Penetration testing is a simulated cyberattack against your own systems, conducted by security professionals who use the same tools and techniques as real attackers to find exploitable weaknesses before criminals do. The same discipline scales across targets: network infrastructure, a customer-facing website, or a mobile application penetration testing engagement all follow the same core methodology, just against a different attack surface. A typical engagement runs one to three weeks, costs anywhere from $5,000 for a small web app to $150,000+ for a multi-network enterprise assessment, and ends with a report ranking findings by exploitability and business impact. Penetration testing is not the same as a vulnerability scan: a scanner flags a CVE exists, a pen tester proves whether it can actually be chained into a working exploit. Regulations like PCI DSS 4.0 (Requirement 11.4) and frameworks referenced in SOC 2 audits explicitly call for periodic penetration testing, which is why it remains a fixture in security programs even as automated tooling has matured. Below, we break down what a pen test actually involves, how it differs from adjacent practices, and where it fits alongside modern software supply chain security tooling.
What is penetration testing?
Penetration testing is an authorized, time-boxed simulated attack on an application, network, or organization, performed to identify security weaknesses that could be exploited by a real adversary. Unlike passive assessments, a pen test actively exploits vulnerabilities to demonstrate real-world impact — for example, chaining an exposed .git directory with a hardcoded database credential to achieve full data exfiltration, rather than just reporting "credentials found in source code." The practice dates back to the 1960s, when the RAND Corporation and U.S. Air Force ran "tiger team" exercises against early computer systems, but it formalized into a commercial discipline in the 1990s alongside standards like the Open Source Security Testing Methodology Manual (OSSTMM, first published 2000) and the Penetration Testing Execution Standard (PTES, 2014). Today, engagements are typically scoped against frameworks such as NIST SP 800-115 or the OWASP Testing Guide, and testers hold certifications like OSCP, CEH, or CREST to demonstrate methodology competence to clients and auditors.
How is penetration testing different from a vulnerability scan?
Penetration testing differs from vulnerability scanning in that a scan identifies potential issues automatically while a pen test manually validates and exploits them to prove real impact. That distinction is exactly what the dast vs penetration testing question comes down to: dynamic application security testing (DAST) tools run continuously and flag suspicious behavior at runtime, but they don't have a human deciding whether a finding is actually exploitable in your specific environment the way a pen tester does. A vulnerability scanner like Nessus or Qualys might flag 200 findings in a network sweep, many of them false positives or theoretical risks with no practical attack path. A human pen tester takes that same output and tries to weaponize it — for instance, taking a scanner's "outdated OpenSSH version" finding and confirming whether the specific patch level is actually vulnerable to CVE-2024-6387 (regreSSHion) in that environment's configuration. This is also why the two are priced and scheduled differently: automated scans can run continuously and cost a few hundred dollars a month, while a manual pen test is a discrete, expert-led engagement billed by the day, usually at $1,500–$3,000 per tester per day.
What are the main types of penetration testing?
The main types of penetration testing are network, web application, mobile application, cloud, API, social engineering, and physical testing, each targeting a different attack surface. Website penetration testing and web app penetration testing are often used interchangeably to describe the same engagement — testing the browser-facing application layer — while mobile application penetration testing covers the iOS or Android client plus the APIs it talks to, which is why the two are usually scoped and priced as separate line items even when they share a backend. Network pen tests probe internal and external infrastructure for misconfigurations and lateral movement paths — the kind of gap that let attackers pivot inside Target's network in the 2013 breach that exposed 40 million payment cards. Web and API testing follow the OWASP Top 10 (last updated 2021, with a new revision expected in 2025) and OWASP API Security Top 10 (2023), covering issues like broken object-level authorization, which was the exact flaw behind the 2021 Peloton API breach that exposed private user data to unauthenticated requests. Cloud penetration tests examine IAM policies, storage bucket permissions, and metadata service exposure — the same class of misconfigured Web Application Firewall and SSRF vulnerability that led to the 2019 Capital One breach affecting over 100 million customers. Testers are also classified by access level: black-box (no prior knowledge), gray-box (partial knowledge, such as user credentials), and white-box (full source code and architecture access).
