A vulnerability scanner finds that your server runs OpenSSL 3.0.7 (known CVE). A penetration tester chains that with a misconfigured CORS policy, an IDOR in your API, and a password reset flaw to demonstrate full account takeover of any user — including your admin. That's the difference between automated scanning and penetration testing: context, creativity, and the ability to think like an attacker.
1. What Penetration Testing Is (and What It Isn't)
| | Vulnerability Scan | Penetration Test | Red Team Exercise |
|---|---|---|---|
| Approach | Automated tool scans for known CVEs | Human tester exploits vulnerabilities in scope | Team simulates realistic attack scenario |
| Duration | Hours | 1-3 weeks | 2-6 weeks |
| Cost | $500-5K/year (tool license) | $5K-50K per engagement | $30K-150K+ |
| False Positives | High — flags everything, many not exploitable | Low — tester verifies exploitation | None — demonstrates real attack paths |
| Best For | Continuous baseline scanning | Finding exploitable vulnerabilities before attackers | Testing detection and response capabilities |
You need all three, at different frequencies. Vulnerability scanning runs continuously (see our DevSecOps guide). Pentests happen annually or after major changes. Red team exercises are for mature organizations that want to test their detection and response.
2. Types of Penetration Tests
| Type | Scope | Typical Cost | When to Do It |
|---|---|---|---|
| Web Application | OWASP Top 10, auth flaws, business logic, API security | $5K-25K | Before launch, annually, after major features |
| API | BOLA, auth bypass, rate limiting, injection, business logic | $5K-20K | Before public API launch, after API changes |
| Mobile Application | Insecure storage, certificate pinning, API calls, binary protections | $8K-30K | Before app store submission, annually |
| Network / Infrastructure | External surface, internal network, cloud config | $10K-40K | Annually, after infrastructure changes |
| Cloud Configuration | IAM, storage, network, secrets, logging across AWS/Azure/GCP | $8K-25K | After cloud migration, annually |
| Social Engineering | Phishing simulations, pretexting, physical access | $5K-20K | Annually, as part of security awareness |
For most SaaS companies, start with web application + API pentesting. That's where your customers' data lives and where attackers focus. Add a cloud configuration review if you manage your own infrastructure. Add network testing if you have on-premises servers or VPN infrastructure.
3. How a Pentest Works — The Methodology
Professional pentesters follow structured methodologies (PTES, OWASP Testing Guide, NIST SP 800-115). Here's what the engagement looks like in practice:
| Phase | Duration | What Happens | Your Involvement |
|---|---|---|---|
| 1. Scoping | 1-3 days | Define scope, rules of engagement, test accounts, environments | High — you define what's in/out |
| 2. Reconnaissance | 1-2 days | Map the application, discover endpoints, understand business logic | None — tester explores independently |
| 3. Testing | 5-15 days | Attempt exploitation, chain vulnerabilities, test business logic | Standby — answer questions, provide access if needed |
| 4. Reporting | 3-5 days | Document findings, risk ratings, proof of exploitation, remediation guidance | Review draft report, ask clarifying questions |
| 5. Remediation & Retest | 1-2 days | Tester verifies that critical/high findings are fixed | You fix vulnerabilities, tester retests |
Black Box vs Gray Box vs White Box
| Approach | Tester Knowledge | Pros | Cons |
|---|---|---|---|
| Black Box | No access, no docs, simulates external attacker | Realistic attack simulation | Wastes time on recon, misses internal issues |
| Gray Box | Test accounts, API docs, architecture overview | Best coverage per dollar, efficient | Less realistic than black box |
| White Box | Full source code access, architecture docs, DB schemas | Maximum depth, finds subtle bugs | Expensive, requires code review skills |
Our recommendation: gray box for most engagements. Give the tester user accounts (regular + admin), API documentation, and a high-level architecture overview. They spend time finding real vulnerabilities instead of discovering features. Black box pentests often produce findings like "I found the login page" and "the API returns version headers" — not the deep business logic bugs that actually matter.
4. Scoping — Getting the Most Value
Bad scoping is the #1 reason pentests underdeliver. Be specific about what you want tested and what's most critical.
