Pentesting (pentesting)
Pentesting is an important and necessary tool for understanding the risks your company faces. To have a real sense of the dangers to which your company is exposed, there are certain tools that you need to understand and appreciate. Otherwise, you may underestimate security breaches that could jeopardize your company. Fortunately, there is good news: thanks to pentesting, or penetration tests, you can accurately identify such security holes.
What is pentesting?
Penetration testing consists of a series of tests based on attacks on IT systems to identify their weaknesses or vulnerabilities. The tests are designed to classify security breaches and determine their extent and degree of impact. As a result of such tests, you can get a fairly clear idea of the dangers to your system and the effectiveness of your protection[1][2].
Pentests help determine the likelihood that an attack will succeed, and they identify security holes that result from low-risk vulnerabilities being used in a certain way. They also identify other vulnerabilities that cannot be detected using automated network software or special programs, and they can be used to assess whether security managers are able to successfully detect and respond to attacks.
How penetration testing is performed
There are several types of pentests, classified according to how much information about the system the tester has. In whitebox penetration tests, the tester knows everything about the system, applications or architecture; in blackbox penetration tests, the tester has no information about the target. Keep in mind that this classification is a practical necessity, since the testing conditions are often based on user criteria.
After that, you need to choose one of the various penetration testing methods. The choice will be determined by the characteristics of the system, or it may be dictated by external requirements placed on the company. In any case, available methods include ISSAF, PCI, PTF, PTES, OWASP, and OSSTMM, among others. Each method has many nuances of its own, and deep knowledge of them is necessary when implementing pentests.
Which method to choose?
According to a number of experts, PTES and OWASP are quite good pentest methods because of the way they are structured. According to them, the Penetration Testing Execution Standard (PTES), in addition to being adopted by many authoritative experts, is already a model used in textbooks for penetration testing systems such as Rapid7 Metasploit.
On the other hand, the Open Source Security Testing Methodology Manual (OSSTMM) has become a standard. While not particularly innovative, it is one of the first approaches to a universal framework for the security concept. Today it has become a benchmark not only for organizations that want to develop high-quality, organized and effective penetration testing, but also for a number of companies.
Alternatively, the Information Systems Security Assessment Framework (ISSAF) organizes data around so-called "evaluation criteria," each of which has been compiled and reviewed by experts in each area of security solutions. The Payment Card Industry Data Security Standard (PCI DSS) was developed by a board of leading credit and debit card companies and serves as a guide for organizations that process, store and share cardholder data. It was for this standard that PCI penetration testing was developed.
The number of methods and frameworks is quite large, and they are extensive and diverse. As already mentioned, the choice between them will depend on understanding your company's needs and knowledge of the required security standards. But by doing everything right, you can protect your systems much more effectively, knowing in advance where and how they can fail. This is invaluable information for those who know how to use it.
Chronology of events
2025: More than 40% of vulnerabilities are not eliminated on time after a pentest
Companies eliminate on time only 56% of the vulnerabilities discovered during penetration testing. Informzaschita experts name a poorly structured process for deciding on improvements to the information security system after a pentest as the main reason for this situation. The company announced this on April 16, 2025.
The integrator's specialists point out that, according to FSTEC requirements, critical vulnerabilities must be fixed within 24 hours and high-level vulnerabilities within up to 7 days. However, even among such vulnerabilities, 28% are not fixed on time. Experts recommend eliminating medium-level vulnerabilities within 14 days, but the average time to fix in the first three months of 2025 is 35 days.
Informzaschita experts emphasize that the slow elimination of vulnerabilities is influenced by the untimely response of the management, the long coordination of decisions and the lack of consistency between departments, insufficient funding for information security and technical limitations, including the lack of competencies of the internal information security team, problems with import substitution and the lack of automated vulnerability management tools. Among industries, the greatest difficulties are observed in education and healthcare, where more than 70% of vulnerabilities are not eliminated on time.
"Many companies often delay solving problems identified during the pentest, believing that the information security team will prevent an attack by knowing possible vectors. But testing is only half the way; you cannot avoid an incident just by knowing how and why it can happen," says Anatoly Peskovsky, head of security analysis at the Informzaschita IZ:SOC Cyber Attack Monitoring and Counteraction Center.
In 2024, according to Informzaschita, the average time from public disclosure of a vulnerability to its exploitation fell to 5 days, from 32 days in 2022. As for 0-day vulnerabilities, whose identification is among the tasks of pentesting, in 2024 the number of attacks using them increased by 18% and amounted to about 115 attacks. In about 20% of cases, according to Informzaschita experts, the vulnerabilities had been identified as a result of penetration testing but were not eliminated in time.
Integrator experts recommend implementing and maintaining an effective vulnerability management process, including all stages from asset inventory to vulnerability remediation control, and regularly training and raising employee awareness of information security.
"Companies may not have enough technical tools and competencies to eliminate all vulnerabilities. In this case, it is necessary to contact specialized information security companies that have sufficient experience and can provide high-quality services for detecting and eliminating vulnerabilities, modifying and supporting the information security system," Peskovsky emphasizes.
2023
96% of organizations are vulnerable to cyber fraudsters
On July 2, 2024, Positive Technologies specialists shared the results of penetration tests conducted in 2023. In almost all companies where internal testing was carried out, attackers could establish full control over the IT infrastructure. The minimum time needed to penetrate the local network was one day. [1]
Over the year, companies strengthened the external perimeter, but forgot about internal networks
Over the year, against the background of numerous cyberattacks on Russian companies, they strengthened the protection of their IT perimeters, but they still underestimate the threat of an internal intruder. This follows from the results of pentests conducted by RTK-Solar experts from March 2022 to March 2023. A third (35%) of companies passed the external pentest (a year earlier this figure was only 24%). At the same time, goals inside the IT perimeter were achieved in 100% of cases (a year earlier, in only 63%). The company announced this on April 3, 2023.
2022: 77% of organizations in Russia are not sufficiently protected from hacking
The Innostage Security Analysis Group conducted penetration testing (pentest) in Russian companies and shared the interim results on December 28, 2022. The purpose of the pentest was to obtain the maximum possible privileges or perform an illegitimate action in relation to the organization's IT infrastructure. In 77% of organizations, specialists managed to gain administrative access to critical objects or sensitive information while operating from outside the external perimeter.