Cybersecurity Insights & Research

Threat reports, research papers, webinars and whitepapers from the Mercurius security team — staying ahead of the adversary.

Especialista realizando um pentest em uma rede corporativa

What Is a Pentest? A Complete Guide for Companies

A pentest (penetration test) is an offensive security practice in which specialists simulate real attacks against an organization’s systems, networks, or applications to find vulnerabilities before criminals can exploit them. The practice follows recognized methodologies such as PTES, OWASP, and NIST SP 800-115, and it is required or recommended by standards like ISO 27001, PCI-DSS, and, in the Brazilian context, the LGPD. Mid-sized and large companies run pentests periodically and after any significant change to their infrastructure.

This guide explains what a pentest is, how it works in practice, the types, how much it costs, what separates a strong report from a generic one, and when your company should run one. It is the foundation for any decision-maker who needs to justify, buy, or evaluate a penetration test.

What a pentest is and why it exists

A pentest is an authorized, simulated attack, run by professionals who use the same techniques as a real adversary, with the goal of measuring an organization’s concrete risk. The difference between a pentest and a real attack is only one thing: intent. The pentester finds the flaw, proves it is exploitable, and hands over the path to fix it, instead of causing harm.

The reason it exists is simple. Most security tools assess risk in theory. A vulnerability scanner flags that a port is open or that a software version is out of date. A pentest answers the question the board actually wants answered: can an attacker really get in, move across the network, and reach the critical data? That distinction between theoretical risk and exploitable risk is the core value of the test.

According to the IBM Cost of a Data Breach 2024 report, the global average cost of a data breach reached 4.88 million dollars, the highest figure ever recorded. The Verizon DBIR consistently shows that most breaches involve the exploitation of known vulnerabilities and the human factor. A pentest targets exactly those two points: it finds the exploitable flaw and tests how the organization responds.

How a pentest works in practice

A pentest works in sequential phases that reproduce the behavior of a real attacker, from initial reconnaissance to documenting the impact. Methodologies such as PTES (Penetration Testing Execution Standard) and NIST SP 800-115 formalize those phases to guarantee consistency and coverage.

The essential phases are:

  1. Planning and scope. Defines what will be tested (targets, systems, applications), the level of access granted, and the rules of engagement. This is the step that prevents operational noise and sets legal responsibility.
  2. Gathering information about the target, from public sources to mapping exposed infrastructure. It mirrors what an attacker would do before acting.
  3. Enumeration and vulnerability analysis. Identifying services, versions, configurations, and potential flaws. This is where manual techniques combine with tools, because a scanner alone does not find business logic flaws.
  4. The step that separates a pentest from a scan. The specialist attempts to exploit the flaws found to prove they are real and to measure the impact.
  5. Post-exploitation and lateral movement. Once inside, the pentester assesses how far they can go: escalating privileges, reaching other systems, getting to the critical data. This is what shows the real risk of a compromise.
  6. Documentation and reporting. A record of every finding, with evidence, severity classification, and a prioritized remediation recommendation.

 

The depth of each phase depends on the test model, detailed further below under black box, gray box, and white box.

Pentest, vulnerability scan, and Red Team: the differences

Confusing these three concepts is the most common mistake among those buying offensive security for the first time. They solve different problems and do not replace one another.

A vulnerability scan is automated and flags potential flaws at scale, without proving they are exploitable. A pentest is run by humans, validates which flaws are actually exploitable, and measures the impact of a compromise within a defined scope and time frame. A Red Team exercise goes further: it simulates a real, persistent adversary, without a narrow scope and without warning the defense team, in order to test not only the technology but also the people and the detection and response processes of the organization.

The practical rule: a scan is for continuous hygiene, a pentest is for validating risk at specific points, and a Red Team is for measuring the detection maturity of an organization that is already mature. Most companies start with a pentest and evolve to Red Team once their SOC and controls are established.

Types of pentest

The types of pentest vary according to the target being tested and the level of prior knowledge granted to the specialist. Choosing the right type is what ensures the test answers the risk question that matters to the organization.

By level of access:

Model
Prior Knowledge
Simulates
When to use
Black Box
None
External attacker with no information
Test real exposure as seen from outside
Grey Box
Partial (a standard user credential)
Insider or an attacker who already has access
Best cost-benefit and coverage
White box
Full (code, architecture, credentials)
Deep analysis with complete access
Critical applications and code review

By target:

  • External pentest: assesses the internet-facing perimeter (websites, VPN, public servers, email).
  • Internal pentest: simulates a threat already inside the network, whether an insider or an attacker who breached the perimeter.
  • Web application pentest: focuses on application flaws, guided by the OWASP Top 10 (injection, broken authentication, data exposure).
  • Mobile and API pentest: assesses apps and the interfaces that feed them.
  • Social engineering: tests the human factor with controlled phishing and pretexting.

 

Cloud infrastructure pentest: assesses AWS, Azure, or GCP configurations, where misconfiguration is the main cause of exposure.

Recognized pentest methodologies

A serious pentest is run on a formal methodology, not on the improvisation of whoever executes it. The methodology guarantees coverage, repeatability, and comparison across tests over time. The main references:

  • PTES (Penetration Testing Execution Standard): defines the seven standard phases of a test, from pre-engagement to reporting.
  • OWASP Testing Guide and OWASP Top 10: the reference for web application testing and the list of the most critical flaws.
  • NIST SP 800-115: the NIST technical guide for information security assessment.
  • OSSTMM: a security testing methodology manual oriented to metrics.
  • MITRE ATT&CK: a knowledge base of real adversary tactics and techniques, used to map and simulate threat behavior.

