The Most Frequently Asked Questions (FAQ) About Penetration Testing
We hear security questions from leaders every day. Our FAQ guide provides the clarity you need on scoping, methodology, and remediation to empower your business’s next security decisions.
General Questions
How often should my company perform a penetration test?
For most organizations, annual testing is the baseline. PCI DSS explicitly requires external and internal penetration testing at least once every 12 months and after any significant change to the environment; SOC 2 and ISO 27001 do not prescribe a frequency themselves, but auditors for both commonly expect at least yearly testing as evidence of an effective vulnerability management program.
However, you should also conduct a test immediately after making significant changes to your infrastructure or applications, such as:
Major code releases or upgrades.
Migrating to a new cloud environment.
Modifying network firewall rules or segmentation.
Adding new sensitive user roles or data types.
What is the difference between a Vulnerability Scan and a Penetration Test?
This is the most common confusion in the industry.
Vulnerability Scan: An automated, high-level sweep using software (like Nessus or Qualys) that matches detected software versions and configurations against a database of known issues: missing patches, outdated components, and common misconfigurations. It is cheap, fast, and covers the "low-hanging fruit," but it lacks context (it cannot tell you whether a flaw is actually reachable or exploitable in your environment), produces false positives, and is blind to business-logic and authorization flaws.
Penetration Test: A manual, human-led simulation of a cyberattack. An ethical hacker uses scan results as a starting point, then attempts to actively exploit weaknesses, chain individually low-severity vulnerabilities into a high-impact attack path, and bypass business-logic and access controls to see how deep they can get into your systems.
Analogy: A scan checks whether your windows are unlocked. A penetration test climbs through the window and then tries to open your safe.
Will a penetration test take my website or network offline?
The goal of a professional penetration test is to improve security without disrupting business operations. Interacting with live systems always carries some risk, but experienced testers use safeguards to keep it low.
Production Safe: We typically avoid Denial of Service (DoS) attacks and destructive payloads (deleting data, modifying production records) unless explicitly requested; where a finding must be proven on production, it is demonstrated with a non-destructive proof of concept rather than a full exploit.
Off-Peak Testing: For highly sensitive critical infrastructure, testing can be scheduled during off-peak hours / maintenance windows to minimize impact.
What is the difference between Black Box, Gray Box, and White Box testing?
These terms refer to how much information you give the testers before they start:
Black Box: The tester has zero prior knowledge (no credentials, no diagrams). This simulates an opportunistic external attacker. Within a fixed engagement budget it is the least efficient option, because time goes into reconnaissance rather than testing, and it risks missing vulnerabilities that are only reachable once authenticated.
Gray Box: The tester has partial knowledge (e.g., user credentials, basic network info). This is the most common and efficient approach, as it simulates a breach where a hacker has compromised a user account.
White Box: The tester has full access (source code, architecture diagrams, admin rights). This is best for thorough code auditing and internal security reviews.
Do I need to whitelist the penetration tester's IP address?
Yes. To get the most value out of your test, you should whitelist the testing team's source IP addresses in your WAF (Web Application Firewall), IPS (Intrusion Prevention System), and any automatic banning tools (rate limiters, fail2ban-style lockouts).
Why? A tester's first hours of scanning look exactly like an attack, and a properly configured IPS or WAF will start blocking their address within minutes. Testing whether your perimeter controls react is worthwhile, but the primary goal of most engagements is to find vulnerabilities in the application or server behind those controls, and a blocked tester cannot reach them. If you want both, split the engagement: a short unwhitelisted phase to measure the perimeter response, then the whitelisted phase for depth. Scope the whitelist to the exact addresses the testing firm provides in writing, limit it to the engagement window, and remove it the day testing ends.
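As an added example (not configuration from this page or from any testing firm), here is what a scoped whitelist looks like in a ModSecurity WAF. The source range 203.0.113.0/24 is an assumed, documentation-only range standing in for whatever the testing firm provides, and the rule id 1000100 is arbitrary; pick one that does not collide with ids already loaded.

```apacheconf
# Added example: whitelisting a pentester's source range in ModSecurity.
# 203.0.113.0/24 is an assumed documentation range; rule id 1000100 is arbitrary.

# Weak: switching the whole engine off for everyone while the test runs.
# Every real attacker on the internet gets the same free pass.
#   SecRuleEngine Off

# Better: relax enforcement only for the tester's range. DetectionOnly (rather
# than Off) keeps evaluating and logging rules for these requests, so after the
# engagement you can compare what the WAF would have blocked against what the
# testers actually found.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
    "id:1000100,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=DetectionOnly"

# Housekeeping: keep this rule in its own include file so that removing the
# include on the last day of the engagement restores normal enforcement.
```

The same exemption has to be repeated in whatever else auto-bans sources (for example fail2ban's ignoreip setting, or a rate-limit exclusion list on the load balancer); the WAF rule above only stops the WAF itself from blocking the testers.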
How long does a penetration test take?
The duration depends entirely on the "scope" (size) of the environment.
Small Web App: 3–5 days.
Medium Enterprise Network: 1–3 weeks.
Large/Complex Systems: 3–4 weeks.
Note: This does not include the time required for reporting and the subsequent re-test period.
Results and Remediation
What happens if you find a Critical vulnerability during the test?
If testers discover a Critical risk (something that puts customer data or system stability in immediate danger, such as a Remote Code Execution flaw), testing of the affected component is typically paused.
Immediate Notification: The team will contact your designated point of contact immediately (via phone or encrypted channel) to alert you.
Hotfix: This allows you to patch the hole right away, rather than waiting for the final report to be delivered weeks later.
Does the penetration testing firm fix the vulnerabilities for us?
Generally, no.
Conflict of Interest: It is a conflict of interest for the same firm to find the bugs and then be paid to fix them (the incentive is to report more findings to bill more hours, or to downplay findings it cannot fix), and the firm verifying a fix should not be the one that wrote it.
Guidance: Instead, a good penetration testing report provides detailed "Remediation Steps": instructions for your internal IT or development team on exactly how to patch each issue, with enough reproduction detail that the team can confirm the fix themselves before the re-test.
What is a "Re-test" and is it included?
A Re-test (or Verification Test) happens after your team has patched the vulnerabilities found in the initial report. The testers go back in to verify that the fixes were successful and that no new issues were created.
Tip: Always ask if the re-test is included in the initial quote. Many firms include one free re-test within 30 days of the report delivery.
Ready to Schedule Your Next Pentest?
For organizations seeking the clarity and expertise discussed in this guide, we've partnered with specialists who deliver comprehensive testing across different pentesting methodologies (Black, Gray, or White Box). With 25+ years of offensive security expertise, they focus on uncovering business-critical vulnerabilities specific to your unique architecture and workflows.
Our pentesting partners focus on:
Business-logic attacks: Custom attack scenarios designed around your specific use cases to uncover deep, hard-to-find issues.
Regulatory compliance: Specialized assessments for PCI DSS, SOC 2, ISO 27001, and other industry-specific requirements.
Manual testing: Aided by the latest technology to uncover exploitable vulnerabilities beyond automated scanning capabilities.