Executive Summary
Penetration testing is one of the most effective tools available for assessing real-world security posture, but only when it is scoped correctly, executed by qualified professionals, and followed by meaningful remediation. This handbook is written for security leaders, IT managers, and procurement teams who are commissioning a penetration test or building a recurring testing programme.
This guide covers the full lifecycle: what penetration testing is (and what it is not), how to scope an engagement, what the testing process involves, how to read and act on a penetration test report, and how to evaluate providers.
Chapter 1: What Is Penetration Testing?
Penetration testing (pentest) is a simulated cyberattack performed by authorised security professionals to identify exploitable vulnerabilities in systems, applications, networks, or people before malicious actors find them.
Unlike a vulnerability scan, which identifies potential weaknesses using automated tools, a penetration test involves human expertise to chain vulnerabilities together, bypass security controls, and demonstrate actual business impact.
The Core Question a Pentest Answers
"If an attacker with this level of access and skill targeted us, what could they achieve?"
The answer depends on the engagement type, scope, and attacker scenario.
What Penetration Testing Is Not
- Not a vulnerability scan. Automated scanners produce false positives and cannot demonstrate exploitability. A pentest confirms whether vulnerabilities are actually exploitable in your environment.
- Not a one-time checkbox. A pentest represents a point-in-time assessment. As your environment changes, new vulnerabilities emerge. Annual testing is a minimum; quarterly or continuous testing is increasingly standard.
- Not a guarantee of security. A clean pentest report means the testers did not find exploitable issues within the defined scope and timeframe, not that none exist.
Chapter 2: Types of Penetration Tests
By Knowledge Level
| Type | Tester Knowledge | Simulates |
|---|---|---|
| Black Box | None: public information only | External attacker with no insider access |
| Grey Box | Partial: credentials, architecture docs | Compromised user, insider threat |
| White Box | Full: source code, configs, credentials | Thorough audit, compliance-driven |
CyberneticsPlus recommendation: Grey box testing offers the best balance of realism and efficiency for most organisations. Black box testing is realistic but risks missing critical vulnerabilities if the tester cannot progress past the perimeter. White box is ideal for application security reviews and source code audits.
By Target
Network Penetration Testing
- External: Attacks originating from the internet targeting your perimeter
- Internal: Attacks simulating a compromised endpoint or insider threat inside your network
Web Application Penetration Testing
Tests web applications against the OWASP Top 10, business logic flaws, authentication weaknesses, and API security issues.
Mobile Application Penetration Testing
Tests iOS and Android applications: data storage, API communication, authentication, binary analysis, and platform-specific vulnerabilities.
Cloud Penetration Testing
Assesses cloud environments (AWS, Azure, GCP) for misconfigurations, identity and access management weaknesses, exposed storage, and privilege escalation paths.
Social Engineering
Phishing campaigns, vishing (voice phishing), and physical penetration testing to assess human and physical security controls.
Red Team Exercises
Full-scope adversary simulation exercises targeting specific objectives (e.g., "access patient records", "achieve wire transfer fraud") using blended attack techniques over weeks or months. Red teaming tests the entire security programme, not just technical controls.
Chapter 3: Scoping Your Engagement
Scope definition is the most important step. A poorly scoped engagement wastes budget and misses critical risks.
Defining What Is In Scope
Be explicit about:
- IP ranges and hostnames: All production IP addresses, staging environments, specific domains
- Applications: Named applications, URLs, API endpoints
- Testing techniques: Whether social engineering, denial-of-service testing, or physical access is permitted
- Time window: Business hours only, or 24/7 (realistic attacks don't observe business hours)
- Geographic locations: Relevant for multi-site organisations
Defining What Is Out of Scope
Explicitly exclude:
- Third-party systems you do not own (SaaS platforms, payment processors)
- Systems that cannot tolerate disruption (life-safety systems, production databases if fragile)
- Specific IP ranges belonging to shared hosting providers
Rules of Engagement
A Rules of Engagement (RoE) document governs the testing:
- Authorisation chain: Who has signed off on testing authority
- Emergency contacts: Who to call if the tester discovers a critical live vulnerability or causes unintended disruption
- Pause/stop conditions: Criteria under which testing must halt (e.g., tester discovers evidence of a real ongoing breach)
- Data handling: What data the tester can access and how it must be handled
- Disclosure: How findings are communicated and to whom
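The scope, exclusions and time window above, expressed as the pre-flight check a tester runs before touching any target. This is an added illustration, not CyberneticsPlus code: the `Scope` class and its method names are my own, and every address and hostname is constructed (TEST-NET-3 and example.com).

```python
"""Scope / Rules-of-Engagement check run before any active probing (added illustration,
not CyberneticsPlus tooling). Exclusions win over inclusions and the agreed time window is
enforced. All ranges and hostnames below are constructed (TEST-NET-3, example.com)."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress

@dataclass
class Scope:
    in_scope_nets: list                                  # CIDRs from the scoping document
    in_scope_hosts: set                                  # named applications / API hosts
    excluded_nets: list = field(default_factory=list)    # e.g. shared-hosting blocks
    excluded_hosts: set = field(default_factory=set)     # e.g. third-party processors
    window_start: time = time(0, 0)                      # default: 24/7
    window_end: time = time(23, 59, 59)

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:         # same-day window, e.g. 09:00-17:00
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end   # wraps midnight, e.g. 22:00-06:00

    def check(self, target: str, when: datetime) -> tuple:
        """Return (allowed, reason); exclusions are tested before inclusions."""
        if not self.in_window(when):
            return False, "outside the agreed testing window"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None                                  # not an IP literal: treat as hostname
        if addr is not None:
            if any(addr in ipaddress.ip_network(n) for n in self.excluded_nets):
                return False, "address is inside an excluded range"
            if any(addr in ipaddress.ip_network(n) for n in self.in_scope_nets):
                return True, "address is inside an in-scope range"
            return False, "address is not in any in-scope range"
        host = target.lower().rstrip(".")
        if host in self.excluded_hosts:
            return False, "host is explicitly excluded"
        if host in self.in_scope_hosts:
            return True, "host is explicitly in scope"
        return False, "host is not named in the scope"

# Constructed engagement: one /24 with a shared-hosting block carved out, two named apps,
# a third-party payment host excluded, and testing permitted overnight only.
EXAMPLE_SCOPE = Scope(
    in_scope_nets=["203.0.113.0/24"], in_scope_hosts={"app.example.com", "api.example.com"},
    excluded_nets=["203.0.113.64/26"], excluded_hosts={"payments.example.com"},
    window_start=time(22, 0), window_end=time(6, 0),
)
```

A host that sits inside an in-scope range but is listed as excluded is refused, which is the case the "out of scope" list above is meant to catch.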
Chapter 4: The Penetration Testing Methodology
Professional penetration testers follow a structured methodology. The industry-standard framework is PTES (Penetration Testing Execution Standard), supplemented by OWASP for web application testing.
Phase 1: Reconnaissance
Passive reconnaissance (information gathering without touching target systems):
- WHOIS records, DNS enumeration (subdomains, MX records, SPF/DMARC records)
- Certificate Transparency logs (crt.sh): reveal all SSL certificates issued for a domain, often exposing internal hostnames
- Shodan/Censys: internet-wide scanning to find your exposed services
- LinkedIn, job postings, GitHub: employee names, technology stack, exposed credentials
- Google dorking: targeted search operators to find exposed files, login panels, error messages
Active reconnaissance (directly probing target systems):
- Port scanning (Nmap): open ports, services, operating system fingerprinting
- Service enumeration: identifying versions of exposed services
- Web application crawling: spidering to discover endpoints, parameters, and functionality
Phase 2: Vulnerability Analysis
Mapping discovered services and applications to known vulnerabilities:
- CVE databases, NVD, vendor advisories
- Automated scanning (Nessus, OpenVAS, Burp Suite) to identify potential issues
- Manual review of configuration files, application behaviour, and authentication mechanisms
Phase 3: Exploitation
Attempting to exploit identified vulnerabilities to confirm they are exploitable in the target environment:
- Network: EternalBlue, Zerologon, exploiting unpatched services, credential spraying
- Web application: SQL injection, Cross-Site Scripting (XSS), authentication bypass, IDOR, SSRF
- Cloud: IAM privilege escalation, metadata service exploitation, misconfigured storage buckets
- Credentials: Password spraying against exposed authentication portals (OWA, VPN, RDP), credential stuffing using leaked credential lists
The key principle: testers attempt exploitation methodically, starting with the highest-impact vulnerabilities, documenting every step for reproducibility.
Phase 4: Post-Exploitation
Once initial access is achieved, testers assess what an attacker could do next:
- Privilege escalation: Moving from low-privilege user to administrator/root
- Lateral movement: Pivoting from one compromised system to others on the network
- Persistence: Installing backdoors to maintain access (with client permission; tested in red team exercises)
- Data access: Identifying and accessing sensitive data (demonstrating impact without exfiltrating real data)
- Domain compromise: In Active Directory environments, attempting to compromise domain controllers and achieve full domain control
Phase 5: Reporting
The report is the deliverable that determines whether the engagement creates value (see Chapter 5).
Chapter 5: Reading a Penetration Test Report
A professional penetration test report contains:
Executive Summary
Written for non-technical readers (board, senior management). Should cover:
- Overall risk rating
- Number and severity of findings
- Key risks in business terms (not technical jargon)
- Recommended actions and priorities
Technical Findings
Each finding should include:
| Field | Description |
|---|---|
| Title | Clear name of the vulnerability |
| Severity | Critical / High / Medium / Low / Informational |
| CVSS Score | Numeric severity score (0–10) |
| Description | What the vulnerability is |
| Evidence | Screenshots, request/response, proof-of-concept output |
| Impact | What an attacker could achieve if exploited |
| Remediation | Specific steps to fix the issue |
| References | CVE numbers, vendor advisories, OWASP references |
Severity Ratings
| Rating | CVSS Range | Meaning |
|---|---|---|
| Critical | 9.0–10.0 | Direct path to full compromise or major data breach |
| High | 7.0–8.9 | Significant risk; exploitable with moderate effort |
| Medium | 4.0–6.9 | Risk exists; requires specific conditions to exploit |
| Low | 0.1–3.9 | Minor risk; defence in depth improvement |
| Informational | N/A | Observation; no direct risk, but worth noting |
Remediation Prioritisation
Use risk-based prioritisation, not just CVSS scores:
- Critical findings on internet-facing systems: Remediate within 24–72 hours
- Critical findings on internal systems: Remediate within 7 days
- High findings: Remediate within 30 days
- Medium findings: Remediate within 90 days
- Low/Informational: Address in next patch cycle
Chapter 6: After the Penetration Test
Remediation
The report is only the beginning. The value of a penetration test is realised through remediation.
Assign each finding:
- Owner: Specific person responsible for fixing it
- Timeline: Based on severity
- Verification method: How will you confirm it is fixed?
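The severity bands and remediation SLAs from Chapter 5 combined with the owner / timeline / verification assignment above, as an added example that is not the handbook's or CyberneticsPlus's tooling. It goes slightly beyond the text by ordering findings by deadline rather than by CVSS alone; the function names and the sample findings are constructed.

```python
"""Severity banding and risk-based remediation tracking (added illustration, not the
handbook's or CyberneticsPlus's tooling). The CVSS bands and SLAs are those the handbook
gives; owner / timeline / verification are its Chapter 6 assignments. Findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]   # rating floors

def severity_from_cvss(score) -> str:
    """CVSS base score (0.0-10.0) -> rating; 0.0 or no score is Informational."""
    if score is None or score < 0.1:
        return "Informational"
    if score > 10.0:
        raise ValueError("CVSS base scores run 0.0-10.0")
    return next(name for name, floor in BANDS if score >= floor)

def sla_days(severity: str, internet_facing: bool):
    """Critical: 72 h (3 days) if internet-facing, 7 days internal; High 30; Medium 90.
    Low/Informational have no fixed SLA (next patch cycle) -> None."""
    if severity == "Critical":
        return 3 if internet_facing else 7
    return {"High": 30, "Medium": 90}.get(severity)

@dataclass
class Finding:
    title: str
    cvss: float
    internet_facing: bool                  # exposure, not just the score, drives the deadline
    owner: str = "unassigned"              # a specific person, as Chapter 6 requires
    verification: str = "provider retest"  # how the fix will be confirmed

def remediation_plan(findings, report_date: date) -> list:
    """Rate each finding, attach owner / due date / verification, order by urgency."""
    rows = []
    for f in findings:
        sev = severity_from_cvss(f.cvss)
        days = sla_days(sev, f.internet_facing)
        rows.append({"title": f.title, "cvss": f.cvss, "severity": sev, "owner": f.owner,
                     "due": report_date + timedelta(days=days) if days is not None else None,
                     "verification": f.verification})
    # earliest deadline first, higher CVSS first on the same day, no-SLA items last
    rows.sort(key=lambda r: (r["due"] is None, r["due"] or date.max, -r["cvss"]))
    return rows

SAMPLE_FINDINGS = [  # constructed sample findings
    Finding("SQL injection in customer login form", 9.8, True, owner="A. Web (app lead)"),
    Finding("Unpatched SMB service on internal file server", 9.3, False, owner="B. Infra"),
    Finding("Reflected XSS in search parameter", 7.0, True, owner="A. Web (app lead)"),
    Finding("Missing rate limiting on password-reset API", 6.5, True),
    Finding("Verbose server version banner", 0.0, True, verification="config review"),
]
```

Note that the internal Critical finding lands after the external one even though both are Critical: exposure, not the raw score, sets its deadline.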
Retest
Request a retest after remediation. A retest confirms that:
- The specific vulnerability was fixed correctly
- The fix did not introduce new vulnerabilities
- The remediation evidence can be used for compliance documentation
CyberneticsPlus includes one retest cycle for all Critical and High findings as part of every engagement.
Building a Testing Programme
A single pentest provides a point-in-time snapshot. A programme provides continuous assurance:
| Frequency | Suitable For |
|---|---|
| Annual | Minimum baseline; compliance-driven organisations |
| Semi-annual | Organisations with active development; SaaS platforms |
| Quarterly | High-value targets; regulated industries (finance, healthcare) |
| Continuous | Red team retainer; critical infrastructure |
Chapter 7: Compliance and Penetration Testing
Many regulatory frameworks mandate penetration testing:
| Framework | Requirement |
|---|---|
| PCI DSS v4.0 | Annual external/internal pentest; requirement 11.4 |
| ISO 27001:2022 | Annex A.8.8: technical vulnerability management |
| SOC 2 | CC4.1: logical and physical access controls testing |
| HIPAA | Required under the Security Rule's technical safeguard evaluation |
| RBI (India) | Banks and NBFCs: annual VAPT under cybersecurity framework |
| SEBI (India) | Periodic security audits for market infrastructure institutions |
Chapter 8: Choosing a Penetration Testing Provider
Qualifications to Look For
Team certifications:
- OSCP (Offensive Security Certified Professional): foundational credential
- CRTP, CRTE, CRTO: Active Directory and red team certifications
- BSCP (Burp Suite Certified Practitioner): web application testing
- LPT (Licensed Penetration Tester): advanced EC-Council certification
- CEH β broad ethical hacking certification
Organisational credentials:
- CREST membership (UK/global standard for pentest organisations)
- CERT-In empanelment (mandatory for testing Indian government and regulated organisations)
- ISO 27001 certified delivery process
Red Flags
- No written scoping documentation or Rules of Engagement
- Report is primarily automated scanner output without manual testing evidence
- No retest included or available
- Testers cannot explain findings in business terms
- No methodology documentation
- Unusually low pricing (thoroughness takes time; shortcuts show in the report)
Questions to Ask
- What methodology do you follow?
- What are your testers' certifications and experience level?
- Will the same tester who performs the test write the report?
- Does the report include proof-of-concept evidence for each finding?
- Is retest included, and what does it cover?
- How do you handle critical findings discovered mid-engagement?
- What is your data handling and confidentiality policy?
Chapter 9: Penetration Testing Cost Factors
Penetration test pricing varies based on:
| Factor | Impact on Cost |
|---|---|
| Scope size | More targets = more time = higher cost |
| Test type | Red team > web app > network > scan |
| Methodology depth | Manual vs semi-automated |
| Engagement duration | Days vs weeks |
| Report quality | Executive + technical vs technical only |
| Retest included? | Adds 20–40% to base cost |
| Compliance documentation | Additional deliverables |
Indicative ranges (India market):
- Web application pentest (single application): ₹80,000–₹2,50,000
- Network pentest (external, <50 IPs): ₹1,00,000–₹3,00,000
- Full-scope red team exercise: ₹5,00,000–₹20,00,000+
Global ranges:
- Web application pentest: $3,000–$15,000
- Full red team engagement: $20,000–$100,000+
Conclusion
Penetration testing, when properly scoped and executed, is one of the most effective investments in your security programme. It validates your defences against real-world attack techniques, provides evidence for compliance, and gives your security team actionable intelligence.
The value is in the remediation. A pentest report that sits unread provides zero security improvement. Organisations that integrate penetration testing into their development lifecycle, remediation workflows, and board-level security reporting get the most return from their investment.
CyberneticsPlus provides expert penetration testing for web applications, networks, cloud environments, and mobile applications across India, the UK, Australia, and Southeast Asia. Our CERT-In empanelled team delivers PTES and OWASP-aligned testing with professional reporting and included retest for Critical and High findings.
Ready to get started? Contact CyberneticsPlus to discuss your penetration testing requirements.