 

Using these methodologies, beyond raising the technical quality, is what makes the report defensible before auditors and regulators.

How much a pentest costs

The cost of a pentest varies according to scope, complexity, and depth, and in the Brazilian market it is usually priced per project or per day of specialized work. There is no price list because testing a single corporate website and testing an entire financial infrastructure are jobs of a different order of magnitude.

The main factors that influence price:

  1. Scope size: the number of IPs, applications, endpoints, and environments to test.
  2. Test model: black box, gray box, or white box (white box usually requires more hours).
  3. Technical complexity: custom applications, cloud architecture, and legacy systems increase the effort.
  4. Team seniority: professionals with certifications such as OSCP deliver a depth that no tool replaces, and that is reflected in the price.
  5. Compliance requirement: tests aimed at PCI-DSS or ISO 27001 demand additional documentation rigor.

The classic buying mistake is choosing by the lowest price. A cheap test is usually an automated scan disguised as a pentest, which delivers a list of false positives and no proof of exploitation. The right decision criterion is the depth of the methodology and the quality of the report, not the price in isolation.

Pentest and compliance: LGPD, ISO 27001, and PCI-DSS

A pentest is a control recognized by multiple security and data protection standards, serving as objective evidence that the organization actively assesses its risks. Although not every standard uses the word “pentest” literally, they all require regular vulnerability verification.

  • LGPD (Law 13.709/2018, Brazil): requires technical and administrative security measures to protect personal data. A pentest is one of the most direct ways to demonstrate that diligence to the ANPD, especially after an incident.
  • ISO/IEC 27001:2022: addresses technical vulnerability management and the continuous assessment of controls, and a pentest is the usual practice for meeting those requirements.
  • PCI-DSS v4.0: for anyone processing cardholder data, penetration testing is mandatory, with a defined frequency and a retest after significant changes.
  • BACEN Resolution 4.658 (Brazil): for financial institutions, it reinforces the requirement for security testing and assessments.

 

In short, a pentest is no longer just good technical practice. It has become a compliance item and a legal defense.

How often to run a pentest

The market recommendation is to run a pentest at least once a year, and always after significant changes to infrastructure, to critical applications, or to network architecture. Annual frequency is the floor, not the ceiling.

Triggers that justify a new test regardless of the calendar: launching or heavily updating an application, migrating to the cloud, a merger or acquisition, a requirement from a new contract or audit, and the response to an incident. High-criticality environments, such as the financial sector, tend to adopt a semiannual or quarterly cadence for their most exposed assets.

How Mercurius runs a pentest

Mercurius approaches pentesting with a real offensive mindset, run by certified engineers (OSCP, OSWE, among other credentials) who think like the attacker in order to protect like a strategist. The differentiator is not running a tool. It is proving the exploitable risk, mapping the path an adversary would take, and translating the technical finding into a business decision for the board.

Every project follows recognized methodologies (PTES, OWASP, NIST SP 800-115) and is mapped to MITRE ATT&CK, with a report that prioritizes remediation by real impact, not by the generic severity of a scanner.

Frequently asked questions about pentesting

What is the difference between a pentest and a vulnerability assessment? A vulnerability assessment is automated and lists potential flaws at scale, without proving they are exploitable. A pentest is run by specialists who exploit the flaws to prove they are real and to measure the impact of a compromise. One points to theoretical risk, the other validates exploitable risk.

Is a pentest required by law? Data protection laws such as the LGPD in Brazil do not use the word pentest literally, but they require adequate technical security measures to protect personal data, and a pentest is one of the most accepted ways to demonstrate that diligence. For companies that process cardholder data, PCI-DSS makes the test explicitly mandatory.

How long does a pentest take? It depends on the scope. A test focused on a single application usually takes one to two weeks. A project covering external and internal infrastructure plus applications can extend over several weeks, including documentation and the retest of fixes.

What should a good pentest report contain? A serious report includes an executive summary in business language, the list of findings with proof of exploitation, the severity classification and real impact, a prioritized remediation recommendation, and, ideally, a mapping to MITRE ATT&CK. A report that only delivers a scanner output list is not a pentest.

Can a pentest take down my systems? A professional pentest is run with agreed rules of engagement that minimize operational risk. High-impact techniques are only executed with explicit authorization and, when necessary, in a controlled environment or outside critical hours. The scope discussion in the planning phase exists precisely for this.

What is the difference between a pentest and a Red Team? A pentest has a defined scope and time frame and focuses on finding and proving vulnerabilities in specific targets. A Red Team simulates a real, persistent adversary, without a narrow scope and without warning the defense team, to also test the organization’s detection and response capability. Red Team is the next step for companies with already mature controls.

See your network the way an attacker does — before one does!

Mercurius runs manual-led Red Team, penetration testing and cloud assessments that don’t just list vulnerabilities — they prove the exact path an adversary would take to your crown jewels, and how to close it.

Attack Path → Crown Jewels RED TEAM
External Recon TA0043 · exposed asset Initial Access TA0001 · web exploit Priv. Escalation TA0004 · misconfig Lateral Movement TA0008 · cred reuse Crown Jewels
5 steps · 0 alerts triggered ● objective reached

Learn about the pentest and offensive security service from Mercurius

Did you enjoy the content? Share it with your network!

Categories

Last contents