Penetration Testing Guide — What It Is, What It Costs, and What You Actually Get
Understand the different types of pen tests, what professional deliverables look like, and how to spot an automated scan masquerading as a real test.
1. What penetration testing actually is — and what it isn't
Penetration testing: a structured, authorized attempt to exploit vulnerabilities in your systems before attackers do. Real humans using real attack techniques against your real environment, under contract, with a defined scope. The goal is not to break things — it's to find the paths an attacker would use to cause damage, document them, and give you a prioritized remediation roadmap.
What it is not: a vulnerability scan. Automated scanners identify known vulnerabilities. Pen testers exploit them — and find the logical, configuration, and chaining vulnerabilities that scanners miss. A $500 automated scan report is not a penetration test.
Not a one-time certification: your environment changes constantly. A pen test is a point-in-time assessment. Annual testing for most environments, more frequent for high-risk or rapidly changing environments.
Why companies do it: compliance requirements (SOC 2, PCI-DSS, HIPAA, CMMC, ISO 27001), cyber insurance applications, customer/partner security questionnaires, post-incident validation, proactive security program hygiene.
2. Types of penetration tests — what each covers
- Network penetration test (external): testing internet-facing systems — firewalls, web servers, VPN concentrators, email gateways, DNS, cloud infrastructure — from outside your network, as an attacker would approach. The most commonly required test type.
- Network penetration test (internal): testing from inside your network, simulating a malicious insider or an attacker who has already breached your perimeter. Findings are often more impactful than in an external test, because most organizations have flat internal networks once the perimeter is breached.
- Web application penetration test: testing a specific web application (customer portal, SaaS product, web-based tools) for OWASP Top 10 vulnerabilities — injection, broken authentication, XSS, IDOR, insecure deserialization, and others. Required for SOC 2 and many compliance programs. Priced per application.
- Mobile application penetration test: iOS and Android app testing for client-side vulnerabilities, insecure data storage, improper session management, and API security.
- Social engineering / phishing test: simulated phishing campaigns to measure employee susceptibility. Not just click rates — good providers also test callback vishing, physical pretexting, and follow through to credential harvest to demonstrate business impact.
- Cloud configuration review: assessment of AWS, Azure, or GCP configuration for misconfigurations — overly permissive IAM policies, exposed storage buckets, unencrypted data, insecure networking. Not a traditional pen test, but often more impactful, given that cloud misconfiguration is a leading cause of breaches.
- Red team engagement: a full-scope, multi-vector, long-duration adversary simulation. Combines social engineering, physical access, network exploitation, and lateral movement to demonstrate real attacker dwell time and impact. For mature organizations with established security programs. Not a starting point.
- Purple team exercise: collaborative engagement where the red team attacks and the blue team (your SOC or MDR) detects and responds in real time. Tests detection and response capability, not just vulnerability identification.
3. Black box vs grey box vs white box
Black box: tester has no information about the target — same starting position as an external attacker. Most realistic simulation of an external threat. Least efficient use of time.
Grey box: tester has partial information — network diagrams, user credentials, application documentation. Tests more of the attack surface in a fixed timeframe. Most common approach for web application and internal network tests.
White box (crystal box): tester has full information — source code, architecture diagrams, admin access. Most thorough. Best for secure code review and finding deep architectural vulnerabilities. Least realistic external threat simulation.
Recommendation: external network tests are typically black box; internal network and web application tests are typically grey box. Use white box for code-level security review.
4. What a professional pen test engagement looks like
Scoping: defining exactly what systems are in scope, what is explicitly out of scope (production systems that could be disrupted), testing windows (business hours vs 24/7), and escalation procedures if a critical finding is encountered.
Rules of engagement: what testers are and aren't allowed to do. Denial of service is typically excluded. Social engineering scope must be explicitly defined.
Testing phase: 1-5 days for most SMB external tests, 3-10 days for web application tests, 1-3 weeks for internal network tests or red team engagements.
Reporting: the deliverable. A professional pen test report includes: executive summary (business risk language for leadership), technical findings with CVSS scores, proof of concept evidence (screenshots, output), remediation guidance for each finding, overall risk rating.
Debrief: a live call to walk through findings with the technical team. Good testers will explain how they exploited the vulnerability and what a real attacker would do next. This is where institutional knowledge transfers.
Retest: after you remediate findings, a retest validates that fixes are effective. Some engagements include one free retest; others charge separately.
5. What pen test findings look like — severity levels explained
Critical (CVSS 9.0-10.0): remote code execution, unauthenticated admin access, SQL injection with database exfiltration. Direct path to data breach or full system compromise. Fix immediately.
High (CVSS 7.0-8.9): authenticated RCE, significant privilege escalation, exposed sensitive data without authentication, critical misconfiguration. Fix within 30 days.
Medium (CVSS 4.0-6.9): session management issues, missing security headers, XSS requiring user interaction, internal network exposure. Fix within 90 days.
Low (CVSS 0.1-3.9): informational disclosures, minor misconfigurations, best practice deviations. Address in next scheduled maintenance cycle.
Informational: observations that don't represent vulnerabilities but may be useful context.
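As an added example that is not part of this guide: a small Python tracker that applies the severity thresholds and remediation windows above to a constructed findings list, so a report's CVSS scores can be turned into due dates and a retest checklist. The finding IDs, titles and scores are constructed for illustration, and the Low-band window (the guide only says "next scheduled maintenance cycle") is an assumed 180-day placeholder.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Severity bands from the guide: Critical 9.0-10.0, High 7.0-8.9,
# Medium 4.0-6.9, Low 0.1-3.9. A base score of 0.0 carries no
# vulnerability rating, so it is treated here as Informational.
# Remediation windows from the guide: Critical "immediately" (0 days),
# High 30 days, Medium 90 days. The guide gives Low no fixed window
# ("next scheduled maintenance cycle"); LOW_WINDOW_DAYS is an assumed
# placeholder, not a figure from the guide.
LOW_WINDOW_DAYS = 180
REMEDIATION_DAYS = {"Critical": 0, "High": 30, "Medium": 90, "Low": LOW_WINDOW_DAYS}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def severity_for_score(cvss: float) -> str:
    """Map a CVSS base score to the guide's severity band.

    Thresholds are lower bounds, so every valid one-decimal score lands in
    exactly one band and the 3.9/4.0, 6.9/7.0 and 8.9/9.0 edges need no
    floating-point range checks.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Informational"


@dataclass
class Finding:
    finding_id: str
    title: str
    cvss: float


@dataclass
class TrackedFinding:
    finding_id: str
    title: str
    cvss: float
    severity: str
    due: Optional[date]  # None for Informational: nothing to remediate


def build_remediation_tracker(findings: List[Finding], report_date: date) -> List[TrackedFinding]:
    """Assign a severity band and a due date to each finding, highest risk first."""
    tracked = []
    for f in findings:
        severity = severity_for_score(f.cvss)
        window = REMEDIATION_DAYS.get(severity)
        due = report_date + timedelta(days=window) if window is not None else None
        tracked.append(TrackedFinding(f.finding_id, f.title, f.cvss, severity, due))
    tracked.sort(key=lambda t: (SEVERITY_ORDER[t.severity], -t.cvss))
    return tracked


def overdue_findings(tracked: List[TrackedFinding], today: date) -> List[TrackedFinding]:
    """Findings whose remediation window has passed: confirm these before booking a retest."""
    return [t for t in tracked if t.due is not None and today > t.due]


# Constructed sample report (illustrative IDs, titles and scores, not real findings).
SAMPLE_REPORT_DATE = date(2024, 1, 15)
SAMPLE_CHECK_DATE = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in customer search (database exfiltration)", 9.8),
    Finding("F-002", "Authenticated remote code execution in admin file upload", 8.8),
    Finding("F-003", "Missing HTTP security headers on portal", 5.3),
    Finding("F-004", "Server version disclosed in error pages", 2.0),
    Finding("F-005", "TLS configuration observation (no weakness identified)", 0.0),
]

if __name__ == "__main__":
    tracker = build_remediation_tracker(SAMPLE_FINDINGS, SAMPLE_REPORT_DATE)
    for t in tracker:
        print(f"{t.finding_id} {t.severity:<13} CVSS {t.cvss:<4} due {t.due or 'n/a'}  {t.title}")
    for t in overdue_findings(tracker, SAMPLE_CHECK_DATE):
        print(f"OVERDUE as of {SAMPLE_CHECK_DATE}: {t.finding_id} ({t.severity}, due {t.due})")
```

Run it as-is to print the sorted tracker and the two findings that are past due on the constructed check date; swap in your own report's findings and report date to produce the list you hand back to the tester for the retest.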
6. Pen test pricing — what is reasonable
- External network test (up to 10 IPs): $2,500-$6,000
- External network test (50-100 IPs): $5,000-$15,000
- Internal network test: $8,000-$20,000
- Web application test (single application): $5,000-$15,000
- Web application test (large/complex application): $15,000-$40,000
- Social engineering / phishing campaign: $3,000-$8,000
- Cloud configuration review: $4,000-$12,000
- Red team engagement: $25,000-$100,000+
- Combined external + internal + web app (SOC 2 package): $15,000-$35,000
What drives price: IP count, application complexity, number of user roles to test, testing window requirements, report quality, tester experience level, vendor overhead.
Automated scan masquerading as a pen test: any "pen test" under $2,000 for a real network is almost certainly an automated scan with a pen test label. Automated scans are valuable but are not penetration tests. Know what you're buying.
7. Credentials and qualifications to look for
OSCP (Offensive Security Certified Professional): hands-on, proctored, 24-hour practical exam. The gold standard for demonstrating real exploitation ability. Every pen test team should have OSCP-certified testers.
CEH (Certified Ethical Hacker): more theory than practice. Widely held, not a strong differentiator.
GPEN / GWAPT (GIAC Penetration Tester / Web Application Penetration Tester): rigorous, practice-oriented SANS certifications.
PNPT (Practical Network Penetration Tester): newer, practical, respected in the professional community.
CREST certification: UK-based, internationally recognized body that certifies both individual testers and testing companies. Strong signal of professional quality.
CVE credits: testers who have found and responsibly disclosed actual CVEs in real software are demonstrably skilled.