Penetration Testing Service – FAQs

Over the past few years, more and more small businesses have been turning to use of penetration testing service as a way of assessing their security controls. The first thing you need to know about penetration testing is that it’s not a one-size-fits-all solution. Read the following FAQ to know about pentesting services, assignments, approach, costs and much more.

Get In Touch

We will not share your details with third parties.

Penetration Testing Service – Frequently Asked Questions

The following FAQ is our attempt to keep information simple and free of jargon. Whether it is cyber security testing, penetration testing or VAPT (vulnerability assessment and penetration testing) audit, the following are applicable to all of these exercises.  

What is penetration testing?

Penetration testing is the process of simulating an attack on a computer system to identify vulnerabilities that an attacker could exploit.

Why is penetration testing so important?

A pentest provides significant value to the business. For the management team, it provides a benchmark of the target assets’ (e.g. an application, an organisation or a network) risk levels and mitigation advice, that helps to prioritise risk remediation.
For technical teams, it is a validation exercise of security controls in place and a learning exercise to avoid similar issues in future.

What is the primary purpose of penetration testing?

A penetration test is an exercise to identify technical risks affecting software and hardware in scope. An accurately scoped penetration can add an assurance that the products and security configurations, controls are configured in line with good practices, and no common or publicly known vulnerabilities affect the assets in scope, at the time of the test.

How do you justify pen testing costs in your business?

Pen testing can be used as part of a risk assessment or compliance exercise, so it should always be justified with the potential risks and costs associated with the projects.

Main benefits include increased awareness about security issues, reduced operational risks for organisations and input factor into wider IT strategy.

Is penetration testing legal?

You need to have the permission of the owner of the systems in scope. Therefore, penetration testing companies request permissions via consent forms before commencing security audits.

The following acts are references to the most of the penetration testing services:

  • UK Computer Misuse Act 1990
  • UK Data Protection Act 1998
  • UK Data Protection Act 2018 (GDPR)
  • Human Rights Act 1998
  • Police and Justice Act 2006

When does pen testing helps a business?

Penetration testing sits in various phases during an asset’s business lifecycle. It could be used during Merger & Acquisition transactions, before product purchases, before product launches, before and during product development, after infrastructure or code changes and in general once a year. Pen testing is the groundwork to identify weaknesses in your assets and helping to mitigate the identified risks. 

Do you help with IT security compliance?

We help customers with IT security compliance requirements. Our assessment methodology covers well-known security standards like OWASP or SANS Critical Security Controls (among others).
For PCI DSS, GDPR, Cyber Essentials or other regulatory specific requirements, you must mention this as the requirement when scoping assessments with Cyphere.

How disruptive is pen test activity?

Cyphere’s assessments are designed to be as safe and inconsequential for the customer, while also providing an accurate analysis of their weaknesses. Our assessment methodology ensures that all our assessments are performed with high technical standards, and taking into account any fragile components discussed during project meetings.

How do you approach customer engagement?

Our engagement approach remains focussed on service quality. Three principles underpin our engagement approach: We engage, We listen, and We deliver. The following five steps define our pen test process:

  1. Customer Business Insight & Requirements Capture
  2. Services Proposal
  3. Execution
  4. Delivery
  5. Debrief & After-care Support

How do you handle client communications?

We take customer communication as seriously as the technical elements of the job. We engage with customers throughout a project, ensuring that contacts are up to date in the language they understand and never forgetting about them even after work has been completed. Post engagement, we provide free debriefs for management and technical audiences so it becomes easier to analyse and prepare risk remediation work.

How do you handle client data?

We take customer communication as seriously as the technical elements of the job. We engage with customers throughout a project, ensuring that contacts are up to date in the language they understand and never forgetting about them even after work has been completed. Post engagement, we provide free debriefs for management and technical audiences so it becomes easier to analyse and prepare risk remediation work.

How long does a penetration test take?

The duration of an assessment varies based on the required focus and the size of the target asset. For instance, an application with dynamic content, integrated authentication and payment modules along with form fields would take longer to assess than a static website with a simple search function. Similarly, network assessments include restrictions, size, accessibility factors while determining the timescales.

How much does a penetration test cost?

Penetration testing pricing is calculated based on the attack scenarios and the time invested in the assessment. A simple web application assessment (considered small) can be conducted within 3-4 days. A large corporate web application with multiple modules may require a few weeks. 
All our pricing provides a breakdown to ensure transparency and flexibility for clients to make an informed choice. 

Why do we need penetration testing?

Penetration testing is an essential part of security for networks, apps and endpoints. It helps to protect against external threats by making sure the system control is safeguarded from unwanted access – whether outside or inside the organisation.

Do you require to be onsite or remote?