Scoping checklist:
- Targets: Specific domains, IP ranges, API endpoints, mobile apps
- Exclusions: Third-party services, production databases with real data, specific functionality
- Test accounts: Provide accounts at each role level (user, admin, etc.)
- Environment: Staging (recommended) or production with specific hours
- Focus areas: "We just rebuilt authentication" or "the payment flow is critical"
- Rules of engagement: Can they social engineer employees? Can they DoS test?
Tell the pentester what you're worried about. "We rebuilt our auth system last month" is valuable context. "Our API handles financial transactions for 50K users" helps them prioritize. The best pentest reports come from engagements where the tester understood the business context — not just the technical surface. Also: always include your API in scope. We've seen companies pentest their web app thoroughly while their API (same backend, same data) went untested. See our API security guide for what to watch for.
5. Choosing a Penetration Testing Provider
| Factor | What to Look For | Red Flag |
|---|---|---|
| Methodology | OWASP Testing Guide, PTES, custom methodology documented | "We just run Burp Suite and Nessus" |
| Tester Credentials | OSCP, OSCE, GXPN, or equivalent + experience | Won't tell you who's doing the actual testing |
| Report Quality | Ask for a sample report — clear risk ratings, proof of exploitation, remediation advice | Reports that are just Nessus output repackaged |
| Communication | Daily status updates, immediate notification for critical findings | Radio silence for 2 weeks then a report dump |
| Retest Included | Free retest of critical/high findings within 30-60 days | Charges full price for retest |
Budget tip: A good pentester costs $150-300/hour. A 5-day web app pentest = ~$5K-15K. Cheaper isn't better — a $2K "pentest" is usually just a Nessus scan with a nice cover page. More expensive doesn't guarantee better either — ask for a sample report and references.
6. After the Pentest — Making Findings Actionable
A pentest report is worthless if findings don't get fixed. Here's how to handle the report:
| Severity | Fix SLA | Action |
|---|---|---|
| Critical | 48 hours | Drop current sprint work. Apply hotfix. Emergency deploy. |
| High | 1 week | Top priority in next sprint. No exceptions. |
| Medium | 30 days | Schedule in upcoming sprint. Track in issue tracker. |
| Low / Informational | 90 days | Add to security backlog. Fix opportunistically. |
Request a retest after fixing critical and high findings. The retest verifies the fix and gives you a clean report — which is what you share with enterprise customers and SOC 2 auditors. A pentest report with "0 critical, 0 high findings after remediation" is much more compelling than one with open issues.
7. Frequently Asked Questions
How often should we pentest?
Annually at minimum — most compliance frameworks (SOC 2, PCI DSS, ISO 27001) require it. Additionally after major releases, architecture changes, or new features that handle sensitive data. Some companies pentest quarterly for their most critical applications. For continuous testing between annual pentests, consider bug bounty programs through HackerOne or Bugcrowd.
Should we pentest production or staging?
Staging with production-like configuration is ideal. Production testing risks disruption and raises data privacy concerns (the tester sees real user data). If you must test production, set specific testing windows, use a dedicated test tenant/organization, and ensure the tester has a way to reach you immediately if something breaks. Never pentest production without a rollback plan.
Can we do penetration testing in-house?
For compliance, you generally need an independent third party. For continuous security testing between formal engagements, in-house skills are valuable. Train developers to think like attackers using OWASP WebGoat, HackTheBox, or PortSwigger Web Security Academy. But an external pentester brings fresh eyes and specialized skills that your team — who built the system — won't have.
What about bug bounty programs vs pentests?
They're complementary, not alternatives. Pentests provide structured, time-bound assessments with guaranteed coverage. Bug bounties provide continuous, crowd-sourced testing with pay-per-finding. Start with pentesting to establish a security baseline. Add bug bounties when your application is mature enough that low-hanging fruit is already fixed — otherwise you'll pay bounties for issues a pentest would have caught in one engagement.
Pillai Infotech LLP
We help companies scope, manage, and act on penetration testing engagements — from provider selection to remediation of findings. Let's assess your security.