Penetration Testing Services - Corsica Technologies

Penetration Testing Services 101

Originally published March 6, 2025. Completely refreshed July 1, 2026.

Are you easy to hack?

That’s the uncomfortable question every organization should be able to answer—and most can’t. You’ve invested in firewalls, endpoint protection, and maybe a SOC. But do you actually know whether an attacker could get in? And if they did, how far they’d get?

Penetration testing is how you find out. This guide walks through what a penetration test is, the different types, exactly how the process works, and how to prepare for one—so you know what you’re buying before you ever pick up the phone.

Key takeaways:

  • Penetration testing is an active security exercise where ethical hackers try to breach your systems the way real attackers would—not just scan for weaknesses.
  • It’s different from a vulnerability scan. A scan finds potential problems automatically; a pentest proves which ones an attacker could actually exploit.
  • There are several types, organized by what’s being tested (network, web app, cloud, mobile, physical) and by how much the tester knows going in (black, grey, or white box).
  • A standard pentest follows six phases, from scoping to a final report with a remediation plan.
  • Preparation matters. Defining scope, looping in your IT team, and prepping the environment are what separate a useful test from a wasted one.

Table of Contents

💡 EXCLUSIVE Resource: 

Sample Pentest Report

What is penetration testing?

Penetration testing (or “pen testing”) is a cybersecurity exercise in which authorized experts, known as ethical hackers, deliberately try to breach your systems to find and exploit weaknesses. The process reveals weaknesses that an organization wouldn’t have discovered before a breach. Consequently, the findings of a penetration test are often used to determine both short-term and long-term cybersecurity priorities.

Theoretically, your own team could test your defenses, but there’s a catch. If the same people who designed and maintain your network are the ones grading it, you’ve built a conflict of interest into the exercise. Do your engineers really want to find flaws in their own work? That’s exactly why most organizations bring in an independent party—and why penetration testing exists as a distinct discipline.

Why penetration testing matters

Point solutions in cybersecurity tell you what should be protected. A penetration test tells you whether a system is actually protected. Short of a real breach, a penetration test is often the only way to see how your defenses hold up against a determined human attacker who can chain together several small weaknesses into a full compromise.

Note that major compliance frameworks have come to require penetration testing. Frameworks and mandates like PCI DSS, HIPAA, SOC 2, ISO 27001, and CMMC either require or strongly expect regular penetration testing. (To see how testing maps to a specific framework, explore Corsica’s IT compliance services.)

Pen testing vs vulnerability scanning

Penetration testing vs. vulnerability scanning

If you already run vulnerability scans, you might wonder whether a pentest is the same thing. It isn’t. Both deal with network security, but each one answers different questions.

Comparison chart: Pentesting vs. vulnerability scanning

 

Vulnerability scanning

Penetration testing

Approach

Passive—identifies known weaknesses

Active—attempts to exploit weaknesses

Performed by

Automated software

Human ethical hackers (using tools)

What it reveals

Potential entry points

Proven, real-world entry points

Chained attacks

Can’t combine multiple flaws

Chains weaknesses together like a real attacker

Judgment

Limited to its rules and signatures

Applies human intuition and problem-solving

Output

A list of detected vulnerabilities

A report of what was actually exploited—and how

Here’s the short version. Vulnerability scanning is about finding weaknesses. Penetration testing is about proving how an attacker could use them against you. A scanner can flag ten open issues, but a pentester can show that two of them, combined, would hand over your domain controller. That difference is critical.

Where vulnerability assessments fit in (VAPT)

You’ll often see the two paired together as “vulnerability assessment and penetration testing,” or VAPT. A vulnerability assessment casts a wide net to catalog as many issues as possible; a penetration test goes deep on the ones that matter, validating real impact. Many organizations run frequent automated assessments and layer periodic penetration tests on top—broad coverage plus proven depth.

Network penetration testing - On premises systems - Corsica Technologies

Types of penetration testing

There’s no single, basic type of penetration test. There are multiple types, and the right one depends on what you’re trying to protect. It helps to think in two dimensions: what is being tested, and how much the tester knows going in.

Types of penetrating testing by target

Type

What it tests

When you need it

External network

Internet-facing systems, from an attacker’s outside starting point

Measuring your first line of defense—can someone get in at all?