What are the phases of a penetration test?
A penetration test runs through five phases: reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Reconnaissance involves passive and active information gathering — OSINT on employee names for phishing pretexts, DNS enumeration, or reviewing public GitHub repos for leaked API keys. Scanning and enumeration map the live attack surface using tools like Nmap, Burp Suite, OWASP ZAP, and Nuclei to catalog open ports, running services, and application endpoints — zap penetration testing workflows in particular are common in this phase because the tool is free and scriptable enough to fold into a tester's own tooling chain. Exploitation is where testers attempt to actually breach identified weaknesses, often using frameworks like Metasploit or hand-written exploit code for a specific CVE. Post-exploitation assesses blast radius: can the tester escalate from a single compromised web server to domain admin, or pivot into a production database, mirroring how attackers in the 2017 Equifax breach used an unpatched Apache Struts flaw (CVE-2017-5638) to move from a single vulnerable web application to 147 million customer records. The engagement closes with a written report that assigns CVSS scores, provides proof-of-concept evidence (screenshots, request/response pairs), and gives remediation guidance — the deliverable auditors and engineering teams actually act on.
How much does penetration testing cost and how long does it take?
Penetration testing typically costs between $5,000 and $150,000 and takes one to four weeks, depending on scope, with cost driven primarily by the number of IPs, applications, or user roles in scope. A single web application with a defined set of user roles might run $8,000–$15,000 over one to two weeks. A full external network test for a mid-sized company (roughly 50–500 IPs) often falls in the $15,000–$40,000 range. Enterprise-wide engagements spanning cloud, network, and multiple applications — the kind large banks or healthcare systems commission annually to satisfy PCI DSS or HIPAA-adjacent requirements — can exceed $100,000 and take a month or more once retesting is included. Retesting, where the same tester verifies that reported findings were actually fixed, is frequently underscoped in initial quotes and adds 20-30% to total engagement cost.
How often should organizations run penetration tests?
Organizations should run penetration tests at least annually, and after any significant infrastructure or application change, to satisfy both compliance requirements and practical risk management. PCI DSS 4.0, effective in full since March 2025, requires penetration testing at least once every 12 months under Requirement 11.4, plus after any significant change to the cardholder data environment. SOC 2 doesn't mandate a specific test cadence in the criteria itself, but auditors under the Common Criteria (CC7.1) routinely expect an annual pen test as evidence of ongoing vulnerability management, and its absence is one of the most common audit gaps flagged in Type II reports. Gartner penetration testing services research treats the category as its own evaluated line item, distinct from vulnerability scanning or automated red-teaming tools, which reflects how differently buyers budget and procure it. Beyond compliance, annual-only testing leaves long windows of exposure: a new critical dependency vulnerability disclosed in month two of a twelve-month testing cycle can sit unvalidated until the next scheduled engagement, which is a real gap given that the average time from CVE disclosure to active exploitation in the wild has dropped to under 5 days for high-severity flaws in recent NVD and CISA KEV data.
How Safeguard Helps
Penetration testing answers "can this be exploited right now, by a human," but it's a point-in-time snapshot — Safeguard closes the gap between annual pen tests by continuously validating which vulnerabilities in your codebase are actually reachable at runtime, not just theoretically present in a dependency tree. Our reachability analysis traces call paths from vulnerable functions to your application's actual entry points, so the same triage a pen tester does manually against a handful of findings runs automatically across your entire SBOM. Griffin AI, Safeguard's reasoning engine, correlates that reachability data with exploit maturity and business context to prioritize the small fraction of findings that matter, while our SBOM generation and ingest pipeline gives you and your auditors a continuously updated inventory instead of a document that's stale the week after the pen test ends. When a real, reachable issue is confirmed, Safeguard opens an auto-fix PR with the patched dependency version and a scoped diff, so remediation — the step that usually determines whether a retest passes — happens in hours instead of the weeks it typically takes after a traditional pen test report lands.