Many a time, penetration testing can be performed remotely. We provide our external IP addresses during every remote assignment so that customer logging and monitoring processes and procedures are aware of this activity. 

Do you offer risk remediation?

Our comprehensive reporting provides both strategic and tactical recommendations. As part of our aftercare service, we help clients prepare risk remediation plans. 

  • Which assets pose risk by highlighting the vulnerabilities and associated risks?
  • What is the impact and likelihood of the attacks associated with identified threats?
  • How our remediation advice (both tactical and strategic levels) is helpful?

 Our web and phone support is available to all customers where we promise to answer all queries between 24-48 hours. An optional consultancy is available where risk remediation service is provided to close the gaps based on a risk-focused approach. 

How many types of penetration testing are there?

Penetration testing can be a white box, black box or grey box assessment depending upon the business requirements. These types cover different threat scenarios to an asset. Read types of penetration testing in detail. The following penetration tests are categorised based on targets:

What are penetration testing methodologies?

A penetration test methodology is like a rulebook that defines the logic based on the threat scenarios, tests to be carried out to assess a target’s security. 

Our Penetration testing methodology involves these phases:
1. Initial Scoping and Objectives Agreement
2. Reconnaissance
3. Scanning
4. Exploitation
5. Cleanup, data analysis and reporting
6. Remediation (optional)

Which approach is better a manual security test or an automated security test?

Both approaches are needed and are helpful to security teams as part of a wider security strategy. 
Automated security assessments (e.g. vulnerability scanning) cover more breadth than depth and also come with certain downsides like false positives. The manual assessment such as penetration testing ensures depth due to the skill-set by offering exploitation, tweaking the test cases in line with the customer environment and also pick up on issues such as logic flaws that remain undetected with software-based scanners. 

When to perform a penetration test?

Generally, security assessments are linked with change. When a change i.e. a network refresh, application improvement happens in your environment, a pen test is conducted to identify gaps and analyse the associated risks. It is ideal to test any asset before it is released in the production environment.

How do I prepare for penetration testing?

  1. Define the scope as accurately as possible – this impacts the results.
  2. Carry out a risk assessment that aims to find security objectives for the business to protect its assets.
  3. Define test plans including change management processes, contacts, escalation points, pre-requisites and schedules.

How does penetration testing work?

A penetration test may be performed on any type of computer, including laptops, desktops, servers, mobile devices, tablets and even smart home systems. After an asset is selected, the threat surface is taken into account to decide whether white box, black box or grey box assessment is best suited. This information is made available to penetration testers (security consultants) who prepare and agree on different test cases to be conducted during the pen test. A pen test is followed by a comprehensive report aimed at management and technical audiences providing the supplemental information, analysis of risks identified, probability and impact of the risk along with remedial actions. 

What is internal and external penetration testing?

An internal pen test is a type of penetration testing, which work by looking for vulnerabilities inside an organisation’s network. External pen tests are performed remotely by ethical hackers who search the internet-facing assets like email and web servers for security vulnerabilities.

What is vulnerability scanning in cyber security?

Vulnerability Scanning is a process used to detect any vulnerabilities in an organisation’s security program. Vulnerability assessments cover areas such as the patch management process, secure hardening procedures and secure coding practices.

What is the difference between VA vulnerability assessment and PT (penetration testing )?

A vulnerability scan is a type of diagnostic that tests the security of a system by looking for security holes in software, applications or networks.

A penetration test, on the other hand, is more rigorous than a vulnerability scan and often includes exploiting vulnerabilities to determine what would happen if an attacker were successful.

What is AWS penetration testing?

AWS penetration testing, also known as AWS security assessment or AWS vulnerability analysis, is a process that helps organizations identify and mitigate risks in their Amazon Web Services (AWS). This helps identify gaps that may need to be addressed before a system is put into production, or in order to satisfy compliance requirements.
It is important to be aware of what can and can’t be tested in the cloud, read here

What is a Web application penetration test?

A web application penetration test is a security audit conducted to identify vulnerabilities that may put the application users or the data at risk. This type of assessment is performed by a third-party security consultant and typically includes scanning for common vulnerabilities such as cross-site scripting (XSS), SQL injection, etc. that exploit known flaws in the applications. OWASP Top 10 methodology is followed in all our projects, as detailed here.
In order to protect your business from cybercriminals who are continuously looking for ways into your systems – whether it’s through malware or other types of attack – you need to conduct periodic security audits on all of your applications.

What is mobile penetration testing?

Mobile penetration testing is a process that helps to determine the security of an organization’s mobile applications and devices, including secure configuration reviews of mobile device management (MDM). 
Mobile devices are popular targets for hackers because they can be easily lost or stolen and have access to many sensitive applications that contain important data.

What should be included in a good penetration testing report?