Internal network

Lateral movement once inside your perimeter

Understanding the damage an attacker (or malicious insider) could do after a foothold

Web application

Custom and third-party web apps

You build, sell, or heavily rely on web software

Cloud

AWS, Azure, GCP configurations and workloads

Misconfigurations and unmanaged attack surface in cloud environments

Mobile application

iOS/Android apps, their APIs and storage

You publish mobile apps or handle sensitive data on them

API

Authentication, authorization, and logic of your APIs

APIs expose business logic and data directly to the internet

Wireless

Wi-Fi networks and access controls

Physical-proximity attacks and rogue access points are a concern

Social engineering

Your people—via phishing, pretexting, and more

Testing human defenses, not just technical ones

Physical

Locks, badge access, and on-site controls

Attackers who try to walk in, not just log in

External vs. internal network testing is the distinction most people ask about. External testing starts from nothing but an internet connection and replicates the scenario most attackers face—can they breach the perimeter? Internal testing starts inside the network and reveals how far an attacker can move laterally once they’re in. An internal test can follow an external one or run on its own. Findings frequently point toward controls like a Zero Trust framework.

For cloud systems specifically, factors like unmanaged attack surface, human error, and misconfiguration drive most exposure, as CrowdStrike notes. Web application testing typically follows the OWASP Web Security Testing Guide, targeting issues like injection attacks, security misconfiguration, and outdated components.

Types by level of access: black, grey, and white box

The other lens is how much information the tester starts with. This is where the terms “black box,” “grey box,” and “white box” come in—terms you’ll see in nearly every scope conversation.

Approach

Tester’s starting knowledge

Simulates

Best for

Black box

None—no access, no documentation

An external attacker starting from scratch

Realistic, adversary’s-eye view of your perimeter

Grey box

Partial—e.g., a standard user login or basic architecture

An attacker who’s gained a foothold, or a malicious insider

Balancing realism with efficient coverage

White box

Full—architecture, credentials, sometimes source code

A worst-case insider, or a thorough audit

Deep, exhaustive review of a critical system

There’s no universally best option for all scenarios. Black box is the most realistic but can miss issues buried deep in a system. White box is the most thorough but less representative of a typical external attack. Grey box splits the difference, which is why it’s a common default for mid-market environments.

Pen testing services company | Benefits | Corsica Technologies

The penetration testing process: 6 steps

Different providers use different methodologies—often mapping to recognized standards like NIST SP 800-115 or the Penetration Testing Execution Standard (PTES). Your provider should be able to explain theirs. That said, nearly every pentest moves through the same six phases.

  1. Planning and scoping. You and the provider define objectives, targets, rules of engagement, and what success looks like. This is where you decide black/grey/white box, in-scope systems, and testing windows. Skimp here and the whole test suffers.
  2. Reconnaissance (intelligence gathering). Just like a real attacker, the tester gathers publicly available information and maps your attack surface—everything internet-facing that could be a way in.
  3. Scanning and enumeration. The tester sweeps for live hosts, open ports, and running services, then catalogs them. Every service is a potential door, so thoroughness is everything.
  4. Exploitation. Now the actual hacking begins. Testers attempt to exploit the weaknesses they’ve found—and chain them together—to breach systems, escalate privileges, and prove real impact. Everything is logged.
  5. Post-exploitation and lateral movement. Once inside, how far can they go? This phase measures what an attacker could actually reach: sensitive data, additional systems, domain-level control.
  6. Reporting and remediation. The test is only as valuable as what you do next. A good provider delivers a plain-language executive summary and a technical report with a prioritized remediation plan—then, ideally, retests once fixes are in place.

What’s included in a penetration testing report?

A penetration testing report is the most crucial deliverable that comes out of the process. It should include:

  • An executive summary in plain language, so non-technical stakeholders understand the risk and the business impact.
  • A technical findings section, detailing each vulnerability, how it was exploited, and the evidence.
  • Risk ratings that prioritize findings by severity and exploitability, so you know what to fix first.
  • A remediation plan—specific, actionable steps to close each gap.
  • A retest to confirm the fixes actually worked.

Curious what that looks like in practice? Check out our sample penetration testing report.

How to prepare for a penetration test

Setting up a pentest isn’t as simple as picking a date. A little preparation is what separates a high-value engagement from a wasted one.

  1. Define your objective, scope, and measure of success. Are you worried about external exposure? Internal lateral movement? A specific cloud system? Get specific—your goals determine the type of test you need.
  2. Bring in your IT team early. Whether it’s internal staff, an MSP, or both, your admins need to know a test is coming. They’re also ideal partners for vetting providers.
  3. Choose a qualified provider. Vet the experience of the actual ethical hackers, confirm they know your systems, and make sure they deliver clear remediation guidance—not just a raw findings dump.
  4. Schedule the test. In most cases, business-hours testing is perfectly sufficient (and cheaper). Off-hours testing is rarely necessary. Discuss it with your provider if you have concerns about server load.
  5. Prepare your environment. Back up essential data. Consider testing against a mirror of production. For internal tests, set up any accounts or credentials the testers will need.
  6. Whitelist the testers’ IP addresses. This step is easy to overlook, and it keeps testing day running smoothly.
  7. Establish communication protocols. Designate a point of contact on your side, and agree on how and when the teams will check in.
  8. Decide whether to tell your broader team. Keeping the test quiet lets you measure your team’s response, but it requires careful planning and a clear point at which to inform staff.

