March 13, 2026

Penetration test in brief

A penetration test, or pentest, is a controlled and authorized attack on your IT systems. A certified security specialist tries to get into your systems the same way a real attacker would, with the goal of finding weaknesses before anyone else does.

Companies conduct pentests to understand how well their security actually holds, not just on paper but in practice. It gives a concrete picture of what risks exist and what needs to be addressed, formulated in an actionable way. We know this work well: Cyloq has conducted 500+ audits and identified 670+ critical vulnerabilities in Swedish companies and organizations.

What types of penetration tests exist?

Which test is appropriate depends on what you want to protect. The most common tests look like this:

Web Application Test

A web application test reviews the security of web-based services, login features, forms, and data feeds. It is suitable for those who have a customer-oriented web service or an internal web application that handles sensitive information.

API Test

An API test focuses specifically on how your APIs handle authentication, access control, and data exposure. It is especially important for organizations that integrate services with external parties or expose APIs to customers and partners.

External infrastructure test

An external infrastructure test examines everything visible from the internet: firewalls, servers, DNS and public services. It is a good first test for organizations that want to understand what an attacker actually sees and can exploit from the outside, without any prior knowledge of your environment.

Internal network test

An internal network test simulates a scenario where an attacker has already gained access, for example through a successful phishing attempt or a compromised account. It is the right choice when you want to understand how far an internal attacker can actually move in the environment and what is accessible if the perimeter protection is deficient.

Cloud test

A cloud test reviews configurations in Azure, AWS, or Google Cloud. It is especially suitable for organizations that have recently migrated to the cloud or expanded their cloud services. Misconfigurations are one of the most common causes of data breaches in cloud environments, and something traditional network tests rarely cover.

Active Directory test

An Active Directory test examines how well your AD environment is protected against attacks such as privilege escalation, lateral movement, and Kerberoasting. This is relevant for virtually any organization running Windows-based environments, and especially important if you manage sensitive systems or have many users with different levels of permissions.

Mobile App Test

A mobile app test examines the security of iOS and Android applications: how data is stored locally, how communication with the back-end takes place, and whether the app's behavior can be manipulated in ways that were not intended. It suits anyone who has an app in production that handles user data or is connected to sensitive back-end systems.

Book an appointment with us and we will see which test suits you best.

When should a company do a pentest?

There are a number of situations in which a pentest is particularly warranted:

  • Ahead of a product launch. One of the best times to test, while you can still fix findings before they reach your users.
  • After a major system change. A migration to the cloud or a new integration almost always introduces new risks.
  • In case of compliance requirements. NIS2, ISO 27001 and PCI DSS require that security is actually tested and documented, and a pentest is one of the most concrete ways to meet that requirement.
  • After a security incident. To understand how the attacker got in and make sure that path is closed.

For systems that handle sensitive data, a pentest is recommended as a routine measure, at least once a year. The threat landscape is constantly changing, and a test conducted 18 months ago says nothing about where you stand today.

White box, grey box and black box — what's the difference?

The three variants differ in how much information the tester receives about the system before the test begins, and the choice affects both depth and cost.

Black box means that the tester starts completely without prior knowledge, just like an external attacker. It gives a realistic picture of how difficult it actually is to get in from outside, but can miss deeper vulnerabilities that require more time and transparency to find.

White box gives the tester full access to source code, system documentation, and architecture. It allows for a thorough review and is a good fit when you want to maximize coverage, for example for a product launch or a major system shift.

Grey box is a combination of the two. The tester receives limited information, such as a login or a system overview, simulating an attacker with some visibility into the environment. It is often the most cost-effective option for established systems and provides good coverage without requiring as much time as a full white box test.

How is a penetration test done?

The process follows a structured pattern regardless of the test in question:

It starts with an initial meeting where you and the test team define what should be tested, which systems are included and what is out of scope. Here you agree together on the schedule, test method and rules of engagement.

The tester then maps the environment, collecting information about exposed services, domains and potential entry points, without yet attempting to get in.

Then follows a vulnerability analysis, where the entry points found are examined and evaluated. Misconfigurations, outdated software and logic flaws are mapped out and prioritized for the next step.

Exploitation is what distinguishes a pentest from a vulnerability scan. The tester actively tries to exploit the identified vulnerabilities to verify whether they can actually be exploited in practice and how far an attack can go.

Everything is then documented in a report with technical descriptions, severity ratings and concrete action proposals. The report is not raw data, but a basis you can actually work with.

Finally, a review meeting is held where you go through the findings together with the team. You can discuss priorities and get your questions answered.

A typical test takes 1 to 4 weeks depending on the scope and type of test.

What do you get in a pentest report?

A well-written pentest report is a working document. It is written so that decision-makers can understand the risk picture without having to delve into the technical details; the executive summary therefore provides a non-technical overview of the key findings.

Each vulnerability is classified with a severity rating, usually on the CVSS scale, from observations to critical vulnerabilities. Each finding includes a technical description of how the vulnerability works, where it is located and what it can be used for. In addition, reproduction steps are recorded that allow your team to verify and understand the findings in more detail.

The report concludes with concrete proposals for action and a prioritisation of what should be dealt with first. It should be possible to distribute the work internally immediately after the review.

Book a meeting

Book a pentest kick-off meeting

Do you know what you want to test but not quite how? Or are you at an early stage and need help defining the scope? Schedule a discovery meeting with us, and we'll figure it out together.

FAQ

Penetration Testing FAQs

How long does a penetration test take?

A typical pentest takes between 1 and 4 weeks from start to report. The scope depends on the size of the system, the number of assets in scope, and the test type selected. Simpler web applications can be done in a week, while a full Active Directory review takes longer.

How much does a pentest cost?

The price ranges from approximately SEK 30,000 for a smaller limited test to SEK 250,000 or more for a comprehensive review of multiple systems. The factors that control the price are scope, test type and time spent. Read more in our separate price guide.

What is the difference between pentest and vulnerability scan?

A vulnerability scan is automated and identifies known vulnerabilities on a large scale. A pentest is manual, deeper and includes verification of findings and how they can be combined into a real attack.

Do small businesses need pentest?

Yes, especially if you handle customer data, personal data or financial information. The attacker does not care about the size of the company, but about what data exists and how difficult it is to access. Smaller companies are often easier targets because the level of security is generally lower.

What certifications should a pentester have?

The most recognized certifications are OSCP, OSEP, GPEN, GWAPT, and CREST. OSCP is the industry standard for hands-on competence. Cyloq's team has OSCP certifications and over 15 years of combined experience.