What Is Penetration Testing? Which Method Is Best For Your Company?

Contributors: Brad Atkin

Cybersecurity budgets continue to grow, but this has done little to stem the tide of financially and ideologically motivated attackers. Research conducted by the Ponemon Institute found the average cost of a data breach was $4.24 million in 2021. The longer the lifecycle of the breach, the more it costs your organization.

What’s more alarming? Research shows attackers are moving away from solely targeting big companies. Attacks on small and medium businesses have grown to account for almost 50% of breaches. If awareness and spending are at an all-time high, why are there so many breaches?

Insufficient testing

Cyberattacks continue to be successful because IT systems and their security are insufficiently tested. Many organizations rely on automated vulnerability scanning tools to probe their network and find security weaknesses. While these tools are an essential part of an IT security program, they give an incomplete picture of what an attacker could accomplish. These scans are often marketed and sold as a complete penetration test — which is misleading.


What’s penetration testing?

A true penetration test – or ethical hacking – is a service performed by an information security specialist. The specialist uses the tools and mindset of an attacker to give a realistic assessment of your vulnerability to cyberattacks.

Instead of relying on automated tools, a skilled penetration tester will rely on rigorous manual testing to identify security vulnerabilities and exploit them. This process continues until the specialist accomplishes a predetermined goal, usually the compromise of sensitive systems or data.

Testing of this nature will help your organization:

  • Identify vulnerabilities in the perimeter systems that protect your network
  • Verify change management processes are keeping pace with security
  • Check system configuration
  • Validate the actions of third-party IT managed-service providers


Pick your approach: external or internal

When you choose to move forward with a penetration test, consider the scope of the test. Will you require the tester to attack your systems over the internet? Or, will you allow them inside your facilities to connect directly to your organization’s internal network?


External penetration testing

If the tester attacks your systems over the internet, it’s an external penetration test. This is the cheapest option; however, it doesn’t always leave enough time to perform a thorough test. The service provider conducts testing from their office and relies on launching cyberattacks over the internet. Keep in mind that just because a single test can’t compromise your network from across the internet doesn’t mean it will never be possible to do so.

External penetration tests usually focus the most effort on your network perimeter – the firewalls and servers that sit between your organization and the internet. While these devices are designed to be secure, malicious hackers find ways to bypass the perimeter and access your internal network. Tactics include email-based attacks like phishing and quickly uncovering new vulnerabilities.


Internal penetration testing

If you prefer to bring the tester inside your facilities, they’ll conduct an internal penetration test. This approach emphasizes the security of your network perimeter and your ability to detect and deter attackers who have already breached it.

Internal penetration testing, which allows the tester to visit your office building and plug directly into your network, is the best way to test your ability to practice defense in depth. The specialist can spend less time trying to bypass your firewall and more time exploiting vulnerabilities in your internal network and testing your ability to detect and respond to their simulated attack.


How to choose the right provider

Both internal and external penetration testing will give you the most thorough assessment of what a malicious hacker could accomplish. Consider the following when choosing a penetration test provider:

  • Flexibility: A provider should work with you to create an approach and scope that reflects the risk appetite and security needs of your organization. They shouldn’t push you toward the fastest or costliest option.
  • Social engineering: People are an essential part of every company’s security. A penetration test can exploit their good nature to gain access to sensitive areas or computer systems. Consider adding phone and email-based social engineering to the scope of your test.
  • Experience: A penetration test is a complex undertaking. Providers should have proper experience and training, including experience testing organizations in your industry.
  • Tools: A penetration tester should rely on more than just automated scanning software. Ask your provider about what kinds of manual testing they can perform and what tools they’ll use.


With a team of cybersecurity advisors and a scalable CYBERCLAW® solution, we can help your organization meet its cybersecurity goals by performing penetration testing and providing actionable recommendations.

