Penetration testing (also called pentesting, pen testing or ethical hacking) is an authorized, simulated cyber attack against a computer system, application, API or network. The goal is to identify security weaknesses (vulnerabilities, misconfigurations, design flaws) before malicious attackers can exploit them. A penetration tester follows a structured methodology that combines automated scanning, manual exploitation, post exploitation and reporting. The output is a written report in which each finding is rated by severity (Critical, High, Medium, Low, Informational) and documented with reproduction steps, screenshots, business impact and a recommended fix.

Penetration testing is mandated or expected by many compliance frameworks: PCI DSS Requirement 11.4 (external and internal penetration test at least once every 12 months and after significant changes, for cardholder data environments), ISO 27001:2022 control A.8.29 (security testing in development and acceptance), NIS2 Directive Article 21, the HIPAA Security Rule and the SOC 2 Trust Services Criteria (both require periodic security evaluation, for which a pentest is the usual evidence), and the EU Digital Operational Resilience Act (DORA) Article 26 (threat-led penetration testing for financial entities, applicable since 17 January 2025).

Pricing in 2025 ranges from 5,000 EUR for a focused web application test for an SME to over 150,000 EUR for a large enterprise scope. Continuous Pentest as a Service offerings (Cobalt, HackerOne PTaaS, NetSPI) start around 800 to 2,000 EUR per month.
How is penetration testing different from vulnerability scanning?
| Aspect | Vulnerability scan | Penetration test |
|---|---|---|
| Automation | Fully automated by tools (Nessus, Qualys, Acunetix, OpenVAS, InspectWP) | Mostly manual, supported by tools |
| Depth | Surface, signature based | Chained exploitation, business logic |
| False positives | High (10 to 40 percent) | Low (verified by humans) |
| Exploitation | None, only detection | Actual exploitation, post exploitation |
| Duration | Minutes to hours | Days to weeks |
| Cost | Free to a few hundred EUR per scan | 5,000 EUR upwards |
| Frequency | Continuous, weekly | Annual or after major release |
Vulnerability scanning finds known issues fast and cheap. Penetration testing verifies them, finds chains of weaknesses no scanner detects (business logic flaws, authorization bypasses, race conditions) and demonstrates real impact. The two are complementary.
What are the types of penetration tests?
- Web application pentest: tests OWASP Top 10, authentication, authorization, session management, business logic. Most common type for SaaS, WordPress and e commerce sites.
- API pentest: REST, GraphQL or SOAP endpoints. Tests against the OWASP API Security Top 10 (latest 2023).
- Mobile pentest: iOS and Android apps. Reverse engineering, static and dynamic analysis (Frida, Objection, MobSF).
- Network and infrastructure pentest: external (from internet) and internal (from a foothold inside the LAN). Looks for unpatched services, weak SMB, open RDP, Kerberoasting in Active Directory.
- Cloud pentest: AWS, Azure, GCP. Tests IAM misconfigurations, public S3 buckets, exposed metadata endpoints, overly permissive roles. Note that cloud providers require pre approval for some attack types.
- Wireless pentest: WiFi networks, evil twin attacks, WPA2/WPA3 cracking.
- Social engineering and phishing: simulated phishing campaigns, vishing, USB drops, physical intrusion. Tests human and process security.
- Red Team engagement: a full simulated adversary attack across all surfaces (network, app, social, physical) over weeks or months, with limited information shared with defenders.
- Purple Team: collaborative engagement where attackers (red) and defenders (blue) work together to improve detection and response.
- IoT and embedded: firmware extraction, JTAG, hardware tampering.
What are the knowledge models?
- Black box: the tester gets only the URL or IP, like a real external attacker. Most realistic but slowest and shallowest.
- Grey box: the tester has a regular user account and basic documentation. Most common compromise, good cost to depth ratio.
- White box: the tester has full access to source code, architecture diagrams, admin credentials. Deepest, finds most issues, ideal before launch.
What methodology do pentesters follow?
- Scoping and rules of engagement: define targets, allowed techniques, time window, contacts, emergency escalation. Sign a written authorization (Get Out of Jail card).
- Information gathering / reconnaissance: passive (Shodan, Google dorks, Censys, certificate transparency, Wayback Machine, leaked credentials on HaveIBeenPwned) and active (Nmap port scan, subdomain enumeration with Amass, Subfinder, content discovery with feroxbuster, gobuster).
- Threat modeling: identify the most valuable assets and likely attack paths.
- Vulnerability identification: automated scanners (Burp Suite Professional, Acunetix, Nuclei, Nessus) plus manual code review.
- Exploitation: prove the vulnerability by gaining unauthorized access, extracting data or escalating privileges, using Metasploit modules or custom exploits, sqlmap for SQL injection, hashcat for password cracking and BloodHound for Active Directory attack paths.
- Post exploitation: pivot to other systems, persistence, data exfiltration paths.
- Reporting: executive summary, technical details per finding, CVSS 3.1 or 4.0 score, business impact, remediation steps, retesting plan.
- Remediation and retest: developers fix the issues, the pentester verifies the fixes (often included in the engagement price).
Which standards and frameworks guide pentesting?
- OWASP Web Security Testing Guide (WSTG): open source checklist for web app testing, latest version 4.2 (2020) with 2025 update underway.
- OWASP API Security Top 10: the 2023 edition covers Broken Object Level Authorization, Broken Authentication, Broken Object Property Level Authorization (which merges the 2019 categories Excessive Data Exposure and Mass Assignment), Unrestricted Resource Consumption (formerly Lack of Resources and Rate Limiting), Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server Side Request Forgery, Security Misconfiguration, Improper Inventory Management and Unsafe Consumption of APIs.
- OWASP Mobile Application Security Testing Guide (MASTG, formerly MSTG) and the MASVS verification standard.
- PTES (Penetration Testing Execution Standard): classic methodology document from 2014.
- NIST SP 800-115: official US guide for security testing and assessment.
- OSSTMM: Open Source Security Testing Methodology Manual by ISECOM.
- MITRE ATT&CK: knowledge base of attacker tactics and techniques, used to map findings to real world adversary behaviour.
- PCI DSS: Requirement 11.4 mandates an annual pentest for cardholder data environments.
- TIBER-EU: framework of the European Central Bank for threat intelligence based red teaming of banks.
What tools do pentesters use?
- Burp Suite by PortSwigger: the de facto web pentest proxy. Community (free) and Professional (449 USD per user per year as of 2025).
- OWASP ZAP: free open source alternative to Burp.
- Metasploit Framework: by Rapid7, exploit and post exploitation framework. Free open source.
- Nmap: network scanner.
- sqlmap: automatic SQL injection.
- Nuclei by ProjectDiscovery: fast template based vulnerability scanner.
- hashcat: GPU password cracker.
- BloodHound: Active Directory attack path analysis.
- Kali Linux and Parrot OS: Linux distributions preloaded with pentest tools.
- Cobalt Strike: commercial command and control framework used by red teams (and unfortunately by criminals).
- WPScan: WordPress specific vulnerability scanner with plugin and theme CVE database.
What credentials prove a pentester is qualified?
- OSCP (Offensive Security Certified Professional): industry standard hands on certification by OffSec. 24 hour practical exam.
- OSCE3 (OSWE + OSEP + OSED): expert level OffSec.
- CRTO / CRTL: Red Team Operator certifications by Zero Point Security.
- CREST CRT and CCT: UK based, recognized by NCSC, used by CHECK and CBEST.
- PNPT (Practical Network Penetration Tester) by TCM Security.
- GPEN, GWAPT, GXPN by SANS GIAC.
- CEH (Certified Ethical Hacker) by EC-Council: theory heavy, often required by HR but less respected technically.
- OSWE (web application exploitation), OSEP (evasion and lateral movement) and OSED (binary exploit development): the OffSec specialist tracks that together make up OSCE3.
How is a WordPress pentest different?
A WordPress pentest focuses on:
- Plugin and theme CVEs via wpscan or the Wordfence Threat Intelligence feed.
- Unauthenticated REST API endpoints (user enumeration via `/wp-json/wp/v2/users` is the classic leak).
- XML-RPC abuse and brute force.
- Author archive enumeration via `/?author=N`.
- Backup files in the webroot (`wp-config.php.bak`, `.git`, `.env`).
- Vulnerable file upload paths in plugins.
- SQL injection in custom plugins or themes.
- Stored XSS in comments, contact form fields, theme options.
- Missing 2FA and missing CSRF nonces.
- Weak password policy and shared admin accounts.
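The first four items in that list can be checked with a few HTTP requests. The following is an added example, not code from the original page or from InspectWP, that probes REST user enumeration, the author-archive redirect, xmlrpc.php exposure and leftover backup files. The fetching and parsing are separated so the parsers can be exercised offline on the constructed responses shown in the comments; `BASE_URL` is a hypothetical placeholder and must only be pointed at a host you are authorized to test.

```python
"""Surface checks for a WordPress target: REST user enumeration,
author-archive redirects, xmlrpc.php exposure and leftover backup files.
Fetching and parsing are separated so the parsers can be exercised
offline on constructed responses."""
import json
import re
import urllib.error
import urllib.request

# Hypothetical target; only run this against hosts you are authorized to test.
BASE_URL = "https://example.com"

# Files that commonly remain in the webroot after deployments or manual edits.
BACKUP_CANDIDATES = ["wp-config.php.bak", "wp-config.php~", "wp-config.php.old",
                     ".git/HEAD", ".env"]


def users_from_rest(body):
    """Return (id, slug) pairs from a /wp-json/wp/v2/users response.
    A hardened site answers with a JSON error object (or HTML), which yields []."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [(u.get("id"), u["slug"]) for u in data
            if isinstance(u, dict) and "slug" in u]


def author_from_redirect(status, location):
    """WordPress answers /?author=N with a 301 to /author/<slug>/ when the
    author archive is enabled; the slug is usually the login name."""
    if status not in (301, 302) or not location:
        return None
    m = re.search(r"/author/([^/?#]+)", location)
    return m.group(1) if m else None


def xmlrpc_enabled(body):
    """A live xmlrpc.php answers a plain GET with this fixed text, meaning
    system.multicall brute force and pingback abuse are reachable."""
    return "XML-RPC server accepts POST requests only" in body


def classify_backup(path, status, body):
    """Report a leftover file only when the body carries a content
    signature, so soft-404 pages do not produce false positives."""
    if status != 200:
        return None
    if path.startswith("wp-config") and "DB_PASSWORD" in body:
        return f"Exposed configuration backup with DB credentials: /{path}"
    if path == ".git/HEAD" and body.lstrip().startswith("ref:"):
        return "Exposed .git repository: /.git/HEAD (source can be reconstructed)"
    if path == ".env" and re.search(r"^[A-Z][A-Z0-9_]*=", body, re.M):
        return "Exposed .env file with environment secrets: /.env"
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; the 301 Location header is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, timeout=10):
    """GET url and return (status, headers, body) even for 3xx/4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-surface-check/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def run_checks(base):
    """Run the checks against base and return a list of finding strings."""
    findings = []
    _, _, body = fetch(base + "/wp-json/wp/v2/users")
    for uid, slug in users_from_rest(body):
        findings.append(f"REST user enumeration: id={uid} slug={slug}")
    for n in range(1, 4):
        status, headers, _ = fetch(f"{base}/?author={n}")
        slug = author_from_redirect(status, headers.get("Location") or headers.get("location"))
        if slug:
            findings.append(f"Author archive enumeration: ?author={n} -> {slug}")
    _, _, body = fetch(base + "/xmlrpc.php")
    if xmlrpc_enabled(body):
        findings.append("xmlrpc.php enabled: system.multicall brute force and pingback abuse")
    for path in BACKUP_CANDIDATES:
        status, _, body = fetch(f"{base}/{path}")
        finding = classify_backup(path, status, body)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run_checks(BASE_URL):
        print(line)
```

Each finding string is worded as it would appear in the report: the leaked usernames feed directly into the password-policy and XML-RPC brute force items later in the list, which is why the checks are worth running before any credential testing.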
How do I prepare for a pentest?
- Define a clear scope. Exclude third party services you do not control.
- Provide test accounts with each user role, never production data.
- Set up a staging environment that mirrors production but is isolated from live traffic.
- Inform the SOC, IT, hosting provider and any WAF about the test window and source IPs.
- Document known issues so the tester focuses on new findings.
- Agree on a communication channel (Slack, Signal) and require immediate disclosure of Critical findings rather than waiting for the final report.
- Plan budget for retest after fixes.
Bug Bounty as complement
A bug bounty program (HackerOne, Bugcrowd, Intigriti, YesWeHack, Open Bug Bounty for non commercial sites) opens the application to a global pool of researchers who get paid per valid finding. Bounty does NOT replace pentesting but complements it: a pentest gives breadth on a deadline, a bounty gives long tail discovery of edge cases. Well-run bounty programs also publish a safe harbor clause, so researchers who stay within the stated policy are not pursued legally.
How does InspectWP fit into pentesting?
InspectWP performs automated reconnaissance and surface analysis: detection of WordPress version, plugins, themes, missing security headers, exposed sensitive files, weak TLS configuration, missing 2FA on the login page and lack of a WAF. It is not a substitute for a manual penetration test but provides the input a pentester needs at the start of an engagement, often saving the first day of reconnaissance.