How to Conduct Penetration Testing Basics

Find vulnerabilities before criminals do. Test annually.

Overview

Authorised testing with clear scope and reporting.

Define scope.

What happens.

Use the results.

Findings are rated by severity: Critical, High, Medium, Low, Informational
Critical: Actively exploitable, could lead to full system compromise — fix immediately
High: Significant risk that could be exploited with moderate effort — fix within 30 days
Medium: Real risk but requires specific conditions to exploit — fix within 90 days
Low: Minor issues or hardening recommendations — address in regular maintenance
Each finding should include: Description, proof of concept, business impact, remediation steps
Ask your tester to explain any findings you do not understand

Missing patches: Implement regular patch management schedule
Weak passwords: Enforce strong password policy and MFA
Open ports and services: Disable unnecessary services, update firewall rules
Outdated SSL/TLS: Upgrade to TLS 1.2+ and disable older protocols
Information disclosure: Remove version numbers, error details from public-facing services
Default credentials: Change all default passwords on all devices and applications
SQL injection or XSS: Fix application code with parameterised queries and input validation

External pen test: Annually at minimum, or after significant infrastructure changes
Internal pen test: Annually, tests what an insider or compromised device could do
Web application test: After major releases or annually for critical applications
Social engineering test: Annually to assess human vulnerability
Vulnerability scanning: Quarterly automated scans between annual pen tests
Budget 2,000-10,000 pounds for a standard external pen test
Use findings to prioritise security spending and justify budget requests

Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.

Get in Touch Call 01726 76999