• 07948 570815
  • This email address is being protected from spambots. You need JavaScript enabled to view it.


What is penetration testing?

What is penetration testing?

A penetration test or "pen test" in security terms is a simulated attack on your systems, allowed by you in order to find out how good your infosecurity posture actually is.

Beyond that, there's no strict definition of what's involved so if you think this sort of exercise could benefit your business, it's important to start by defining your goals, and what actions you hope to take once you have the results.

For example, are you worried about keeping hackers out or are you more concerned about vulnerabilities that could be exploited in order to access your data? How deep do you want to go, and how much time and money are you prepared to invest in mitigating any risk uncovered? These are some of the main questions that are asked.


Know your goals

To get the best from a penetration test you need to set strict and specific parameters. If you were hoping to ask the testers to simply "see what they can find", you may well discover that what comes back overlooks issues that are critical to your business. It's important to put structure and goals in place for testing and avoid a haphazard approach. By defining what you want to get out of the test early on, you'll be able to judge its success in the results.

Who are these pen testers? Are they safe to use?

These aren't hackers they're highly trained security professionals. If you must use the word, "ethical hacker" or "white hat hacker" might fit, but "security consultant" is more exact. These professionals mimic tactics used by cyber criminals to test the strength of a business’s security infrastructure. This helps to identify weaknesses in your security that can be addressed before you fall victim to a real cyber attack.

When dealing with your organisation's security, it's always worth raising the question of trust. With pen testing there are two recommended courses of action: you could use a service with a good pedigree of recommendations from previous customers, or you could select an agency that only uses testers who are accredited by an industry certification body called CREST. This ensures that they have passed rigorous certification exams and signed up to enforceable codes of conduct.

cyber NumbersAlso see: What is ethical hacking exactly?

What actually happens in a penetration test?

As we've noted, it depends on exactly what you have commissioned. Typically, though, pen testers perform both external tests, which target the servers and hardware that any hacker would be able to see, and internal tests, which simulate what would happen if those hackers made it past the perimeter and got inside your network or if an employee wanted to cause trouble. Both approaches can be revealing and combined they can provide a good indication of your real-world security position.

Will it interfere with my business?

In a word 'no'. An external test may be almost invisible (although, if you have a good security infrastructure, it will hopefully flag up any suspicious connection attempts). An internal test needn't be much more invasive: the tester simply requires access to your network so they can mimic the actions of a hacker. Your resources will not be stretched and your business can carry on as normal.

white hat hackersAlso see: What are White hat hackers?

Photo by Florian Olivo on Unsplash



Newsletter Subscribe


More From Our Blog