Penetration Testing: What It Is, How It Works, and Why B2B Companies Need It
A practical guide to penetration testing — what it is, the different types, how the process works, how often to test, what to do with results, and how pen testing fits into compliance frameworks like ISO 27001, SOC 2, NIS2, and DORA.
Penetration Testing: What It Is, How It Works, and Why B2B Companies Need It
Penetration testing is a controlled security assessment where qualified testers simulate real-world attacks against your systems, applications, or networks. The purpose is straightforward: find exploitable vulnerabilities before attackers do.
For B2B software companies, penetration testing serves two purposes. First, it directly improves security by identifying weaknesses that automated tools miss — business logic flaws, authentication bypasses, complex attack chains. Second, it provides evidence that enterprise buyers, auditors, and regulators require. A recent penetration test report is one of the most-requested documents in vendor security assessments.
This guide covers how penetration testing works, the different types, how it fits into compliance frameworks, and how to share results with buyers.
How Penetration Testing Works
The Penetration Testing Process
A typical penetration test follows a structured methodology:
1. Scoping and Planning
- Define what is in scope (applications, networks, APIs, cloud infrastructure)
- Agree on testing methodology and rules of engagement
- Set the testing window and communication protocols
- Obtain written authorisation (critical — testing without authorisation is illegal)
2. Reconnaissance
- Gather information about the target (domain names, IP ranges, technology stack)
- Map the attack surface (exposed services, entry points, authentication mechanisms)
- Identify potential vulnerability areas based on technology and architecture
3. Vulnerability Identification
- Use automated scanning tools to identify known vulnerabilities
- Manual testing for business logic flaws, access control issues, and configuration weaknesses
- Review authentication and session management mechanisms
- Test input validation and data handling
4. Exploitation
- Attempt to exploit identified vulnerabilities to confirm they are genuine
- Chain multiple findings together to demonstrate real-world attack scenarios
- Assess what an attacker could access or achieve through each vulnerability
- Document proof-of-concept evidence for each finding
5. Post-Exploitation
- Assess the impact of successful exploitation (data access, privilege escalation, lateral movement)
- Determine what sensitive data or systems could be compromised
- Evaluate detection and response capabilities — did monitoring tools detect the test?
6. Reporting and Remediation
- Deliver detailed report with findings, severity ratings, and remediation guidance
- Present results to technical and executive stakeholders
- Support remediation efforts with clarification and guidance
- Conduct retesting to verify fixes are effective
Types of Penetration Testing
By Knowledge Level
| Type | Tester Knowledge | Simulates | Best For |
|---|---|---|---|
| Black Box | No prior information | External attacker | Realistic attack simulation |
| White Box | Full access (source code, architecture) | Insider threat or deep analysis | Comprehensive code-level testing |
| Grey Box | Partial access (user credentials, limited docs) | Authenticated attacker | Application security testing |
By Target
Web Application Testing
- OWASP Top 10 vulnerabilities (injection, broken authentication, XSS, etc.)
- Business logic flaws (price manipulation, workflow bypasses)
- API security (authentication, authorisation, input validation)
- Session management and access control
Network/Infrastructure Testing
- External perimeter testing (internet-facing systems)
- Internal network testing (simulating post-breach or insider)
- Wireless network security
- Cloud infrastructure configuration review
Mobile Application Testing
- Client-side security (data storage, certificate pinning)
- API communication security
- Authentication and session handling
- Platform-specific vulnerabilities (iOS, Android)
Cloud Security Testing
- Cloud configuration review (IAM, storage, networking)
- Container and Kubernetes security
- Serverless function security
- Cloud-native attack paths
Specialised Testing
Social Engineering
- Phishing simulations
- Physical security testing
- Vishing (voice phishing) assessments
Red Team Assessments
- Full-scope adversary simulation
- Objective-based (not vulnerability-based)
- Tests detection and response, not just prevention
- Typically longer engagements (weeks to months)
Threat-Led Penetration Testing (TLPT)
- Intelligence-led testing based on real threat actor TTPs
- Required by DORA for significant financial entities
- Follows TIBER-EU or equivalent framework
- Conducted by qualified external providers
Penetration Testing and Compliance
ISO 27001
| Control | Requirement | How Pen Testing Satisfies It |
|---|---|---|
| A.8.8 | Management of technical vulnerabilities | Annual pen testing identifies technical vulnerabilities beyond automated scanning |
| A.5.36 | Conformity with policies and standards | Independent security testing validates that controls work as designed |
| A.8.9 | Configuration management | Pen testing reveals misconfigurations that create vulnerabilities |
SOC 2
| Trust Services Criteria | Requirement | How Pen Testing Satisfies It |
|---|---|---|
| CC7.1 | Detection of vulnerabilities | Pen testing demonstrates active vulnerability identification |
