ClickMasters

Cybersecurity & Compliance

Penetration Testing Services FAQs

What is penetration testing?

Penetration testing (pen testing) is an authorised, simulated cyberattack on a system, performed by a security professional to identify vulnerabilities that a real attacker could exploit. Unlike a security audit (which reviews code, configuration, and documentation), a pen test actively probes the running system: the tester attempts to bypass authentication, inject malicious data, escalate privileges, and access data they should not be able to reach. The penetration tester documents every successfully exploited vulnerability with a proof-of-concept: a specific set of steps that reproduce the finding. The deliverable is a findings report that ranks each vulnerability by severity (using CVSS scoring) and provides specific remediation guidance. Penetration tests must be explicitly authorised: written rules of engagement define the scope, prohibited actions, and testing window before testing begins.

How often should a penetration test be conducted?

Annual penetration testing is the standard cadence for most B2B companies: it is required by PCI DSS (at least annually), recommended by SOC 2 auditors, and requested in enterprise procurement security questionnaires. Additional pen tests should be triggered by significant changes to the application (a new authentication system, new payment flow, or major API version), major infrastructure changes (migration to a new cloud provider or architecture), a security incident (to assess whether similar vulnerabilities exist elsewhere), and a pre-launch review of new products before public release. Enterprise security teams typically reject a pen test report dated more than 12 months ago; annual testing keeps the report current enough for sales.

What is the difference between black-box, grey-box, and white-box pen testing?

Black-box testing simulates an external attacker with no prior knowledge: the tester starts with only the application URL, with no credentials and no source code access. This tests what is visible from outside the perimeter but may miss vulnerabilities deep in authenticated functionality. Grey-box testing (the most common approach for web application pen tests) provides the tester with user-level credentials for each role (regular user, admin, API key) but no source code access. This enables testing of authenticated functionality, which matters because the majority of web application vulnerabilities require an authenticated user. White-box testing provides full access: source code, architecture documentation, and test credentials for all roles. It is the most thorough approach, but requires more time, since the tester must review code as well as test the running application. ClickMasters conducts grey-box pen tests by default: sufficient to cover the OWASP Top 10 comprehensively at the most practical cost.

What does a penetration test report include?

A ClickMasters penetration test report includes: an executive summary (a one-page non-technical overview giving the overall security risk rating, the count of findings by severity, and the top three most critical findings in plain language suitable for board and investor review); scope and methodology (tested systems, testing dates, testing approach, and tools used, such as SQLMap, Burp Suite Pro, Metasploit, and, for cloud environments, Pacu for AWS); findings (for each finding: CVSS 3.1 base score, vulnerability name, affected system or endpoint, description of the vulnerability, proof-of-concept reproduction steps, evidence screenshots, impact assessment, and remediation recommendation); a risk summary matrix (all findings visualised by severity and ease of exploitation); and an attestation letter (a signed letter confirming that the pen test was conducted and stating the overall risk rating, suitable for attaching to enterprise security questionnaires). Re-testing of remediated critical and high findings is included within 30 days.