Organizations investing in penetration testing deserve a clear understanding of what quality security testing entails. The cybersecurity market offers a wide spectrum of testing services, from automated vulnerability scanning to comprehensive manual penetration testing, each serving different purposes and delivering different value. Understanding these distinctions helps organizations select security testing that matches their compliance requirements, risk tolerance, and budget constraints.
This guide explains what professional penetration testing should include: required tester qualifications, testing methodology, expected deliverables, realistic pricing and effort estimates, differences from automated scanning, compliance considerations, and evaluation criteria that help organizations procure security testing that genuinely validates defenses through manual exploitation rather than automated vulnerability identification alone.
Understanding the Testing Spectrum
Two Distinct Services with Different Purposes
The security testing market includes two primary services often confused but serving different objectives:
Vulnerability Scanning: Automated identification of known security weaknesses using tools like Nessus, Qualys, or OpenVAS. Scanners compare system configurations against databases of published vulnerabilities, identifying potential issues quickly and cost-effectively. Well suited to continuous monitoring and compliance scanning requirements.
Penetration Testing: Manual security assessment in which certified professionals attempt to exploit vulnerabilities, bypass controls, and demonstrate real-world attack scenarios that prove business impact. It combines automated scanning with extensive human expertise that validates exploitability and tests defense effectiveness.
Both services provide value in comprehensive security programs. The key is understanding which service you're purchasing and ensuring it matches your actual needs and compliance requirements.
Key Differences: Scanning vs. Testing
| Aspect | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Primary Goal | Identify potential vulnerabilities | Prove exploitability and business impact |
| Approach | 100% automated tool-based | Automated baseline + manual exploitation |
| Human Effort | 4-8 hours (configuration + reporting) | 60-120+ hours certified tester time |
| Exploitation | None (identifies only) | Active exploitation with validation |
| False Positives | 15-30% typical | <5% (manually eliminated) |
| Attack Chains | Individual vulnerabilities | Multi-step paths identified and exploited |
| Timeframe | Hours to 1 day | 1-3 weeks |
| Typical Cost | $500-$5,000 | $8,000-$40,000+ |
| Best Use | Continuous monitoring, patch validation | Annual validation, compliance, pre-deployment |
| Compliance | PCI DSS 11.2, quarterly scanning | PCI DSS 11.3, annual penetration testing |
What Professional Penetration Testing Includes
1. Certified Security Professionals
Quality penetration testing teams employ certified professionals with proven expertise:
Industry-Recognized Certifications:
- OSCP (Offensive Security Certified Professional): 24-hour hands-on exam requiring actual exploitation, industry gold standard
- GPEN (GIAC Penetration Tester): Comprehensive methodology certification covering all testing phases
- GWAPT (GIAC Web Application Penetration Tester): Specialized web application testing expertise
- OSWE (Offensive Security Web Expert): Advanced web exploitation and code review
Experience Requirements:
- 5-10+ years practical penetration testing experience
- Industry-specific knowledge (financial, healthcare, manufacturing)
- Published security research or CVE discoveries demonstrating expertise
- Portfolio of successful engagements with similar organizations
Professional providers transparently share tester qualifications, certifications, and experience enabling clients to verify expertise before engagement begins.
2. Comprehensive Testing Methodology
Quality penetration testing follows recognized frameworks including PTES (Penetration Testing Execution Standard), OWASP Testing Guide, and NIST SP 800-115:
Phase 1: Planning and Reconnaissance (8-20 hours):
- Detailed scoping defining in-scope and out-of-scope systems
- Rules of Engagement documenting testing boundaries
- OSINT gathering (domains, subdomains, employee information)
- Threat modeling identifying likely attack vectors
- Stakeholder interviews understanding critical assets and concerns
Phase 2: Discovery and Enumeration (8-16 hours):
- Automated vulnerability scanning establishing baseline
- Manual service enumeration (SMB shares, LDAP, DNS, SNMP)
- Web application analysis and endpoint discovery
- Wireless network identification and testing
- User enumeration and credential analysis
Phase 3: Vulnerability Analysis (8-16 hours):
- Manual validation eliminating false positives
- Exploitability assessment for each finding
- Attack path mapping identifying compromise routes
- Target prioritization based on criticality
- Custom exploit research for unique vulnerabilities
Phase 4: Exploitation (24-60 hours):
- Manual exploitation attempts validating that vulnerabilities are actually exploitable
- SQL injection demonstrating database access
- Authentication bypass proving unauthorized access
- Remote code execution establishing system control
- Privilege escalation (user → admin → domain admin)
- Web application logic flaw exploitation
- Session hijacking and token manipulation
Phase 5: Post-Exploitation (12-24 hours):
- Lateral movement across network segments
- Credential harvesting and password analysis
- Sensitive data identification and access documentation
- Persistence mechanism testing
- Active Directory compromise and domain control
- Detection evasion testing against SOC monitoring
Phase 6: Reporting and Debrief (16-40 hours):
- Technical report writing with detailed findings
- Executive summary creation for leadership
- Attack narrative documentation
- Remediation roadmap with specific guidance
- Quality assurance and peer review
- Client debrief presentation
Total Professional Effort: 76-176 hours, which explains realistic pricing of $10,000-$45,000 for comprehensive assessments.
3. Proof-of-Concept Demonstrations
Professional penetration testing validates findings through exploitation evidence:
What Quality POCs Include:
- Screenshots: Command execution, database queries, file access, admin panels
- Command Outputs: Exploitation tools and results demonstrating compromise
- Data Evidence: Samples of accessible sensitive data (redacted appropriately)
- Timeline: Step-by-step exploitation sequence from initial access to data access
- Impact Demonstration: What attackers achieved (domain admin, database dump, credential harvest)
Example POC: SQL Injection to Database Access
1. Discovered SQL injection in the `/search?query=` parameter
2. Validated with time-based blind SQLi: `?query=test' AND SLEEP(5)--`
3. Enumerated database: `UNION SELECT table_name FROM information_schema.tables`
4. Extracted admin credentials: `UNION SELECT username,password FROM users`
5. Result: Accessed 50,000 customer records including PII
Evidence: Screenshots of SQLMap output, database query results, customer table schema
Proof-of-concepts transform theoretical vulnerabilities into demonstrated business risks enabling informed remediation prioritization and stakeholder communication.
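To show why the example POC above matters and what the "specific remediation guidance" in a quality report looks like, here is an added example (not code from the original page or from subrosa) of a search handler in the vulnerable state the POC describes beside its parameterized fix. The schema, table contents and the `search_*` function names are constructed for this demonstration; SQLite stands in for the target database, so the MySQL `SLEEP(5)` probe is not reproduced, only the UNION-based extraction.

```python
import sqlite3

# Constructed in-memory schema: the product table a /search?query= endpoint
# would read, plus the users table the page's POC reached via UNION injection.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products (name, price) VALUES ('test widget', 9.99), ('gadget', 19.99);
INSERT INTO users (username, password) VALUES ('admin', 'constructed-hash-value');
"""


def open_demo_db():
    """Create a throwaway SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, query):
    """The 'before' state: user input is concatenated into the SQL text, so a
    quote in the input closes the string literal and whatever follows
    (here a UNION against another table) is executed as SQL."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{query}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, query):
    """The hardened form: the SQL text is fixed and the input is bound as a
    parameter, so quotes and SQL keywords inside it are data, never syntax."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{query}%",)).fetchall()


def leaks_credentials(rows):
    """True when any result row is a credential pair from the users table,
    i.e. the business impact the page's POC demonstrates."""
    return any(row[0] == "admin" for row in rows)


# Same shape as the page's step 4 payload; the leading quote closes the LIKE
# literal and the trailing comment discards the rest of the original query.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    conn = open_demo_db()
    print("vulnerable:   ", search_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized:", search_parameterized(conn, UNION_PAYLOAD))
```

Running it shows the vulnerable handler returning the admin row alongside products, while the parameterized handler returns nothing because the payload is matched literally as a product name.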
4. Comprehensive Reporting
Executive Summary (For Leadership and Board):
- Overall security posture assessment
- Critical findings count with business impact
- Attack scenario summary readable by non-technical stakeholders
- High-level recommendations prioritized by risk
- Comparison to previous assessments showing security improvement
Technical Findings (For Security and IT Teams):
- Detailed vulnerability descriptions with CVE references
- Exploitation steps documenting attack methodology
- Proof-of-concept evidence (screenshots, commands, outputs)
- CVSS scores adjusted for your environment
- Specific remediation guidance with configuration examples
- Testing notes explaining tester decisions and approach
Attack Narratives:
- Complete exploitation paths from initial access to data compromise
- Timeline showing hours or days an attacker would require
- Lateral movement chains across network segments
- Privilege escalation techniques used
- Sensitive data or systems accessed with evidence
Remediation Roadmap:
- Prioritized action items by severity and business impact
- Quick wins deployable immediately (configuration changes)
- Short-term fixes (1-30 days): patching, authentication improvements
- Long-term improvements (30-90 days): architecture changes, segmentation
- Estimated effort and resource requirements for remediation
What Comprehensive Testing Validates
Attack Surface Coverage
Professional penetration testing comprehensively evaluates:
External Attack Surface:
- Internet-facing web applications and APIs
- Network services (VPN, mail servers, remote access)
- Cloud infrastructure (AWS, Azure, GCP misconfigurations)
- DNS and subdomain security
- Email security and phishing susceptibility
- Third-party integrations and authentication flows
Internal Network:
- Lateral movement paths from compromised endpoint
- Active Directory exploitation (Kerberoasting, AS-REP roasting, Pass-the-Hash)
- Network segmentation effectiveness
- Privilege escalation to domain administrator
- Database security and direct access attempts
- Sensitive data location and access controls
Security Control Effectiveness:
- Firewall rule validation
- EDR detection and response capabilities
- SOC monitoring and alerting effectiveness
- MFA bypass opportunities
- Data loss prevention testing
- Application whitelisting and endpoint controls
Real-World Attack Simulation
Quality testing simulates actual attacker behaviors:
- Initial Access: Phishing simulation, exposed service exploitation, web application compromise
- Persistence: Testing whether attackers could maintain access
- Credential Theft: Password dumps, token extraction, MFA bypass
- Lateral Movement: Spreading through network to reach critical systems
- Data Exfiltration: Accessing and extracting sensitive information
- Impact Assessment: Quantifying potential damage in business terms
Understanding Realistic Pricing
Legitimate Penetration Testing Costs
Small Scope Assessment:
- Scope: 1-10 external IPs, 1-2 web applications
- Effort: 60-80 hours
- Cost: $8,000-$15,000
- Duration: 1-2 weeks
Medium Scope Assessment:
- Scope: 10-50 IPs, 3-5 web apps, internal network testing
- Effort: 100-140 hours
- Cost: $18,000-$32,000
- Duration: 2-3 weeks
Comprehensive Assessment:
- Scope: 50-200 IPs, 5+ web apps, internal network, wireless, social engineering
- Effort: 160-240 hours
- Cost: $35,000-$65,000
- Duration: 3-4 weeks
Cost Components Explained
What You're Paying For:
- Senior Tester Time: $100-$150/hour (40-80 hours per engagement)
- Mid-Level Tester: $75-$125/hour (20-60 hours supporting)
- Technical Writer: $60-$90/hour (16-32 hours report creation)
- QA Review: $100-$150/hour (8-12 hours validation)
- Tools and Infrastructure: Commercial licenses, lab environments
- Overhead: Management, insurance, business operations (15-25%)
Pricing below $8,000 for network penetration testing typically indicates limited manual testing, offshore uncertified testers, or primarily automated scanning.
Compliance Considerations
PCI DSS Requirements
Requirement 11.2 (Vulnerability Scanning):
- Quarterly internal and external scans
- Automated vulnerability scanning satisfies requirement
- ASV (Approved Scanning Vendor) for external quarterly scans
Requirement 11.3 (Penetration Testing):
- Annual internal and external penetration testing
- Testing after significant infrastructure changes
- Segmentation testing validating network isolation
- Requires manual exploitation validation
- Evidence of actual compromise attempts necessary
PCI DSS v4.0 Clarifications (note that v4.0 renumbers these requirements: 11.3 covers vulnerability scanning and 11.4 covers penetration testing):
- Explicitly distinguishes penetration testing from vulnerability scanning
- Requires evidence testers attempted exploitation
- Mandates documented tester qualifications
- Expects methodology alignment with industry standards
Other Framework Requirements
SOC 2 (Trust Service Criteria CC7.1):
- Requires detecting and responding to security incidents
- Penetration testing validates detection capabilities
- Auditors expect manual testing confirming controls effective
ISO 27001 (A.12.6.1):
- Technical vulnerability management includes scanning and testing
- Both required for comprehensive security program
- Testing validates vulnerability management effectiveness
HIPAA Security Rule (§164.308(a)(8)):
- Periodic technical and non-technical evaluation required
- Penetration testing demonstrates ePHI protection
- Must prove unauthorized access prevented or detected
Evaluating Penetration Testing Providers
Essential Questions to Ask
- "What certifications do your actual testers hold?"
  - Request specific certifications (OSCP, GPEN, GWAPT)
  - Ask for tester resumes and verification
  - Ensure certifications are held by the performing testers, not just company leadership
- "How many hours of manual testing are included?"
  - Quality testing includes 60-120+ hours
  - Breakdown by phase (recon, exploitation, reporting)
  - Distinguish automated scan time from manual effort
- "Will you provide proof-of-concept for findings?"
  - Screenshots of successful exploitation
  - Command outputs demonstrating compromise
  - Evidence of data or system access
- "Can I review a sample report?"
  - Request a redacted report from a similar engagement
  - Look for attack narratives, not just CVE lists
  - Verify specific remediation guidance is included
- "What methodology do you follow?"
  - Should reference PTES, OWASP, or NIST SP 800-115
  - Documented approach ensuring consistency
  - Quality assurance and peer review process
- "What's included in post-testing support?"
  - Remediation validation testing
  - Technical support answering questions
  - Executive presentation to stakeholders
  - Audit support if compliance-driven
Portfolio and Reference Verification
- Request client references from organizations similar to yours
- Verify experience in your industry vertical
- Check published security research demonstrating expertise
- Review case studies showing successful engagements
- Validate insurance coverage (errors & omissions, cyber liability)
When to Use Each Service
Vulnerability Scanning Is Ideal For:
- Continuous Monitoring: Weekly or monthly security posture tracking
- Patch Validation: Confirming updates deployed successfully
- Large-Scale Coverage: Monitoring 500-5,000+ assets efficiently
- Compliance Scanning: PCI DSS quarterly requirements
- Pre-Deployment Testing: Scanning systems before production
- Budget-Conscious Organizations: Cost-effective vulnerability identification
Penetration Testing Is Essential For:
- Annual Security Validation: Proving defenses work against real attacks
- Compliance Requirements: PCI DSS 11.3, SOC 2, HIPAA mandates
- Pre-Production Launch: Validating new applications before customer use
- Post-Incident Testing: Confirming breach remediation effective
- Customer Requirements: Enterprise buyers demanding security validation
- Cyber Insurance: Policy requirements or premium reductions
- Merger & Acquisition: Due diligence security assessment
Optimal Approach: Integrated Program
Leading organizations combine both services in comprehensive VAPT programs:
- Continuous Scanning: Monthly vulnerability assessment identifying new CVEs ($12,000-$30,000 annually)
- Annual Penetration Testing: Comprehensive exploitation validation ($15,000-$40,000 annually)
- Quarterly Validation: Targeted rescans confirming critical vulnerabilities remediated
- Total Investment: $27,000-$70,000 annually
This integrated approach provides continuous visibility into emerging vulnerabilities through scanning while periodically validating exploitability through professional penetration testing, meeting both operational monitoring and compliance validation needs.
What to Expect: Professional Testing Timeline
Typical Engagement Flow
Week 1-2 (Pre-Engagement):
- Initial consultation and scoping discussion
- Statement of Work and Rules of Engagement finalization
- Legal agreements and authorization signatures
- Testing window scheduling and stakeholder notification
Week 3 (Testing Week 1):
- Reconnaissance and automated scanning (Days 1-2)
- Manual enumeration and service testing (Days 3-5)
- Daily status updates to stakeholders
Week 4 (Testing Week 2):
- Exploitation attempts and validation (Days 1-3)
- Post-exploitation and lateral movement (Days 4-5)
- Critical finding notifications as discovered
Week 5 (Reporting):
- Technical report writing and POC documentation (Days 1-4)
- Quality assurance and peer review (Day 5)
Week 6 (Delivery):
- Report delivery and review period (Days 1-3)
- Debrief presentation to stakeholders (Day 4)
- Q&A and remediation planning support (Day 5)
Total Timeline: 6 weeks from kickoff to final deliverables, reflecting a thorough, quality-focused approach.
Building Your Security Testing Program
Maturity Progression
Stage 1: Foundation (Year 1):
- Baseline vulnerability assessment understanding current state
- Initial penetration test identifying critical gaps
- Remediation of high and critical findings
- Investment: $20,000-$35,000
Stage 2: Regular Cadence (Year 2):
- Quarterly vulnerability scanning
- Annual penetration testing
- Remediation validation
- Investment: $25,000-$50,000
Stage 3: Continuous Program (Year 3+):
- Monthly vulnerability scanning
- Annual comprehensive penetration testing
- Bi-annual focused testing (specific applications or changes)
- Purple team exercises testing detection capabilities
- Investment: $40,000-$80,000
Making the Right Investment
Organizations deserve clarity when purchasing security testing services. Understanding the distinction between automated vulnerability scanning and manual penetration testing enables informed decisions matching security needs, compliance requirements, and budget realities.
Key Takeaways:
- Vulnerability scanning and penetration testing both provide value but serve different purposes
- Professional penetration testing requires certified testers, manual exploitation, and comprehensive effort
- Realistic pricing reflects 60-120+ hours of skilled security professional time
- Compliance frameworks distinguish between scanning and testing with specific requirements
- Quality testing includes proof-of-concepts demonstrating actual exploitability
- Comprehensive security programs combine continuous scanning with annual penetration testing
When evaluating security testing providers, focus on qualifications, methodology, deliverables, and realistic effort estimates. Providers transparently explaining their approach, sharing tester credentials, and setting appropriate expectations deliver genuine security value helping organizations understand and address real risks.
subrosa provides both professional vulnerability management and comprehensive penetration testing with clear differentiation between services. Our vulnerability management includes continuous scanning, expert triage eliminating false positives, risk-based prioritization, and remediation guidance. Our penetration testing features OSCP and GPEN certified testers averaging 8+ years' experience, 60-120 hours of manual exploitation per engagement, comprehensive proof-of-concepts for all critical findings, detailed attack narratives demonstrating business impact, specific remediation roadmaps, and post-testing validation support. We help organizations understand the appropriate testing for their specific needs, whether continuous scanning, annual penetration testing, or integrated programs combining both services. Our transparent approach educates clients, ensuring security investment delivers actual risk reduction rather than just compliance documentation.