Penetration Test (Pentest)
A penetration test is an authorized security test in which experts simulate real-world cyberattacks to identify vulnerabilities in IT systems, networks, or applications.
A penetration test—also known as a pentest or ethical hacking—is a systematic, authorized attack on an IT system or organization with the aim of identifying security vulnerabilities that could be exploited by malicious attackers. It differs fundamentally from an automated vulnerability scan in its use of human creativity, contextual analysis, and multi-stage attack chains.
Definition and Legal Framework
A penetration test is permitted exclusively with the written authorization of the system owner. Without authorization, such tests are considered computer sabotage and data espionage under Sections 202a and 303b of the German Criminal Code (StGB). The written mandate also specifies the scope of the test, the methods to be used, and the timeframe.
Legally compliant penetration tests follow a so-called Rules of Engagement—a document that specifies the following:
- Which systems and IP ranges may be tested
- Which attack methods are prohibited (e.g., denial-of-service)
- Who must be notified in the event of a security-related incident during the test
- How to handle any access credentials or sensitive data discovered
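The scope, prohibited-method and timeframe items of a Rules of Engagement document can be enforced mechanically before every test action. The following scope guard is an added example, not code from the article or from AWARE7; the RoE values are constructed (RFC 5737 documentation ranges, invented dates) and would in practice be taken from the signed mandate.

```python
import ipaddress
from datetime import datetime

# Constructed Rules of Engagement for a fictional engagement; ranges are RFC 5737 documentation
# addresses and the dates are invented. A real RoE comes from the signed mandate, not from code.
ROE = {
    "allowed_networks": ["203.0.113.0/24", "198.51.100.8/29"],
    "excluded_hosts": ["203.0.113.17"],            # e.g. a production host the client carved out
    "window": ("2025-03-03T08:00:00+00:00", "2025-03-07T18:00:00+00:00"),
    "prohibited_methods": {"denial-of-service"},   # as the article's RoE list requires
}

def check_target(roe: dict, target: str, method: str, when: str) -> tuple:
    """Return (allowed, reason); call before every test action so nothing runs out of scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address: resolve the name and check the address"
    if method in roe["prohibited_methods"]:
        return False, f"method {method!r} is prohibited by the Rules of Engagement"
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    if not start <= datetime.fromisoformat(when) <= end:
        return False, "outside the agreed test window"
    if ip in {ipaddress.ip_address(h) for h in roe["excluded_hosts"]}:
        return False, f"{target} is explicitly excluded from scope"
    if not any(ip in ipaddress.ip_network(n) for n in roe["allowed_networks"]):
        return False, f"{target} is not inside any authorized range"
    return True, "in scope"
```

Hostnames are rejected on purpose: the RoE authorizes addresses, so a name must be resolved and the resulting address checked, which also catches a DNS record that points outside the client's ranges.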
Methods and Approaches
Black-Box Testing
The tester receives no prior information about the target system—they act like an external attacker. This method tests the actual attack surface but is more time-consuming and may not fully cover internal vulnerabilities.
Grey-Box Testing
Partial knowledge: The tester knows, for example, the network architecture but does not have privileged credentials. This approach simulates a compromised employee account or an attacker with insider information.
White-Box Testing
Full transparency: The tester is granted access to source code, network diagrams, credentials, and configuration files. Ideal for in-depth code reviews and verifying implementation security.
Process According to PTES
The Penetration Testing Execution Standard (PTES) defines seven phases:
1. Pre-Engagement Interactions
Clarification of the assignment, scope definition, contract conclusion, and establishment of the Rules of Engagement. Critical: a complete IP list of all test objects and emergency contacts on the client side.
2. Intelligence Gathering (Reconnaissance)
OSINT phase: The tester gathers publicly available information—DNS entries, WHOIS data, LinkedIn profiles, job postings (which often reveal technologies), certificates, GitHub repositories, and historical web snapshots. Professional attackers spend up to 70% of their time on this.
3. Threat Modeling
Based on the information gathered, the tester develops a threat model: Which attack vectors are realistic? Which assets are the most likely targets? Which combination of vulnerabilities causes the greatest damage?
4. Vulnerability Analysis
A combination of automated scanners (Nessus, OpenVAS) and manual analysis. Each potential vulnerability is categorized but not yet exploited.
5. Exploitation
The core phase: controlled exploitation of confirmed vulnerabilities. The goal is to demonstrate exploitability, not to cause maximum damage. Typical actions: gaining shell access, privilege escalation, lateral movement within the network.
6. Post-Exploitation
Demonstration of actual damage potential: Can the attacker exfiltrate sensitive data? Establish persistence? Delete backups? This step is crucial for risk assessment.
7. Reporting
The heart of every professional penetration test. The report includes:
- Management Summary: Overall risk assessment, critical findings in plain language
- Technical Details: Reproduction steps, evidence (screenshots, PoC code), severity according to CVSS
- Recommendations for Action: Concrete, prioritized measures with effort estimates
- Retesting Plan: Which findings need to be retested after remediation?
CVSS Assessment of Findings
Each finding is assessed according to the Common Vulnerability Scoring System (CVSS). The scale ranges from 0 to 10:
| Score | Severity | Action Required |
|---|---|---|
| 9.0-10.0 | Critical | Immediate patch deployment |
| 7.0-8.9 | High | Resolution within 72 hours |
| 4.0-6.9 | Medium | Resolution within 30 days |
| 0.1-3.9 | Low | Resolution in the next release |
Penetration Testing vs. Vulnerability Scanning
| Feature | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Execution | Automated | Manual + automated |
| Exploitation | No | Yes (controlled) |
| Context Analysis | No | Yes |
| Attack Chains | No | Yes |
| Duration | 1–4 hours | 3–20 days |
| Cost | €500–€2,000 | €5,000–€50,000+ |
| Evidence Value | Low | High |
Types of Penetration Tests
- Web Application Penetration Test: Focus on OWASP Top 10, business logic flaws, API vulnerabilities
- Network Penetration Test: Infrastructure analysis, Active Directory attacks, segmentation testing
- Social Engineering / Phishing: Human vulnerability as an attack vector
- Physical Penetration Test: Physical security measures, tailgating, badge cloning
- Red Team Exercise: Comprehensive simulation of an APT group, including C2 infrastructure and OPSEC
- Cloud Penetration Test: AWS/Azure/GCP-specific misconfigurations, IAM misuse
- Mobile App Test: Android/iOS applications, backend API, data storage
Frequency and Triggers
The BSI recommends penetration tests at least once a year, as well as following significant changes to the IT infrastructure. Additionally, the following situations require a test:
- Launch of new applications or APIs
- Migration to cloud infrastructure
- Mergers and acquisitions (M&A due diligence)
- Prior to ISO 27001 certification
- Following a security incident (post-incident test)
- Requirements from customers, partners, or regulations (NIS2, PCI DSS, DORA)
Costs and Effort
Costs depend on scope and complexity:
- Web application (small): starting at €5,000
- Web application (medium, with API): €8,000–€15,000
- Network infrastructure (SME): €10,000–€25,000
- Red Team Exercise (Enterprise): starting at €30,000
- Full-year support (AWARE7 Scan Retainer): Starting at €2,990/month
Penetration Tester Certifications
Reputable penetration testers hold the following certifications:
- OSCP (Offensive Security Certified Professional): 24-hour hands-on exam
- OSCE3 (Offensive Security Experienced Expert): Advanced exploit development
- CEH (Certified Ethical Hacker): Theory-based
- GPEN (GIAC Penetration Tester): SANS certification
About the Author
M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specializing in web applications, network infrastructure, reverse engineering, and hardware security. Responsible for several responsible disclosures.