Penetration testing · the case for it

Why you need a penetration test.

Untested security is a belief, not a fact. Which parts hold and which don’t, you only find out when an auditor, a customer, or a real breach decides for you. Here’s the case for finding out first.

The short answer

A clean scan is not a clean bill of health.

Your tools coming back green tells you the issues they recognise are patched, not that an attacker can’t get in. Modern estates are complex, change constantly, and hold data worth stealing. The only way to know what someone could actually reach is to have someone try. That’s what a penetration test is for.

Five reasons it’s worth it

What a pen test buys you.

01

Find it before they do

The whole point: surface the weaknesses a real attacker would use, and fix them while they’re a line item, not a breach. You stay ahead of the people trying to get in.

02

Protect your reputation

A single breach can undo years of trust. Regular testing, and being able to say you do it, reassures customers, partners and the market that their data is in safe hands.

03

Meet the requirement

GDPR, HIPAA, PCI-DSS, SOC 2, ISO 27001 and more expect you to test your security; some demand it outright. A real test clears the requirement and proves the point.

04

Save what a breach costs

A test is a fraction of an incident. The average data breach cost USD 4.45M in 2023, before the lost business and the legal bills. Testing is cheap by comparison.

05

Sharpen your team

A pen test exposes gaps in systems, processes and people. Phishing and social-engineering results feed straight into awareness training, where it actually changes behaviour.

When to test

Not once, and not never.

A pen test is a snapshot — valuable, but stale the moment your environment moves. The teams that get the most from it test at the moments that matter, and on a regular rhythm.

  • Before you ship

    A new product, a migration, a big release. Test it before it’s live and carrying real data.

  • When something changes

    New infrastructure, a cloud move, a merger. Change is where new exposure creeps in.

  • When you’re asked

    An auditor, a customer or a regulator wants a current, independent test, not last year’s report.

  • On a regular cadence

    Quarterly or annually, so coverage keeps pace with an estate that never stops moving.

  • After an incident

    A breach or a near-miss is the moment to find out what else they could reach.

$4.45M

The breach is the expensive way to find out.

The average cost of a data breach in 2023, and that’s before the lost customers, the regulatory fines, and the months of clean-up. A penetration test costs a tiny fraction of it. Testing isn’t the expense; the breach you didn’t test for is.

Figure: IBM Cost of a Data Breach Report, 2023.

Where it’s required

The standards that expect a pen test.

For many organisations, testing is mandatory, written into the frameworks they’re held to. Some expect it; some demand it by name.

  • PCI-DSS Mandatory for anyone handling card payments: penetration testing at least annually and after significant change.
  • SOC 2 Auditors expect evidence of regular testing as part of demonstrating strong security controls.
  • ISO 27001 Expects technical vulnerability assessment and testing within a managed security programme.
  • HIPAA Healthcare data demands regular risk assessment; a pen test is the practical way to evidence it.
  • GDPR Requires “appropriate technical measures”, and regular testing of how well they actually work.
  • DORA For EU financial firms, advanced threat-led testing is now a legal requirement. Threat-led testing & DORA →
Scope a test