What a penetration test actually looks like
Most businesses have never seen a pentest from the inside. Here's what happens, step by step, from scoping to retest.
By Jellybean Cyber
You've been told you need a penetration test. Maybe a client asked for one. Maybe your insurer did. Maybe you just know it's overdue. But nobody's explained what actually happens.
Here's the short version: we try to break into your systems the way a real attacker would, document everything we find, and tell you how to fix it. The longer version is more useful.
The scoping call
Every engagement starts with a conversation. We need to understand what you have, what matters most, and what's off limits.
We'll ask questions like:
- How many external IP addresses do you have?
- Do you have web applications that handle customer data?
- Is Active Directory in scope?
- Are there any systems we can't touch during business hours?
This call usually takes 30–45 minutes. At the end, you get a fixed-price quote. Not a range. Not "it depends." A number.
Rules of engagement
Before we start, you sign off on a rules of engagement document. This covers:
- Exactly which systems are in scope
- Testing windows (we can work out of hours if needed)
- Emergency contacts on both sides
- What happens if we find something critical mid-test
We don't start until both sides are clear on the boundaries.
The testing phase
This is where the work happens. Depending on scope, testing runs 5–10 business days. Here's a rough breakdown of what our team does:
Reconnaissance. We map your external attack surface — DNS records, open ports, services, certificate details, exposed metadata. The same things an attacker would find with Shodan, Censys, or a well-crafted Google dork.
Vulnerability identification. We test each service for known vulnerabilities, misconfigurations, and weak defaults. This goes beyond automated scanning — we manually verify what the scanners flag and look for things they miss.
Exploitation. Where we have permission, we attempt to exploit vulnerabilities to demonstrate real impact. Can we get a shell? Can we read the database? Can we move laterally to other systems? This is what separates a pentest from a vulnerability scan.
Post-exploitation. If we get in, we see how far we can go. Can we escalate privileges? Can we access other network segments? Can we reach the domain controller? This maps your internal risk in a way that a scan never will.
What we find — typical examples
Every environment is different, but certain things come up repeatedly:
- Default credentials on management interfaces (routers, printers, IoT devices, admin panels)
- Unpatched services — particularly on internal systems that "nobody uses anymore"
- Exposed admin interfaces accessible from the internet with no MFA
- Weak network segmentation — a compromised workstation leading straight to the server VLAN
- Missing security headers on web applications (CORS, CSP, HSTS)
- Password reuse — one compromised credential working across multiple systems
None of these are exotic. That's the point. Most breaches don't require a zero-day exploit. They require a forgotten admin panel with admin:admin still set.
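As an added illustration of the "missing security headers" item above (example code written for this page, not Jellybean Cyber's own tooling), here is the kind of check that finding rests on, run over constructed header sets for two hypothetical URLs; it flags missing or short-lived HSTS, missing or inline-permitting CSP, and over-broad CORS.

```python
"""Audit HTTP response headers for the HSTS / CSP / CORS weaknesses that
commonly appear as pentest findings. Added example; the URLs and header
sets below are constructed sample data, not real hosts."""
from typing import Dict, List

ONE_YEAR = 31536000  # minimum HSTS max-age generally recommended

SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {  # constructed
    "https://app.example.test/login": {
        "Content-Type": "text/html",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    },
    "https://api.example.test/v1/me": {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'",
        "Access-Control-Allow-Origin": "https://app.example.test",
    },
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding strings for one response; empty list means clean."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age = 0
        for part in hsts.split(";"):  # directives are ';'-separated, e.g. max-age=N; includeSubDomains
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}s, want >= {ONE_YEAR})")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline'")
    acao = h.get("access-control-allow-origin")
    if acao == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS wildcard origin combined with credentials flag")  # browsers reject this combination, but it signals a misconfigured intent
    elif acao == "*":
        findings.append("CORS allows any origin")
    return findings


def audit_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run audit_headers over every sampled URL, keyed by URL."""
    return {url: audit_headers(hdrs) for url, hdrs in responses.items()}
```
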
The report
You get two things:
Executive summary. One to two pages. Written for people who make decisions but don't configure firewalls. This covers: what we tested, how many issues we found at each severity level, the overall risk posture, and our top three recommendations.
Technical report. Every finding documented individually with:
- Severity rating (CVSS score)
- What we found and where
- Evidence (screenshots, request/response pairs, commands used)
- Why it matters (the actual business risk)
- How to fix it (specific, actionable steps)
We write reports that your engineer can act on without calling us back. But we're happy to take the call anyway.
The walkthrough call
After you've had time to read the report, we jump on a call to walk through the findings. We answer questions, help prioritise remediation, and talk through any findings that need more context.
This call is usually where the real value lands. The report tells you what's wrong. The call helps you decide what to fix first and why.
The retest
After you've remediated the critical and high-severity findings, we retest those specific items at no extra charge. You get a clean attestation letter confirming the issues are resolved.
This matters for compliance, for client assurance, and for your own peace of mind.
How long does all of this take?
From scoping call to final report, typically 3–4 weeks. The testing itself is 5–10 days depending on scope. Report delivery within 5 business days of testing completion.
If you have a compliance deadline or a specific date you're working toward, tell us on the scoping call. We'll work with your timeline where we can.
One more thing
A pentest is a snapshot. It tells you where you stood on the day we tested. It doesn't replace ongoing monitoring, patching, or security awareness. But it does give you a clear, honest picture of your current risk — and a concrete list of things to fix.
If you haven't had one recently, get in touch. The scoping call is free and there's no obligation.