Firewall, SIEM, EDR – and still compromised. Why?
A mid-sized company invests six figures in IT security. Next-generation firewall, a SIEM processing logs around the clock, endpoint detection on every device. On paper: perfectly positioned. Six months later: ransomware in the network, three weeks of downtime, customer data gone.
What failed? Not the technology. The technology did exactly what it was configured to do. What nobody had ever tested: whether that configuration would actually hold up when someone actively and creatively works against it. A vulnerability scanner would not have found the misconfigured VPN rule, because it technically had no CVE. An automated tool would not have recognised the combination of a weak Active Directory and a forgotten contractor account as an attack path.
That is exactly the gap a penetration test closes.
Implementing security measures and verifying whether they hold up under real attack conditions are two fundamentally different activities. A penetration test is the only method that answers the second question empirically.
What a penetration test really is – and what it is not
A penetration test is an authorised, controlled attack attempt against a system, network, application or physical infrastructure with the goal of identifying vulnerabilities and attack paths before a real attacker finds them.
That sounds straightforward. The precision lies in the details:
- Authorised: A written engagement agreement is not a formality – it is the legal foundation. Without it, the same actions constitute a criminal offence under § 202a StGB (unauthorised access to data) in Germany.
- Controlled: Scope, time windows and escalation paths are defined in advance. A pentest does not cause uncontrolled damage – that is a fundamental difference from a real attack.
- The goal is the attack path, not the list: The value of a pentest lies not in the number of vulnerabilities found, but in the answer to the question: how far can an attacker get by combining these vulnerabilities?
A penetration test is not an audit and not a compliance check. It is an empirical proof of what a real attacker can do with your current security architecture – under controlled conditions, with a documented outcome.
The most important difference – and why it matters for your budget
No two terms in IT security are more frequently confused than penetration test and vulnerability scan. The difference is fundamental – and directly affects what you actually get for your security budget.
When to use which – an honest decision guide
Both methods are useful – but for different purposes. A vulnerability scanner is not a poor man's pentest, and a pentest is not a better vulnerability scanner. They answer different questions.
- Vulnerability Scan: Weekly or monthly as continuous monitoring. Quickly shows whether new known vulnerabilities have appeared in the infrastructure. Good for patch management and compliance reporting.
- Penetration test: Periodically, on specific occasions or as a regulatory requirement. Answers the deeper question: can someone actually break in – and how far do they get?
An organisation that only runs vulnerability scans knows which vulnerabilities exist – but not whether they are exploitable, how they could be combined, or how far an attacker gets with them. That is the difference between a list of hazards and an attack scenario.
The full spectrum: not just networks
When people talk about a penetration test, most think of networks and servers. The spectrum is considerably broader – and depending on the threat model, entirely different test types may be relevant. All of our services can also be combined with one another as needed.
By target
- Network / Infrastructure Pentest: Network architecture, firewalls, routers, servers. The classic starting point.
- Web Application Pentest: Web applications against OWASP Top 10 and beyond – SQL injection, XSS, CSRF, business logic flaws.
- Active Directory / Entra ID Pentest: AD is the backbone of identity management in most organisations – and the most common target after initial access.
- Cloud Pentest: AWS, Azure, GCP – misconfigurations, IAM weaknesses, publicly exposed resources.
- Mobile Application Pentest: iOS and Android apps for insecure data storage, weak authentication and insecure API communication.
- Physical Pentest: Physical access controls, building security, hardware vulnerabilities. More in the perimeter security post.
- Social Engineering Pentest: Phishing, vishing, pretexting – the human as attack vector. What this looks like in practice is shown in our post on the MGM hack.
- AI Pentest: AI systems tested for prompt injection, data leaks and manipulation – the emerging attack surface.
By information level: Black Box, Grey Box, White Box
Red Team Exercise vs. Penetration Test: where the line is
The second most common confusion after pentest and vulnerability scan. Both are legitimate security exercises – but with fundamental differences in scope, objective and insight.
