Glossary
What Is Penetration Testing?
Penetration testing (pentesting) is a controlled security assessment in which a tester - human or AI-driven - simulates real-world attacks against a system to identify exploitable vulnerabilities before malicious actors do.
How Penetration Testing Works
A penetration test follows a structured methodology, typically covering five phases:
1. Reconnaissance
Mapping the attack surface - discovering endpoints, technologies, and potential entry points.
2. Vulnerability Identification
Analysing the target for weaknesses - misconfigurations, outdated software, insecure code patterns.
3. Exploitation
Attempting to exploit identified vulnerabilities to prove real-world impact - this is what separates pentesting from vulnerability scanning.
4. Post-Exploitation
Determining how far an attacker could go - lateral movement, privilege escalation, data access.
5. Reporting
Documenting every finding with evidence, severity ratings (CVSS scores), business impact, and remediation guidance.
Types of Penetration Testing
Black-Box
No prior knowledge. Simulates an external attacker discovering the target from scratch.
Grey-Box
Partial knowledge (e.g. user credentials). Simulates an insider threat or compromised account.
White-Box
Full access to source code and architecture. Deep analysis for high-value systems.
Pentesting vs. Vulnerability Scanning
| | Penetration Testing | Vulnerability Scanning |
|---|---|---|
| Approach | Real exploitation attempts | Signature matching |
| False positives | Low (verified by exploitation) | High |
| Depth | Chained attacks, business logic | Known CVEs only |
| Compliance | Meets DORA, PCI DSS, ISO 27001 | Complementary only |
| Cost (traditional) | €10,000-50,000 | €500-5,000/year |
When Do You Need a Penetration Test?
Regular pentesting is essential in several situations: before or during compliance audits (DORA, ISO 27001, PCI DSS, SOC 2), after significant application or infrastructure changes, before launching a new product or service, after a security incident to assess residual risk, and as part of ongoing security validation for customer trust.
For European SMEs subject to DORA, NIS2, or GDPR, annual pentesting is increasingly a baseline expectation from regulators, auditors, and enterprise customers.
Frequently Asked Questions
What is the difference between penetration testing and vulnerability scanning?
Vulnerability scanning automatically identifies known weaknesses by matching system configurations against a database of known vulnerabilities. It reports potential issues but does not verify them. Penetration testing goes further by attempting real exploitation - proving which vulnerabilities are actually exploitable and demonstrating real-world impact. Pentesting finds complex, chained attack paths that scanners miss.
How often should you do a penetration test?
At minimum, annually - and after any significant infrastructure or application change. Many compliance frameworks require at least annual testing. With autonomous pentesting platforms that deliver results in 24 hours, quarterly or even monthly testing is becoming feasible for organisations with fast development cycles.
How much does a penetration test cost?
Traditional manual pentesting typically costs €10,000-50,000 per engagement with a 3-6 week timeline. Autonomous platforms like SQUR deliver comparable results starting at €1,995 with a 24-hour turnaround. See our pentesting cost breakdown for a detailed comparison.
What are the types of penetration testing?
By knowledge level: black-box (no prior knowledge), grey-box (partial knowledge), and white-box (full access). By target: web application, network, API, mobile, cloud, and social engineering pentesting. The right approach depends on your risk profile and compliance requirements.
Is penetration testing required for compliance?
Yes, for many frameworks. DORA Article 24 mandates annual pentesting for EU financial entities. PCI DSS Requirement 11.3 requires annual pentesting. ISO 27001, SOC 2, and GDPR Article 32 all reference regular security testing. NIS2 requires risk-based measures which increasingly include pentesting.