If you’re going to invest in a penetration test, you deserve to know you’re getting your money’s worth. Unfortunately, most companies don’t know what they’re actually getting.
Whether it’s too narrow a scope, inadequate preparation, or not asking the right questions, some organizations miss significant opportunities to enhance their security posture—even after hiring a skilled penetration tester.
So, how can you ensure that’s not you?
We asked two of our senior security experts—Garrett Adler (Senior Pen Tester) and Terrill Thorn (Director of Pen Testing)—to walk through how companies like yours can squeeze the absolute most value out of their pen test.
A penetration test is essentially when you hire an ethical hacker to try to break into your systems. The goal isn't to cause actual damage, but to discover weaknesses before threat actors do. By simulating a real-world attack, pen testing reveals what a "bad actor" could achieve, providing invaluable insights.
As Garrett Adler explains,
"When we perform penetration tests, we will be essentially acting as a threat actor would on the internet, trying to identify and exploit vulnerabilities within your external network, your internal network, or your web applications."
To get the most out of your penetration test, consider these tips.
Before your pen tester starts, run internal scanners across your environment. Why? Because no one should pay an expert to find what a free tool could’ve flagged.
“Have automated scanners already running,” says Senior Pen Tester Garrett Adler. “That way, we can skip the low-hanging fruit and dive straight into complex vulnerabilities that scanners can’t touch.”
The clearer your objective, the better your results. Are you concerned about access control in your web app? Want to simulate an insider threat? Call it out. A strong objective focuses your test—and gives you answers that actually help your business.
Being overly rigid with scoping can hide real risks. The most dangerous vulnerabilities usually live in the gray areas—the places where internal systems and external access overlap. If you don’t give testers permission to explore those paths, you may never find them.
As Director of Pen Testing Terrill Thorn puts it: “One vulnerability leads to another. If you want a real-world picture, you have to let us follow the thread.”
The best pen tests are collaborative. If your tester has a question mid-engagement, answering quickly can be the difference between discovering a high-impact vulnerability or running out of time.
“We’re not just trying to check a box,” says Garrett. “We’re trying to think like a real attacker. And that works best when we can collaborate with your team in real time.”
Garrett Adler shared an example of a recent external penetration test that escalated:
"We were actually able to show with that application how an unauthenticated, unauthorized person could gain access to the application... With that, they could get code execution on the back-end server, allowing them to get on the internal environment... and gain domain administrative level to the environment."
Terrill Thorn adds,
"I think that's a great illustration of some of the things that we were talking about earlier with being open to extending the scope of the penetration test. This was an external penetration test to start with, but then you were able to get onto the internal network."
This comprehensive test, initially external, uncovered critical vulnerabilities across multiple layers, ultimately leading to domain administrator access – the "keys to the kingdom." It highlights the value of an open-ended scope, demonstrating how one vulnerability can lead to multiple compromises, and how thorough testing can reveal hidden risks.
Typical engagements range from $5,000–$15,000, depending on scope, size, and complexity.
Most kickoffs happen 7–10 days after contract signing.
No. We avoid denial-of-service attacks and work to ensure high availability throughout the test.
Our reports include actionable remediation guidance. We’re also available to consult, if needed.
SecurityMetrics offers different types of pen tests depending on your risk profile:
Your penetration testing process will vary by provider. Below is an overview of how penetration tests work when you partner with SecurityMetrics.
During this phase, you will experience a pre-engagement conference call covering your pen test needs, methodologies, objectives, the scope of your pen test, and your pen test date. Closer to your pen test date, you will receive a questionnaire that collects the needed information and documentation. You will then work with your point of contact to ensure your office is prepared for the test and that you won’t experience any downtime.
SecurityMetrics Pen Testers then attempt to find and exploit your vulnerabilities by using industry-standard methodologies. SecurityMetrics Pen Testers document everything they see to simplify your remediation process.
Within six weeks, you will receive your report, which includes a narrative of the pen test activities and details of identified vulnerabilities. Each vulnerability will include recommended steps or actions for remediation. Once you have analyzed your report, you can work with a SecurityMetrics point-of-contact to receive advice on how to remediate and patch any weaknesses.
Once you’ve finished your first remediation phase, your point-of-contact will schedule a retest of your system, checking for proper patching. Unlike many other pen testing firms, SecurityMetrics' pen testing includes retesting in your initial quote.
SecurityMetrics stands out for several reasons:
Penetration testing is a crucial investment for any organization serious about its cybersecurity. If you go into your pen test knowing what’s in store, you can adequately prepare and get the most out of your investment.