The key difference: a penetration test answers "What vulnerabilities do we have?" A red team exercise answers "Would we notice a real attack – and could we stop it?" For NIS2 and KRITIS compliance, penetration tests are the direct evidence. For a mature security organisation wanting to test its detection capability, a red team exercise is the logical next step. Get in touch if you are planning a tailored red team simulation.
What happens during a penetration test – phase by phase
Many decision-makers hesitate to commission a pentest because they do not know what they are buying. Transparency about the process builds trust – and sets realistic expectations.
Where AI stands in pentesting – an honest assessment
Few topics are discussed more in the security industry right now, and few are assessed more poorly. The honest answer is nuanced: AI is changing penetration tests – it is not revolutionising them. For how we test AI systems themselves for vulnerabilities, see our AI Pentest module.
What AI can do today
What AI cannot do – and why that matters
AI makes pentesters more productive. It does not replace them. A fully AI-automated "pentest" is not a penetration test – it is a vulnerability scanner with a better UI. The value lies in human judgement, creativity in the attack chain and contextual understanding. That is not automatable in 2026.
What AI is changing on the attacker side – and why that matters for you
The other side of the AI equation is often forgotten: attackers are already using AI. Phishing emails have become linguistically flawless through LLMs – spelling mistakes as a detection signal are a thing of the past. Reconnaissance runs faster, code generation for exploits has a lower barrier to entry, and deepfake voices for vishing attacks are possible for under €200.
This means: the threat landscape is evolving faster than traditional security measures. A penetration test that does not account for how AI-assisted attackers operate today is no longer fully representative.
What to consider legally – short and clear
Many decision-makers have legal concerns about commissioning a pentest. Those are understandable – but fully resolvable with the right framework.
- § 202a StGB – Unauthorised access to data: A penetration test without a written agreement is legally indistinguishable from an attack. The engagement letter is not bureaucracy – it is legal protection for both parties.
- Scope definition as protection: What is explicitly in scope is authorised. What is not is not. A clear scope means clear legal standing – even if a tester inadvertently touches third-party systems.
- Third-party and cloud systems: AWS, Azure and other cloud providers have their own penetration testing policies. Systems you do not own require separate authorisation.
- NIS2 and KRITIS as legal trigger: For companies under NIS2 or the KRITIS umbrella law, a documented pentest is no longer optional. What that means in practice is covered in the compliance post.
Concrete triggers – for decision-makers still on the fence
Costs put honestly – no price list, but real reference points
The most-searched topic that almost no provider answers honestly. No serious pentest has a fixed price, because the effort depends on too many variables. But reference points are possible – and fair. After a free initial call, you will receive a transparent fixed-price proposal from us.
| Factor | Higher effort when... | Lower effort when... |
|---|---|---|
| Scope | Entire infrastructure, multiple sites, cloud + on-premise | Clearly bounded single application |
| Information level | Black Box – tester has to discover everything independently | White Box – architecture and code are known |
| Test depth | Post-exploitation, lateral movement, privilege escalation | Surface-level scanning without manual exploitation |
| Test type | Physical + Social Engineering + Network combined | Single test type, clearly defined |
| Report depth | Executive summary + technical report + presentation + retest | Technical report without retest |
| Time pressure | Short-notice engagement, evening or weekend work required | Plannable engagement with sufficient lead time |
A pentest that only runs automated tools and compiles the output into a report is not a penetration test – it is an expensive vulnerability scan. Price alone says little about quality. The relevant question is: how much manual effort from experienced testers is actually included in the proposal?
Conclusion: a penetration test is not a cost factor – it is an investment with measurable return
Implementing security measures is the first step. Knowing whether they hold up is the second – and in practice, that step is skipped surprisingly often. A penetration test closes this gap: it delivers an empirical assessment of the actual security posture, prioritises investments and, for NIS2- and KRITIS-obligated organisations, is the most direct route to regulatory evidence.
The question is not whether you need a penetration test. The question is whether you want to know what an attacker can do with your current infrastructure – before they find out themselves.