A penetration test — or pen test, for short — is a simulation of a possible cyberattack against an IT system performed by a professional with no malicious intent. The main purpose of such tests is to find exploitable vulnerabilities before anybody else does so that they can be patched and addressed accordingly.

A pen test should end with the presentation of a formal document explaining and detailing all the findings. This document should contain at least two main sections: an executive summary where the tester or testers explain the process and findings in a high-level manner, and a technical summary where the more in-depth details can be explained.

Pros and Cons of Penetration Testing

Nowadays, companies of all sizes have a network presence, and the internet has made it easy for attackers to engage with companies around the world. A cyberattack can damage a company in many ways, not just economically. An organization’s brand, reputation and even intellectual property could be affected.

Listen to the podcast: Spotlight on Penetration Testing with Space Rogue

A penetration test can help an enterprise build a more robust and reliable security posture. With that said, not all companies should engage in a pen test, since they aren’t always particularly beneficial. Because of this, it’s important to evaluate whether or not a pen test will have value for your company.

Potential benefits of a pen test include:

  • Identifying possible security holes before an attacker can;
  • Identifying possible vulnerabilities in a network or computer program; and
  • Providing information that can help security teams mitigate vulnerabilities and create a control mechanism for attacks.

Some of the potential drawbacks are:

  • Outages to critical services if the pen test is poorly designed or executed, which can end up causing more damage to the company in general; and
  • Difficulty conducting pen tests on legacy systems, which are often vital to businesses.

When Should You Pen Test?

Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.

It is ideal to test any system or software before is put into production. Most companies do not adhere to this recommendation because they are eager to get their return on investment (ROI) quickly. Companies might also fail to follow this best practice because a project has exceeded its deadline or budget. These factors make companies enthusiastic to push their new services live without having conducted the proper security assessments. This is a risk that needs to be evaluated and put in perspective when deploying new systems.

How Often Should You Pen Test?

A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.

How often a company should engage in pen testing depends on several factors, including:

  • Company size. It’s no secret that bigger companies with a greater online presence might also have more urgency to test their systems, since they would have more attack vectors and might be juicier targets for threat actors.
  • Budget. Pen tests can be expensive, so an organization with a smaller budget might be less able to conduct them. A lack of funds might restrict pen testing to once every two years, for example, while a bigger budget might allow for more frequent and thorough testing.
  • Regulations, laws and compliance. Depending on the industry, various laws and regulations might require organizations to perform certain security tasks, including pen testing.
  • Infrastructure: Certain companies might have a 100 percent cloud environment and might not be allowed to test the cloud provider’s infrastructure. The provider may already conduct pen tests internally.

Pen testing should not be taken lightly; it has the potential to provide a critical security service to all companies. For some organizations, it might even be mandatory. But a pen test is not one-size-fits-all. Ultimately, understanding the company’s line of business is fundamental to successful security testing.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Security Services

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today