Penetration Testing Guide | Digital Interruption

So, you need a penetration test?

A penetration testing guide for buyers: scan vs assessment vs pen test, what to use and when. Clear deliverables, fixed scope, free retest. Code and cloud reviews.

Updated November 2025

So, you think you might need a pen test? This penetration testing guide explains what to buy and when. “Pen test” gets used as a catch-all term, but there are a few different options that solve different problems. Here’s how they differ, when to use each, and what you’ll get from us.

What’s the difference between penetration testing and other security services?

  1. A vulnerability scan is automated.
  2. A vulnerability assessment is a human-led review that confirms and explains real risk.
  3. A penetration test is an assessment with proof: we chain issues and show impact.
  4. A code review looks for security issues in the source code before they ship.
  5. A cloud review checks identities, networks, storage and services for real attack paths.

Use this penetration testing guide to choose the right option.

How we work

We follow recognised methods like NIST (National Institute of Standards and Technology) 800-115 and OSSTMM (Open Source Security Testing Methodology Manual). We map findings to frameworks such as the OWASP ASVS (Open Worldwide Application Security Project Application Security Verification Standard) for apps. We handle your data safely, use credentials with care, keep copied data to a minimum, and delete it after the job’s complete. Our reports are risk-rated with clear fixes. We also include a free retest.

1. Vulnerability scan

What it is
A vulnerability scan is an automated check against your assets using reputable tooling. It’s fast and low effort to run.

When to use it
When you need hygiene and coverage, regular checks on a wide estate, or a quick sense check before deeper testing.

What you get from us
You’ll get a deduplicated scan report with fewer false positives, high-risk items called out in plain English, and simple next steps. We can schedule these monthly or quarterly to match your change windows.

Limitations
Scans don’t understand business context. They miss logic flaws, chained issues, and subtle access problems.

2. Vulnerability assessment

What it is
A vulnerability assessment is a human-led review of your targets. We validate and extend automated results, and we look for common weaknesses that tools miss.

When to use it
When you want depth quickly, for example ahead of a release or after a big change, and you need practical fixes without full exploit proof.

What you get from us
You’ll get a concise report that explains risk, impact, and how to fix, with clear screenshots where useful, a short readout to prioritise actions, and a retest where in scope.

Limitations
We don’t run full exploit chains here. If you need exploit proof and attack path detail, pick a penetration test.

3. Penetration test

What it is
A focused exercise to find and exploit weaknesses in scope, safely and under control. We chain multiple issues to show real-world impact, for example going from a minor misconfiguration to sensitive data access.

When to use it
You need assurance for a release, procurement, or compliance, and you want evidence beyond ‘it might be risky’. If you’re new to penetration testing, start with a small scope.

What you get from us
A risk-rated report with reproduction steps, impact, and fixes, plus attack path diagrams where relevant. A penetration testing report should show impact and fixes. A free retest of critical and high issues where scope allows.

Limitations
A pen test is a snapshot. It shows how things looked during the window, not forever.

4. Code review

What it is
A code review is a security review of your source code. We look for injection risks, unsafe session handling, authentication issues, insecure crypto usage, access control mistakes, and patterns that scanners miss.

When to use it
Before a release, when integrating new components, or when the same bugs keep reappearing and you want them fixed at the source.

What you get from us
Clear findings written for developers, minimal noise, examples of safer patterns, and targeted tests you can add to your pipeline. We can work alongside your engineering team if needed.

Limitations
Coverage depends on what’s in scope. If a module or repo isn’t included, issues there won’t be assessed.

5. Cloud review

What it is
We review your cloud setup the way an attacker would. We look at identity, access, network paths, storage exposure, and workload configuration to find where someone could get in or move further.

When to use it
After changes, before going live, or when multiple teams have touched cloud identity and network controls over time.

What you get from us
Clear risks tied to real attack paths. We cover identity posture, permissions creep, MFA and conditional access, legacy protocols, key and secret handling, perimeter exposure, and workload hardening. You get a prioritised fix plan and, where scope allows, a retest.

Limitations
This is configuration and architecture focused. If you also need exploit proof in running workloads, add a penetration test.

Choosing the right option

  • If you need quick coverage across lots of assets, start with scans and add a sample assessment to validate the results.
  • If you’re shipping a change or onboarding a new system, an assessment gives the fastest depth for the effort.
  • If a customer or regulator expects proof, or risk feels unclear, do a pen test.
  • If issues keep reappearing in code, add a code review.
  • If you use public cloud at scale, add a cloud review to close real attack paths.

Timing and pricing

Effort depends on scope, size, and complexity. Treat any numbers as indicative only. We’ll agree scope, set a start date that fits your change windows, and give you a fixed price before work begins.

What we need from you

Clear scope and targets, test data where possible, a named contact for questions, and a safe time window. If credentials are in scope, we’ll agree what accounts to use and how we’ll protect them.

Next steps

  • If you know what you need, talk to us about penetration testing, code review, or cloud review.
  • If you’re not sure, we’ll help you choose the right mix, and we’ll set a cadence that fits how you ship.
  • If you want regular hygiene, ask about managed scans with a short monthly review.

Related services

Penetration Testing | Vulnerability Scanning | Code Review | Cloud Review

FAQ

How long does a penetration test take?
Most small scopes take a few days of testing plus time for reporting. We’ll confirm the timeline in your scope.

Do you retest for free?
Yes, where scope allows. We retest critical and high-priority issues to confirm fixes.

Scan vs assessment, what’s the difference?
A scan is automated and wide. An assessment is human-led and deeper. We often use both: scans regularly, and assessments or pen tests when you need proof.