A penetration test report should involve the following areas:

  1. An outline of risk exposure for the tested assets
  2. Strategic and tactical recommendations on how to improve security posture
  3. Security issues identified during the assessment
  4. Risk levels in the context of likelihood and impact
  5. Recommendations to address the findings
  6. Customer support involving debriefs to ensure customer has a full understanding of their risks and risk remediation plan

Penetration tests differ in scope based on the attack surface and the target asset. This defines how long it will take and what all scenarios and pen test methodologies to be taken into account.

One of the first things you need to do is knowing about different types of pentests. Whether it is penetration testing as a service you have subscribed for or one off test, for your organization to figure out what will best suit their needs, they’ll have to weigh in on which type may be more appropriate. A white box assessment of an application might be a good fit but when trying to simulate an insider attack scenario then grey-box or black-box assessments are available as an option.

Business requirements such as compliance, customer needs should be taken into account to define what would be the best fit. It would answer how regularly you should perform pen tests and how are pentesting services delivered.

In order to stay secure, it is important that you identify and fix vulnerabilities. Once the report has been generated from your pentest, focus on fixing what’s most critical first since not all of them can be fixed immediately.

The good luck will come in handy.

Your trusted penetration testing service provider


Web Application Penetration Testing

Our team of penetration testers will test and perform penetration tests on your web applications and web services/APIs. 

Web app pentesting includes source code reviews, API security testing, threat modelling and database security.

Web Application Pen Testing​

Mobile Application Pen Testing

Ensuring the safety and security of user data is paramount to running any mobile devices and underlying code. 

Our tailored services are designed to identify potential threats, OWASP checks and vulnerabilities in your mobile applications and devices.

Mobile App Pen Testing

Cloud Penetration Testing

Most organizations are migrating to cloud due to ease of use and 24 x 7 availability. 

As an end user of cloud hosted solution, it is your responsibility to ensure that the security of any operating systems and applications hosted in the cloud are continuously maintained and tested.

Cloud Pen Testing

Internal Network Penetration Test

A consultant led exercise performed on the internal (or corporate environments) network. 

This starts with an unauthenticated attacker test case aimed to identify, exploit and infiltrate across the entire network. 

Internal Network Pentest

External Pentesting

This exercise is aimed at internet facing assets (external boundary) of your organisation, performed remotely from our labs. 

External network penetration testing is performed with zero privileges, that is same level access as an internet based user. 

External Network Pen Test

Firewall Risk Assessment

Our firewall security assessment service is aimed at checks around configuration and traffic/rulebase.
The device in scope could be any of the perimeter firewalls, cloud based NSGs, small business based all in one firewall, switch or wireless devices.

Firewall security review

Penetration testing as a service offers continuous assurance


Mobile Application Pen Testing

Ensuring the safety and security of user data is paramount to running any mobile applications. Our tailored services are designed to identify potential threats and vulnerabilities in your mobile applications and devices.

Mobile App Pen Testing

Red Team Operations

Our Red Team testing operations aimed at simulating a real-world cyber attack to check your attack preparedness.
Our key service features include flexible pricing, actionable outcomes and an adversarial mindset helping customer upskill blue team capabilities. 

Red Teaming

Secure Hardening Review

A secure hardening review ensures no weaknesses are introduced in the security posture of your company keeping exposed services with minimal attack surface. Default passwords, OS configuration, services, anti-malware controls are assessed in this review.

Secure Hardening Reviews

Azure Penetration Testing

Whether you are utilising classic Azure portal or Azure Resource Manager (ARM),

Our Azure pentests and security reviews can help you assess and remediate the security vulnerabilities and misconfiguration in Azure services and products.

Azure Penetration Testing​

AWS Penetration Testing

AWS pentests include three different service areas, targeted at SaaS, Infrastrucutre and internal cloud components. Data Leakages/permissions, misconfiguration, IAM, Networking, Logging & Monitoring areas are some of the pillars behind your AWS security strategy. 

AWS Penetration Testing​

SaaS Security Testing

Cyphere have the skill-set and extensive experience of working with all the major cloud service providers. 

As shared services concept is gaining more traction, risks of data leakage are increasing with more blind spots than ever for SaaS providers as well as SaaS users.

SaaS Security Testing

Recent Blog Entries

What are Active Directory security groups?

When trust goes wrong – supply chain attack, examples and prevention measures.

Data Protection Impact Assessment (DPIA) GDPR – meaning, methodology and more!

What is Azure Active Directory? A detailed overview.

Privacy Impact Assessment – PIA vs DPIA (GDPR)

GDPR – Individual Rights

What are the security risks of the cloud computing?

The top 10 network security vulnerabilities for businesses in 2021

Data Subject Access Request: Article 15 GDPR – The Right of Access

What is an attack vector? Assess your attack surface and how to avoid cyber attacks.