A penetration test — or pen test, for short — is a simulation of a possible cyberattack against an IT system performed by a professional with no malicious intent. The main purpose of such tests is to find exploitable vulnerabilities before anybody else does so that they can be patched and addressed accordingly.

A pen test should end with the presentation of a formal document explaining and detailing all the findings. This document should contain at least two main sections: an executive summary where the tester or testers explain the process and findings in a high-level manner, and a technical summary where the more in-depth details can be explained.

Pros and Cons of Penetration Testing

Nowadays, companies of all sizes have a network presence, and the internet has made it easy for attackers to engage with companies around the world. A cyberattack can damage a company in many ways, not just economically. An organization’s brand, reputation and even intellectual property could be affected.

Listen to the podcast: Spotlight on Penetration Testing with Space Rogue

A penetration test can help an enterprise build a more robust and reliable security posture. With that said, not all companies should engage in a pen test, since they aren’t always particularly beneficial. Because of this, it’s important to evaluate whether or not a pen test will have value for your company.

Potential benefits of a pen test include:

  • Identifying possible security holes before an attacker can;
  • Identifying possible vulnerabilities in a network or computer program; and
  • Providing information that can help security teams mitigate vulnerabilities and create a control mechanism for attacks.

Some of the potential drawbacks are:

  • Outages to critical services if the pen test is poorly designed or executed, which can end up causing more damage to the company in general; and
  • Difficulty conducting pen tests on legacy systems, which are often vital to businesses.

When Should You Pen Test?

Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.

It is ideal to test any system or software before is put into production. Most companies do not adhere to this recommendation because they are eager to get their return on investment (ROI) quickly. Companies might also fail to follow this best practice because a project has exceeded its deadline or budget. These factors make companies enthusiastic to push their new services live without having conducted the proper security assessments. This is a risk that needs to be evaluated and put in perspective when deploying new systems.

How Often Should You Pen Test?

A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.

How often a company should engage in pen testing depends on several factors, including:

  • Company size. It’s no secret that bigger companies with a greater online presence might also have more urgency to test their systems, since they would have more attack vectors and might be juicier targets for threat actors.
  • Budget. Pen tests can be expensive, so an organization with a smaller budget might be less able to conduct them. A lack of funds might restrict pen testing to once every two years, for example, while a bigger budget might allow for more frequent and thorough testing.
  • Regulations, laws and compliance. Depending on the industry, various laws and regulations might require organizations to perform certain security tasks, including pen testing.
  • Infrastructure: Certain companies might have a 100 percent cloud environment and might not be allowed to test the cloud provider’s infrastructure. The provider may already conduct pen tests internally.

Pen testing should not be taken lightly; it has the potential to provide a critical security service to all companies. For some organizations, it might even be mandatory. But a pen test is not one-size-fits-all. Ultimately, understanding the company’s line of business is fundamental to successful security testing.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Security Services

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Log4j Forever Changed What (Some) Cyber Pros Think About OSS

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services. Nearly anything from popular consumer and enterprise platforms to critical infrastructure and IoT devices was exposed. Over 35,000 Java packages were impacted by Log4j vulnerabilities. That’s over 8% of the Maven Central repository, the world’s largest…