Penetration testing is a controlled attack on your own systems, carried out by professional security testers who use the same methods, tools and reasoning as real adversaries. The aim is to find exploitable weaknesses before a criminal does. Where a vulnerability scanner produces a list of potential issues, a penetration test produces proof: a tester found a weakness, chained it with another, and reached a system or data set that should have been unreachable.
The NCSC defines penetration testing as “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” That last phrase matters. A pen tester does not just scan and report: they think like an attacker and follow the paths an attacker would actually take.
Table of Contents
How is penetration testing different from a vulnerability scan?
Many businesses conflate the two, and the confusion is understandable. A vulnerability scanner checks your systems against a database of known issues and flags what it finds. It is fast, cheap, and can run automatically. But it cannot tell you whether a given vulnerability is actually exploitable in your environment, what the realistic impact would be, or how a chain of smaller issues could add up to a serious breach.
Penetration testing goes further because a skilled tester applies judgement. They take the output of a scan, combine it with their own manual enumeration, and reason about whether vulnerabilities can be exploited together. A firewall misconfiguration that looks low-risk in isolation might, combined with a weak administrator password and an overprivileged service account, give an attacker a straight path to your most sensitive data. A scanner reports three separate medium-risk issues. A pen tester follows the path and shows you what the outcome would actually be.
What types of penetration tests are there?
The three most common approaches differ in how much information the tester starts with:
- Black-box testing. The tester begins with no knowledge of your environment and simulates an external attacker. Realistic, but time-constrained: a determined adversary spends weeks on reconnaissance while a penetration testing team typically has days.
- Grey-box testing. The tester has partial knowledge, such as user credentials or a basic network diagram. This is the most common choice because it balances realism with thorough coverage.
- White-box testing. Full access to documentation, source code and configuration. Most thorough; best for compliance assessments or detailed audits of a specific application or system.
Beyond these knowledge tiers, tests are also categorised by target. External and internal network tests, web application tests, wireless assessments, social engineering exercises, and red team engagements each address a different threat scenario. A red team exercise ties several together in a coordinated campaign. It tests whether your security team detects and responds to the attack, not just whether your technical controls hold up.
What happens during a penetration test?
Before any technical work begins, the tester and client agree scope, objectives and rules of engagement. This scoping conversation sets the boundaries: which systems are in scope, what is off limits, whether destructive techniques are allowed, and how findings will be communicated if a critical issue surfaces mid-test. Skipping this step properly is where penetration testing engagements go wrong.
The test then moves through several phases. First comes reconnaissance, where the tester builds situational awareness of the target environment. After that, active scanning identifies open services and potential entry points. Then exploitation begins: genuine vulnerabilities are tested to see whether they can be used to gain unauthorised access. Finally, post-exploitation work explores what a real attacker could reach from that position. Findings are documented with evidence throughout.
At the end, you receive a report. A good one contains an executive summary with overall risk ratings and key findings in plain language, a technical section documenting each finding with severity ratings, evidence and remediation guidance, and a prioritised roadmap that helps you decide what to fix first.
What does the report tell you?
Each finding in a professional penetration testing report carries a severity rating, typically running from Critical through to Informational. Critical and High findings represent vulnerabilities that a real attacker could exploit to cause significant harm: access to customer data, ransomware deployment, or lateral movement across your network. These need immediate attention.
Medium and Low findings are genuine vulnerabilities but can generally be addressed through normal patching and change management cycles. The finding descriptions matter too. A well-written technical finding explains which systems are affected, how the vulnerability was exploited during the test, what the business impact would be, and what specifically needs to change to close the gap. Vague findings like “weak password policy observed” without explaining what was accessed are a sign of a low-quality engagement.
Most professional providers also offer a retest once you have applied remediation. This confirms the fixes actually work and gives you a clean record to show auditors or insurers. Not every provider includes retesting as standard, so it is worth confirming this before you sign the engagement.
Who should carry out the test?
The two accreditations to look for in the UK are CREST and CHECK. CREST (the Council of Registered Ethical Security Testers) certifies both firms and the individual testers who carry out the work. Certification is based on technical assessment of the tester’s own skills, not just the company’s policies. This matters because the quality of a penetration testing engagement depends almost entirely on the capability of the person doing it.
CHECK is the NCSC’s scheme for UK government and public sector security testing. Only CHECK-certified testers are permitted to work on government systems. For private sector businesses of all sizes, CREST is the relevant standard.
When should you commission one?
Annual penetration testing is the widely accepted minimum for most organisations. Additional testing is warranted after significant changes: a new application going live, a major cloud migration, an infrastructure refresh, or after a security incident. Some compliance frameworks set specific requirements too. PCI DSS mandates annual tests for organisations processing card payments, and ISO 27001 expects ongoing evaluation of control effectiveness.
Preparation also helps you get more value from any engagement. Before the test starts, make sure you have a clear record of what is in scope, who the relevant technical contacts are, and any recent changes to your environment. The more context you give the testers, the more focused and useful the findings will be.
Cyber insurance is another driver. Underwriters are increasingly asking applicants to demonstrate regular, credible penetration testing. A report from a CREST-accredited provider carries considerably more weight than a self-assessment or an automated scan output.
A well-scoped penetration test gives you an honest picture of your actual security posture, not just your intended one. If you want to understand what an assessment would cover for your specific environment, Aardwolf Security works with UK businesses across infrastructure, web applications and red team engagements. Contact us to discuss scope and timing.
Subscribe to our newsletter
Honest updates, straight to your inbox. Unsubscribe any time.