I’ve Been Told We Need a Pen Test… What Does That Actually Mean?
- Delta Team

- Mar 26
- 3 min read
If you’ve been told “we need to get a penetration test”, you’re not alone.
Across the UK, more organisations are being asked to complete penetration testing as part of client security requirements and cyber insurance renewals.
The challenge? Most teams are given the instruction but not the explanation.
This guide breaks down what a penetration test (pen test) actually involves, what you need to prepare, and how to approach it properly.
What is a Penetration Test?
A penetration test is a controlled security assessment where specialists attempt to identify vulnerabilities in your systems before a real attacker does.
In the UK, penetration testing is commonly required for:
Client or supplier security due diligence
Cyber insurance policies
Supporting compliance with security frameworks such as ISO 27001, SOC 2 or PCI DSS
Unlike automated scans, a proper pen test involves manual testing by security professionals, who can chain multiple low-risk vulnerabilities together and show how a real attacker could turn them into a breach.
Why Do You Actually Need a Pen Test?
Before engaging a provider, clarify the reason internally.
Your objective will determine the scope, approach, and depth of testing.
Typical drivers include:
Satisfying a client or supplier requirement
A compliance or standards requirement, e.g. PCI DSS, SOC 2
Launching a new application or platform
Responding to a previous security incident
Renewing cyber insurance
Ask yourself:
Are we doing this to tick a compliance box, or to genuinely reduce risk?
Both are valid, but the approach may differ.
What Should Be Included in a Pen Test Scope?
One of the most common mistakes is assuming a pen test only covers a website.
In reality, penetration testing can cover multiple areas:
Public-facing websites
External infrastructure (servers, firewalls, IP ranges)
APIs
Internal networks
You don’t need technical expertise to scope a test; the key is to identify what’s critical to your business.
Types of Penetration Testing (Explained Simply)
Pen tests are typically categorised by how much access the tester has.
Black Box Testing - No prior access, simulating an external attacker
Grey Box Testing - Limited access, such as a user account
White Box Testing - Full access, including documentation or source code
If you’re unsure, a good provider will guide you, and a member of our team is happy to assist.
What Do You Need to Prepare?
Before a penetration test can begin, you’ll need to provide some basic information and take part in a scoping session. This gives the tester the opportunity to understand your requirements and primary objectives, and to gauge the length of the engagement.
Once you’ve decided to proceed, the information typically required for a test is:
Target domains, URLs, or IP addresses
Test accounts (if authentication is required)
Details of authentication methods (MFA, SSO, etc.)
A main point of contact and an emergency contact
An agreed testing window
And importantly: Ensure the test is approved internally. A signed ‘Authorisation To Test’ (ATT) will be required to verify approval has been obtained.
Running unauthorised testing, even internally, can cause serious disruption.
Rules of Engagement (Why They Matter)
Every professional penetration test includes agreed rules of engagement.
These simply define the boundaries that keep testing safe and controlled.
Typical considerations:
Systems that must not be tested
Whether disruptive testing is allowed
Testing hours (in-hours vs out-of-hours)
Data handling and confidentiality
Emergency escalation contacts
This protects both your business and the testing provider.
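One practical way to hold a tester to the agreed rules of engagement is to encode the scope, the exclusion list and the testing window as data, and have every target and timestamp pass a check before any activity starts. The example below is added here and is not from the original post; the scope values are constructed placeholders (RFC 5737 documentation addresses and example.com names), not a real engagement.

```python
"""Rules-of-engagement guard: added example, not from the original post."""
import ipaddress
from datetime import datetime, time

# Constructed example scope, mirroring what an Authorisation To Test records.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24"],          # RFC 5737 documentation range
    "in_scope_domains": ["app.example.com", "api.example.com"],
    "excluded_hosts": ["203.0.113.10"],               # e.g. a system that must not be tested
    "testing_window": ("2025-03-24", "2025-03-28"),   # agreed dates, inclusive
    "testing_hours": (time(9, 0), time(17, 30)),      # in-hours only
}


def _host_allowed(target: str, scope: dict) -> bool:
    """True if target (IP or hostname) is in scope and not on the exclusion list."""
    if target.lower() in (h.lower() for h in scope["excluded_hosts"]):
        return False
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP, so treat it as a hostname
        return target.lower() in scope["in_scope_domains"]
    return any(ip in ipaddress.ip_network(n) for n in scope["in_scope_networks"])


def _time_allowed(when: datetime, scope: dict) -> bool:
    """True if the timestamp falls inside the agreed dates and testing hours."""
    start, end = (datetime.fromisoformat(d).date() for d in scope["testing_window"])
    open_t, close_t = scope["testing_hours"]
    return start <= when.date() <= end and open_t <= when.time() <= close_t


def check_target(target: str, when_iso: str, scope: dict = SCOPE) -> tuple[bool, str]:
    """Decide whether testing `target` at ISO timestamp `when_iso` is permitted."""
    when = datetime.fromisoformat(when_iso)
    if not _host_allowed(target, scope):
        return False, f"{target}: outside agreed scope or on the exclusion list"
    if not _time_allowed(when, scope):
        return False, f"{target}: outside agreed testing window or hours"
    return True, f"{target}: permitted"


if __name__ == "__main__":
    for host in ["203.0.113.5", "203.0.113.10", "app.example.com", "198.51.100.1"]:
        print(check_target(host, "2025-03-25T10:00"))
```

Refusals are logged with the reason so that an out-of-scope request is visible to both the client contact and the tester, which is exactly the evidence an emergency escalation would need.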
Choosing a Penetration Testing Provider
Not all providers deliver the same level of quality.
If you’re comparing penetration testing companies, look for:
Manual testing, not solely automated tools
Clear, actionable reporting
Plain-English explanations
Retesting options after remediation
A low-cost test that produces an unusable report won’t help you pass audits or improve security.
Common Mistakes to Avoid
When preparing for a pen test, avoid these common pitfalls:
Not clearly defining scope
Choosing a provider based on price alone
Failing to act on the results
Final Thoughts: Getting Real Value from a Pen Test
A penetration test shouldn’t only be about finding vulnerabilities.
Done properly, it helps you:
Understand real-world risk
Improve your security posture
Meet compliance requirements confidently
Build trust with clients and partners
If you’ve been told “we need a pen test”, focus on:
Understanding the objective
Defining what matters to your business
Working with a provider who acts as a partner
Need Help with Penetration Testing?
At Delta Cyber Security, we support UK organisations with:
If you’re unsure where to start, we’re happy to guide you through the process.
Get in touch today to discuss your requirements - Contact Us