Penetration testing pros and cons

Cyber attacks are cheap to conduct, but expensive for organisations that are hit by them. Botnets can be hired cheaply, hacking software is readily available, and even those without technical or practical knowledge can purchase attacks as a service.

Attacks can cripple a company’s systems, they can lead to large fines and reputational damage, and the low investment necessary to conduct an attack means that no business is too small to be targeted.

That is where penetration testing (‘pen testing’) comes in. It is essentially a controlled form of hacking in which a professional pen tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

Penetration testing is widely acknowledged as an important part of cyber security (it is, for instance, a requisite part of a number of regulatory standards and compliance schemes), but, like any security mechanism, it is not perfect.

We’ve outlined some of the most important pros and cons of conducting penetration tests:

Pros
  • They can identify a range of vulnerabilities.
    Businesses are exposed to a host of potential threats, and each threat might be able to exploit hundreds of different vulnerabilities. Such vulnerabilities are open to potentially devastating attacks, such as SQL injection, and even something as apparently benign as an error page can give an attacker enough information to exploit a less obvious and much more harmful vulnerability.
  • They can identify high-risk weaknesses that result from a combination of smaller vulnerabilities.
    Taken on their own, small vulnerabilities may appear negligible, but hackers often seek out these weaknesses and chain them into intrusion sequences, using small, steady steps to pry open minor security gaps into much larger weaknesses. These gaps are often overlooked by the company or by automated security tools, but because pen testers replicate a hacker’s methods, they are able to identify such points of entry.
  • Reports will provide specific advice.
    The final step of a penetration test is reporting the vulnerabilities. Unlike automatically generated reports from tools that offer generic remediation tips, reports from penetration tests can rank and rate vulnerabilities according to the scale of the risk and the company’s budget.

Cons
  • If they’re not done right, they can create a lot of damage.
    Tests that are not done properly can crash servers, expose sensitive data, corrupt crucial production data, or cause a host of other adverse effects associated with mimicking a criminal hack.
  • You are required to trust the penetration tester.
    Penetration testing essentially means that you’re inviting someone to hack into your systems, so you’re relying on the tester not to abuse their skills and knowledge. If you don’t hire someone you can trust to do the job, your security attempts may backfire spectacularly.
  • If you don’t employ realistic test conditions, the results will be misleading.
    Employees are likely to prepare for a test that they know is going to take place, meaning that the organisation appears to be stronger than it actually is. A genuine attack will come without warning and in ways that are creative and hard to plan for.

Learn more about penetration testing

If you’re considering completing a penetration test, IT Governance offers a number of services in fixed-price packages. We have recently released a data sheet that outlines our services, methodology and the benefits of using IT Governance.

For instance, we are CREST-accredited, as are our penetration testers, and we are experts in many standards, including the PCI DSS, ISO 27001 and ISO 22301.

Find out more by reading our data sheet.