Penetration Test

What is a Penetration Test (Pen Test)

A penetration test, also known as a pen test or sometimes as ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized access to sensitive data.

The UK National Cyber Security Centre describes penetration testing as: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."

Why Would I Commission a Pen Test?

According to the Department for Digital, Culture, Media and Sport (DCMS) in the UK, 39% of businesses report having had cyber security breaches or attacks in the last 12 months. Many organisations fear it is only a matter of time before they suffer an attack themselves; however, they can only fix weaknesses in their defences once they are aware of them.

A pen test will reveal vulnerabilities in your IT system, identify the real risks and give you an expert third-party opinion. It is an important step in coming to terms with the specific vulnerabilities in your IT systems and getting buy-in across the organisation to address them.

Some industries have legal or compliance requirements that call for a certain level of penetration testing. For example, the ISO 27001 standard and the PCI regulations require regular penetration tests.

Who Conducts a Pen Test?

Anyone with a computer and an Internet connection can set themselves up as a penetration tester. These could include irresponsible organisations that do not have policies, processes and procedures in place to ensure the quality of service and the protection of client information. The individuals employed by these companies may have no demonstrable skill, knowledge or competence, but an impressive CV. This makes the procurement of these important services difficult and problematic.

If you use a pen test provider, you should ensure they are CREST accredited. CREST is an organisation that provides internationally recognised accreditations for organisations, and professional-level certifications for individuals, providing penetration testing, cyber incident response, threat intelligence and Security Operations Centre (SOC) services.

Where can I find an accredited Pen Test provider?

You can visit CREST's service selection platform, which provides a great deal of useful information and guidance.

CREST'S Service Selection Platform