Penetration Testing · Executive Guide

Penetration testing — what it is, what it finds, and why your business cannot skip it

Every unpatched vulnerability is an unlocked door. Penetration testing sends a professional through those doors before a criminal does — and tells you exactly what they found, how far they got, and what it would cost you if they had been real.

By Xartrix Security Team · 9 min read

60% of breaches involve a vulnerability for which a patch was available but not applied (Ponemon Institute 2024)
26,447 new CVEs published in 2024, a record high and up 25% from 2023 (NIST National Vulnerability Database)
85% of pen tests find at least one exploitable critical or high-severity vulnerability (Cobalt State of Pentesting 2024)

The problem: you do not know what an attacker sees when they look at your business

Your IT team has deployed firewalls, endpoint protection, and multi-factor authentication. Your annual security audit passed. From the inside, everything looks secure. But here is the uncomfortable question: have you ever hired someone to actually try to break in?

That is what penetration testing does. A penetration test — commonly called a pen test — is a controlled, authorised simulation of a real cyberattack against your systems, applications, and people. Unlike a vulnerability scan, which simply lists known weaknesses, a pen test proves whether those weaknesses can actually be exploited — and shows exactly what an attacker could do once inside.

The distinction matters enormously. A vulnerability scanner might report 200 findings. A pen tester will tell you which five of those 200 actually let someone walk through your front door, access your financial systems, and exfiltrate your customer database — all within three hours.

Why this matters to you as a leader: When 60% of all breaches exploit known, unpatched vulnerabilities, the question is not whether your systems have weaknesses — they do. The question is whether you know about them before an attacker does.
Visual 1 of 4 · Your attack surface — what pen testers examine
Attack Surface Map: what a pen test covers. Each area is a potential entry point attackers exploit.
External network · public-facing servers, VPN gateways, DNS and mail servers, cloud infrastructure · 73% of engagements find network flaws
Web applications · customer portals, APIs and microservices, authentication flows, payment processing · 81% find web app flaws
People and social engineering · phishing simulations, pretexting calls, physical tailgating, USB drop tests · 67% of phishing tests succeed
Internal network · Active Directory, lateral movement paths, privilege escalation, database access · 92% escalate privileges
The Attack Surface Map: a comprehensive pen test evaluates every pathway an attacker could use to enter and move through your environment. Source data: Cobalt, HackerOne, Verizon DBIR 2024.

How it works: the pen testing process, in plain English

Penetration testing follows a structured methodology, typically based on the Penetration Testing Execution Standard (PTES), which defines seven sections (pre-engagement, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting), or on the OWASP Testing Guide for web applications. Condensed into five phases, here is what actually happens during a professional pen test:

Phase 1: Scoping and rules of engagement

Before any testing begins, the pen test team and your business agree on what will be tested, what is off-limits, and what level of access the testers start with. A black-box test gives testers no inside knowledge — they attack as an outsider would. A white-box test provides full documentation, source code, and credentials. A grey-box test sits between the two, simulating an attacker who has gained some initial access, such as a compromised employee account.

Phase 2: Reconnaissance and discovery

Testers map your attack surface — identifying open ports, running services, software versions, DNS records, exposed employee email addresses, and publicly available information about your company. This is what a real attacker does first, and most businesses are surprised by how much is publicly visible.

Phase 3: Exploitation

Using the information gathered, testers attempt to exploit vulnerabilities to gain access. This includes attempting to bypass authentication, injecting attacker-controlled input into web applications (SQL injection, cross-site scripting), exploiting unpatched software, cracking weak passwords, and chaining multiple low-severity issues together to achieve high-impact access.

Phase 4: Post-exploitation and lateral movement

Once inside, testers attempt to escalate privileges, move laterally through the network, access sensitive data, and establish persistence — exactly as a real attacker would. This phase reveals the true business impact: could an attacker reach your financial systems? Customer database? Intellectual property?

Phase 5: Reporting and remediation

The final deliverable is a detailed report with every finding classified by severity, proof of exploitation, business impact assessment, and specific remediation guidance. A quality pen test report is written for two audiences: technical teams who need to fix the issues, and executives who need to understand the business risk.

Visual 2 of 4 · The pen testing methodology — five phases from scoping to fix
Penetration Testing Methodology (PTES), with typical timeline:
1. Scoping (1–2 days) · define targets, set rules of engagement, choose test type (black, grey or white box)
2. Recon (2–3 days) · map attack surface, identify services, OSINT gathering (Nmap, Shodan, OSINT)
3. Exploit (3–7 days, core testing) · attempt access, chain vulnerabilities, bypass controls, proof of exploitation
4. Post-exploit (2–3 days) · escalate privileges, lateral movement, access sensitive data, business impact proof
5. Report (3–5 days) · findings by severity, remediation steps, executive summary, risk-ranked action plan
Total engagement: 2–4 weeks for a mid-market organisation. Source: PTES (Penetration Testing Execution Standard) · OWASP Testing Guide v4
A professional penetration test follows a structured five-phase methodology. The most valuable phase for executives is the report: it translates technical findings into business risk.
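To make phases 1 and 2 concrete, the following added example (written for this guide, not Xartrix tooling or a real engagement) enforces an agreed scope, runs a TCP connect scan with banner grabbing against services the script itself starts on localhost, and triages what it finds against a version baseline. The listeners, their banners and the baseline table are all constructed assumptions; a real engagement uses Nmap against authorised targets and checks versions against vendor advisories and the NVD.

```python
"""Phase 1 + phase 2 in code: enforce the agreed scope, then discover live
services and grab their banners. Added example for this guide, not Xartrix
tooling; the targets are local listeners created by the script itself."""
import re
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Scope:
    """Rules of engagement: the only host/port pairs the client authorised."""
    hosts: Set[str]
    ports: Set[int]

    def permits(self, host: str, port: int) -> bool:
        return host in self.hosts and port in self.ports


@dataclass
class Finding:
    host: str
    port: int
    banner: str
    severity: str


# Constructed triage baseline (an assumption, not a vendor advisory): versions
# older than these are flagged "high" so the exploitation phase looks at them first.
BASELINES: Dict[str, Tuple[int, int]] = {"OpenSSH": (8, 0), "vsFTPd": (3, 0)}
BANNER_RE = re.compile(r"(OpenSSH|vsFTPd)[_ ]?(\d+)\.(\d+)")


def classify(banner: str) -> str:
    """Rank a service banner against the baseline table."""
    m = BANNER_RE.search(banner)
    if not m:
        return "info"          # service seen, version unknown: note it and move on
    product, version = m.group(1), (int(m.group(2)), int(m.group(3)))
    return "high" if version < BASELINES[product] else "low"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port; return the greeting the service sends, or None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""     # open port, silent service (e.g. HTTP waits for a request)
        return data.decode("ascii", "replace").strip()
    except OSError:
        return None            # refused, filtered or unreachable


def scan(scope: Scope, host: str, ports: List[int]) -> Tuple[List[Finding], List[int]]:
    """Probe only in-scope ports; anything else is recorded and never touched."""
    findings, skipped = [], []
    for port in ports:
        if not scope.permits(host, port):
            skipped.append(port)
            continue
        banner = grab_banner(host, port)
        if banner is not None:
            findings.append(Finding(host, port, banner, classify(banner)))
    return findings, skipped


def _serve_banner(banner: bytes) -> int:
    """Start a throwaway local service that greets each client with `banner`; return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _unused_port() -> int:
    """Reserve and release a port so the scan also meets a closed one."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> Tuple[List[Finding], List[int]]:
    host = "127.0.0.1"
    ssh = _serve_banner(b"SSH-2.0-OpenSSH_7.4\r\n")        # constructed: old SSH on a test box
    ftp = _serve_banner(b"220 (vsFTPd 3.0.3)\r\n")         # constructed: current FTP
    outside = _serve_banner(b"SSH-2.0-OpenSSH_9.6\r\n")    # live, but NOT authorised
    closed = _unused_port()
    scope = Scope(hosts={host}, ports={ssh, ftp, closed})
    return scan(scope, host, [ssh, ftp, closed, outside])


if __name__ == "__main__":
    found, skipped = run_demo()
    for f in found:
        print(f"{f.host}:{f.port}  {f.severity:<5}  {f.banner}")
    print("out of scope, not probed:", skipped)
```

The point of the `Scope` check is that it runs before any packet is sent: a tester who probes a live host that is not on the signed rules of engagement has exceeded their authorisation, however harmless the probe. The closed port shows up as nothing at all, the two in-scope services are triaged by version, and the third live service is listed as skipped rather than scanned.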
How Xartrix AI accelerates pen test response
When a pen test report identifies vulnerabilities, Xartrix’s autonomous AI agents can ingest the findings and immediately update detection rules, create new SOAR playbooks, and adjust monitoring thresholds, so that compensating detection is in place within hours rather than weeks while the underlying fix is scheduled. The AI cross-references pen test findings against your live environment to prioritise fixes by actual exploitability, not just CVSS score.

What they find: the most common vulnerabilities, and what they mean for your business

After testing thousands of organisations, the pen testing industry has a remarkably consistent picture of what gets found. These are not exotic zero-day exploits — they are ordinary, preventable weaknesses that exist in most businesses right now.

Visual 3 of 4 · What pen testers actually find — top vulnerability categories
Most common pen test findings by category (percentage of engagements where the finding appears; sources: Cobalt, Positive Technologies, HackerOne 2024):
Weak or default credentials · 88%
Missing security patches · 82%
Broken access control · 77%
Security misconfiguration · 74%
Injection flaws (SQL, XSS, LDAP) · 61%
Sensitive data exposure · 57%
Privilege escalation paths · 52%
Successful phishing (social engineering) · 47%
85% of pen tests find at least one critical or high-severity vulnerability (Cobalt State of Pentesting 2024)
The most common findings are not sophisticated attacks — they are weak passwords, missing patches, and misconfigured access controls. These are preventable with proper testing and remediation.

The pattern is clear. The top three findings — weak credentials, missing patches, and broken access control — are not exotic or expensive to fix. They are basic security hygiene failures that persist because nobody tested them from the attacker’s perspective.

What makes these findings dangerous is how they chain together. A pen tester might find a default password on a test server, use it to access the internal network, escalate to domain admin through a misconfigured Active Directory policy, and exfiltrate your entire customer database — all from a single starting point that would have been rated “medium severity” in a vulnerability scan.
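The chain just described is easier to reason about as a graph, where each finding is an edge from the foothold it requires to the foothold it grants. The added example below (written for this guide, not Xartrix tooling) builds that graph from constructed findings, walks it breadth-first from the internet, and re-rates each finding by the assets it helps an attacker reach. The finding ids, footholds, scanner severities and crown-jewel assets are all assumptions for illustration; the scanner scores are what a vulnerability scanner would report for each issue on its own.

```python
"""Attack-path ranking: the chain of one medium, one low, one medium and one
informational finding in the text outranks a lone 'high'. Added example for
this guide, not Xartrix tooling; the graph and findings are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AttackEdge:
    id: str
    src: str               # foothold the attacker must already hold
    dst: str               # foothold the finding grants
    scanner_severity: str  # what a vulnerability scanner would print on its own
    title: str


# Constructed graph mirroring the chain described above (assumed, not a real client).
EDGES = [
    AttackEdge("F1", "internet", "test-server", "medium", "default password on a test server"),
    AttackEdge("F2", "test-server", "internal-net", "low", "test VLAN routes into production"),
    AttackEdge("F3", "internal-net", "domain-admin", "medium", "misconfigured AD policy allows escalation"),
    AttackEdge("F4", "domain-admin", "customer-db", "info", "database trusts any domain admin"),
    AttackEdge("F5", "internet", "brochure-site", "high", "reflected XSS on a static marketing page"),
]
CROWN_JEWELS = {"customer-db", "finance-erp"}   # finance-erp: not reachable in this test
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def paths_from(edges: List[AttackEdge], start: str) -> Dict[str, List[str]]:
    """Breadth-first search; for every reachable foothold, one shortest chain of finding ids."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for e in edges:
            if e.src == node and e.dst not in paths:
                paths[e.dst] = paths[node] + [e.id]
                queue.append(e.dst)
    return paths


def rank(edges: List[AttackEdge], start: str, crown_jewels: Set[str]) -> List[dict]:
    """Re-rate each finding by the assets it lets an attacker reach, not its standalone score."""
    from_start = paths_from(edges, start)
    rows = []
    for e in edges:
        # The finding sits on a live chain only if its precondition is reachable from the
        # start and a crown jewel is reachable from the foothold it grants.
        enables = set()
        if e.src in from_start:
            enables = {a for a in crown_jewels if a in paths_from(edges, e.dst)}
        # Single point of fix: removing this finding alone severs every chain to the asset.
        without = paths_from([x for x in edges if x.id != e.id], start)
        cuts = {a for a in enables if a not in without}
        rows.append({
            "id": e.id,
            "scanner": e.scanner_severity,
            "chained": "critical" if enables else e.scanner_severity,
            "enables": sorted(enables),
            "fix_breaks_chain": sorted(cuts),
            "title": e.title,
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER[r["chained"]], r["id"]))
    return rows


if __name__ == "__main__":
    print("chain to customer-db:", " -> ".join(paths_from(EDGES, "internet")["customer-db"]))
    for r in rank(EDGES, "internet", CROWN_JEWELS):
        print(f'{r["id"]}  scanner={r["scanner"]:<6} chained={r["chained"]:<8} '
              f'enables={r["enables"]} fix_breaks_chain={r["fix_breaks_chain"]}  {r["title"]}')
```

Two things fall out of the ranking that a flat scanner list hides: every one of the four chained findings is re-rated critical because each leads to the customer database, and each is also a single point of fix, so closing any one of them (the default password being the cheapest) breaks the whole chain. The lone "high" on the brochure site leads nowhere and keeps its scanner score. This is the same logic a report's "business impact" column should express.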


Types of testing: which pen test does your business need?

Not all pen tests are the same. The right type depends on your environment, your compliance requirements, and what you are trying to protect. Here are the five core types every business leader should understand:

Pen test types — comparison matrix (test type · what it tests · who needs it · frequency)
External network · Internet-facing servers, firewalls, VPNs, cloud infrastructure · Every business · Annually and after significant changes
Internal network · Lateral movement, AD, privilege escalation, segmentation · Businesses with on-prem or hybrid networks · Annually
Web application · OWASP Top 10: injection, auth flaws, XSS, CSRF, API security · Any business with customer-facing web apps · Annually and per release cycle
Social engineering · Phishing, vishing, pretexting, physical access attempts · Businesses with more than 50 employees · Semi-annually
Red team · Full-scope adversary simulation across all attack vectors · Mature security programmes testing holistic defence · Annually
For most mid-market businesses, the minimum recommendation is an annual external network test and web application test, combined with semi-annual phishing simulations. If you handle sensitive data (financial, health, personal), add internal network testing. If you want to test your SOC and incident response, add a red team engagement.

The business case: what does pen testing actually save your business?

Penetration testing is not a cost centre — it is a risk reduction investment. Here is the financial arithmetic that makes the case for regular testing:

Visual 4 of 4 · Pen testing ROI — cost of testing vs. cost of not testing
Annual pen test investment: external network test $8K–$20K · web application test $10K–$30K · internal network test $10K–$25K · social engineering $5K–$15K · total annual investment $33K–$90K. Finds vulnerabilities before attackers; satisfies compliance requirements.
Cost of a single breach: average breach cost (global) $4.88M · lost business revenue $1.47M average · regulatory fines (PIPEDA/CPPA) up to $25M · average operational downtime 23 days · total damage per incident $4.88M+. Brand damage may be permanent; client attrition follows 65% of breaches.
ROI: $33K–$90K in testing against $4.88M+ in breach costs.
Annual pen testing costs represent less than 2% of average breach costs. Organisations that test regularly reduce breach probability by 50% — IBM Cost of a Data Breach 2024.

The numbers are stark. An annual pen testing programme costs between $33,000 and $90,000 for a mid-market business. A single breach costs $4.88 million on average. That represents a potential return of 54× to 148× on every dollar invested in testing.

Xartrix: continuous testing + continuous monitoring
Traditional pen testing gives you a snapshot — one moment in time. Xartrix combines annual pen testing with continuous vulnerability monitoring powered by 12 autonomous AI agents. New vulnerabilities are detected, triaged, and escalated in real time, closing the gap between annual tests. Your attack surface is monitored 24/7, 365 days a year, with <15-second mean triage time for every alert.

Compliance: pen testing is not optional; it is required

For many businesses, penetration testing is not merely a best practice — it is a regulatory and contractual obligation. The following frameworks explicitly require or strongly recommend regular penetration testing:

PCI DSS · Penetration testing is required at least annually and after significant infrastructure changes (Requirement 11.4 in v4.0). Non-compliance can result in fines of up to $100,000 per month.
ISO 27001 · Annex A.8.8 (A.12.6 in the 2013 edition) requires management of technical vulnerabilities. Pen test reports are commonly presented to auditors as evidence that this control operates.
SOC 2 · Trust Services Criteria CC7.1 requires monitoring for new and newly discovered vulnerabilities. Pen tests are a core audit evidence item.
PIPEDA / CPPA · Canadian privacy legislation requires security safeguards appropriate to the sensitivity of the information; the proposed CPPA would add significant monetary penalties. Pen testing demonstrates due diligence.

Beyond compliance, many enterprise customers now require pen test reports as a condition of doing business. If your company sells to larger organisations, not having a current pen test report can disqualify you from contracts worth far more than the cost of testing.


For the boardroom: five questions every director should ask about penetration testing

If you are a CEO, CFO, or board member, these are the questions that reveal whether your business is actually testing its defences or just assuming they work:

Question 1
When was the last time someone actually tried to hack into our systems — with our permission? If the answer is “never” or “more than a year ago,” you are relying on assumptions rather than evidence.
Question 2
How many critical or high-severity vulnerabilities were found in our last pen test, and how many have been fixed? The pen test itself is not the value — the remediation is. A report sitting unactioned is worse than no report at all.
Question 3
Do we test our web applications every time we release new code? A web application pen test is valid only until the next deployment. If your team ships code monthly but tests annually, you have 11 months of untested code in production.
Question 4
Have we ever tested our people with a realistic phishing simulation? Technical controls are only half the picture. If 47% of social engineering tests succeed industry-wide, your employees are a significant attack vector.
Question 5
Can our security team detect a pen test in progress — or does the tester have to tell them? This question tests whether your monitoring and SOC are actually working. If the pen tester operates undetected for days, so could a real attacker.

How secure is your business — really?

Xartrix offers comprehensive penetration testing backed by continuous AI-driven monitoring. Find the vulnerabilities before attackers do — and keep watching 24/7 after the test is complete.