| CC4.1 | Monitoring of controls | Tests verify that security controls are effective |
| CC3.2 | Risk assessment | Pen test findings feed into risk assessment process |
NIS2
| Article | Requirement | How Pen Testing Satisfies It |
|---|---|---|
| Article 21(2)(d) | Supply chain security | Pen testing of critical suppliers validates their security |
| Article 21(2)(e) | Vulnerability handling | Pen testing identifies vulnerabilities for remediation |
| Article 21(2)(f) | Effectiveness assessment | Pen tests assess effectiveness of security measures |
DORA
| Article | Requirement | How Pen Testing Satisfies It |
|---|---|---|
| Article 24 | General requirements for ICT testing | Regular pen testing as part of digital resilience testing |
| Article 25 | Threat-led penetration testing | TLPT required for significant entities (TIBER-EU framework) |
| Article 26 | Requirements for testers | TLPT must use qualified external testers |
Choosing a Penetration Testing Provider
Key Evaluation Criteria
Qualifications and Certifications
- CREST-accredited company and certified testers (CRT, CCT)
- OSCP, OSCE, OSWE certified individuals
- CHECK (UK) or equivalent national scheme membership
- Industry experience relevant to your technology stack
Methodology
- Follows established frameworks (OWASP, PTES, NIST SP 800-115)
- Combines automated and manual testing
- Includes business logic testing, not just vulnerability scanning
- Provides clear scoping and rules of engagement
Reporting Quality
- Executive summary accessible to non-technical stakeholders
- Detailed technical findings with proof-of-concept evidence
- Risk-rated findings (Critical, High, Medium, Low)
- Specific, actionable remediation recommendations
- Retest included to verify fixes
Compliance Alignment
- Experience with your regulatory requirements (ISO 27001, SOC 2, NIS2, DORA)
- Reports formatted for auditor review
- Attestation letters available for buyer requests
- TIBER-EU qualified for DORA TLPT requirements
Cost Considerations
Penetration testing costs vary significantly based on scope:
- Web application test (single app): €5,000-€20,000
- Network/infrastructure test (external + internal): €8,000-€25,000
- Comprehensive engagement (applications + infrastructure + cloud): €15,000-€50,000
- Red team assessment: €30,000-€100,000+
- TLPT (TIBER-EU): €50,000-€200,000+
Annual testing for a typical B2B SaaS company (web application + API + cloud infrastructure) typically ranges from €10,000-€30,000.
What to Do with Pen Test Results
Internal Remediation
- Triage findings by severity: Address Critical and High findings immediately
- Assign ownership: Each finding needs an owner and a remediation deadline
- Track remediation: Use your issue tracker to ensure findings are resolved
- Retest: Have the testing firm verify that fixes are effective
- Update risk register: Feed findings into your risk management process
- Review root causes: Identify systemic issues that caused multiple findings
Sharing Results
Through your Trust Center:
- Publish a pen test summary (date, scope, tester, key findings remediated)
- Gate full reports behind NDA access
- Include attestation letters from the testing firm
- Show your testing cadence and methodology
In security questionnaires:
- Reference your most recent test date and scope
- Confirm that Critical and High findings have been remediated
- Provide the testing firm's attestation letter
- Share full report under NDA if requested
For compliance auditors:
- Provide the full report with remediation evidence
- Show retest results confirming fixes
- Demonstrate integration with your vulnerability management programme
- Map findings to relevant control frameworks
Common Penetration Testing Mistakes
Testing Too Narrowly
Only testing the main web application while ignoring APIs, admin panels, staging environments, and cloud infrastructure. Attackers look for the weakest link, not the strongest.
Testing Once and Forgetting
A single annual test creates a snapshot in time. Continuous development means new vulnerabilities are introduced regularly. Consider continuous pen testing for applications with frequent releases.
Ignoring Remediation
A pen test report is worthless if findings are not remediated. Track findings as security bugs with SLAs: Critical within 48 hours, High within 2 weeks, Medium within 30 days.
Choosing on Price Alone
The cheapest pen test often delivers the least value. A team that runs automated scanners and repackages the output as a "penetration test" provides little beyond what your own scanning tools deliver.
Not Sharing Results
Hoarding pen test results means buyers must send questionnaires to get information you already have. Publish summaries on your Trust Center to reduce inbound security review requests.
How Orbiq Supports Penetration Testing Programmes
- Trust Center: Publish pen test summaries, attestation letters, and remediation status for buyer self-service
- Evidence Management: Centralize pen test reports, remediation tracking, and retest evidence mapped to compliance frameworks
- AI-Powered Questionnaires: Auto-respond to pen testing questions in security questionnaires from your documented evidence
- Continuous Monitoring: Track remediation progress and alert when retest deadlines approach
Further Reading
- Security Questionnaire — How pen test results appear in vendor assessments
- ISO 27001 Certification — The certification framework that requires vulnerability testing
- Compliance Automation — Automating the evidence trail from pen testing
- Trust Center — Publishing pen test results for buyer due diligence
This guide is maintained by the Orbiq team. Last updated: March 2026.