How often should you run penetration testing?

The traditional answer is at least annually and after any significant change to your environment, such as a new application, a major infrastructure shift, or a merger. Many compliance frameworks set a similar cadence.

But point-in-time testing has a limitation. It’s only a snapshot. The day after your test, a new vulnerability or misconfiguration could appear. That’s why two approaches have gained traction:

  • Continuous penetration testing runs testing on an ongoing basis rather than once a year, catching new exposures as environments change.
  • Automated penetration testing and penetration-testing-as-a-service (PTaaS) platforms blend automation with human expertise to test more frequently and cost-effectively.

Automation is a powerful complement, but it doesn’t replace skilled human testers. The creativity to chain unrelated weaknesses into a real attack is still, for now, a human strength. The best programs combine frequent automated coverage with periodic human testing led by experts.

Frequently asked questions

Is penetration testing the same as ethical hacking?

Penetration testing and ethical hacking are closely related. Ethical hacking is the broad practice of legally probing systems for weaknesses, while a penetration test is a specific, scoped engagement that applies those skills to a defined target with clear rules and a formal report.

How is a penetration test different from a vulnerability scan?

A vulnerability scan is an automated tool that lists potential weaknesses. A penetration test uses human experts to exploit those weaknesses, proving which ones an attacker could actually use and how far they would get.

How long does a penetration test take?

The length of a penetration test depends on the scope of the engagement. A focused external network test might take several days. A large, multi-target engagement can run for several weeks. Scoping in the planning phase will determine the timeline.

Do you need to test during off-hours?

It’s rarely necessary to run a penetration test in off-hours. Testing during business hours is usually sufficient, not to mention less expensive. Modern vulnerability scanning doesn’t typically overload a healthy server, and if it does, that’s a finding worth knowing. Ethical hackers won’t launch DDoS (distributed denial-of-service) attacks or hold your data for ransom; their goal is to get in, not take you down.

Can our internal team run a penetration test?

Theoretically, yes. If your team has the expertise, they can run a penetration test themselves. But if they built and maintain the environment, they have an inherent conflict of interest in grading it. An independent tester delivers a more objective, credible result.

How much does a penetration test cost?

Cost varies with the type of test, the size of the environment, and depth of scope. Here’s a consolidated breakdown. Ranges reflect boutique/mid-tier providers. Note that freelancers typically run lower and Big-4 firms typically higher.

Penetration test type

Typical 2026 range (US)

Main cost drivers

External network

$5,000–$20,000

Number of internet-facing IPs/hosts; roughly $5K–$10K for up to ~25 IPs, scaling past $15K–$30K for 50+ IPs

Internal network

$7,000–$35,000

Lateral-movement/AD complexity, segmentation, number of hosts

Web application

$5,000–$50,000

App complexity — a brochure site vs. a multi-tenant SaaS with roles, APIs, SSO, and payment flows; a typical mid-tier web app test runs $8,000–$25,000

API

$4,000–$20,000

Endpoint count, auth model, business-logic depth, data sensitivity

Cloud (AWS/Azure/GCP)

$10,000–$40,000

IAM policies, service accounts, storage exposure, cross-account trust, architectural complexity

Mobile application

$5,000–$30,000

Priced roughly per platform (iOS/Android); reverse engineering and backend API review add cost

Social engineering / phishing

$3,000–$12,000

Realistic lure development and behavioral analysis

Physical

$5,000–$30,000

Usually requires on-site presence and travel; lower-confidence range with less published data

Wireless

~$4,000–$15,000 (estimate)

Sparsely published; scales with number of SSIDs/sites. Treat as directional

IoT / embedded

$15,000–$50,000+

Hardware teardown, firmware analysis, embedded evaluation

Red team engagement

$30,000–$150,000+

Multi-vector, objective-based simulation over weeks; senior/specialized talent

 

How often should we get a penetration test?

At minimum, annually and after any major change to your systems. Regulated organizations may need more frequent testing. Many companies now supplement their required annual tests with continuous or automated testing between engagements.

The takeaway: Don’t wait to test your defenses

If it’s been a while since your last penetration test—or you’ve never run one—it’s time to find out how strong your defenses really are. A pentest can genuinely save your organization from a breach by surfacing weaknesses before criminals exploit them. Contact us today, and let’s take your next step with penetration testing that’s designed for your environment.

Related posts

Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.

Ready to take your next step?

Contact us today to get the outside perspective you need for the next step on your journey.

Contact Us Now →

Moving forward with AI- Corsica Technologies

Table of Contents

💡 EXCLUSIVE Resource: 

Sample Pentest Report

Ready to talk to an expert?

We’ll respond within 1 business day, or you can grab time on our calendar.