Penetration testing is a controlled, authorised simulated cyber attack carried out by qualified security professionals to identify real-world weaknesses in your IT systems before genuine attackers can exploit them.
Most businesses only discover their security gaps after an attacker has already walked through them. By that point, the damage is usually done.
Penetration testing flips that order. It puts a trained ethical hacker in the role of the attacker, with permission and an agreed scope, so the cracks are found first.
This guide explains what penetration testing is, how it differs from a basic scan, the main types you can choose from, what a quality engagement looks like, and how often a business should run one.
What Is Penetration Testing?
Penetration testing is a hands-on security assessment that mimics the methods a real attacker would use against your business. The goal is to discover and demonstrate exactly how a weakness could be exploited, not just flag that one might exist.
A typical engagement involves an experienced tester, sometimes called an ethical hacker, working through a defined scope of systems, applications, or people. They probe, prod, and chain together small weaknesses until they reach data, accounts, or systems that should have been off-limits.
Unlike a generic scan, the output of this work is grounded in real-world impact. It tells you what an attacker could actually do, not just what theoretically might be possible.
How does it differ from a vulnerability scan?
A vulnerability scan is automated. It runs a tool against your environment, compares findings against a database of known issues, and produces a list. The scan does not verify whether those issues can really be exploited or what an attacker would do once they got in.
By contrast, a manual security test is creative work. Testers use scans as a starting point, then apply human judgement to combine findings, test assumptions, and demonstrate genuine business risk.
For more on the wider picture, an annual cybersecurity risk assessment complements penetration testing by mapping risks at a strategic level, while pen testing proves how those risks would play out in practice.
What does an ethical hacker actually do?
An ethical hacker follows a structured methodology that mirrors how criminal attackers work, but stops short of causing harm. They map your external footprint, look for exposed services, test login pages, probe applications for flaws, and try to escalate access once inside.
Throughout the engagement, every action is logged. Findings are documented with evidence, severity ratings, and clear steps to fix. Nothing about the process is hidden from you.
Why Penetration Testing Matters for NZ Businesses
Penetration testing matters because attackers do not wait for convenient timing. They look for the weakest reachable target, and undetected weaknesses become the foothold for ransomware, data theft, and prolonged downtime. Proving in advance that your defences hold up against realistic methods is far more valuable than discovering after the fact that they did not.

For NZ businesses, the stakes are higher than many owners realise. The Privacy Act 2020 places clear obligations on how personal information is protected, and breaches must be notified to the Office of the Privacy Commissioner when serious harm is likely. A well-scoped penetration test gives you evidence that you are taking reasonable steps to meet those obligations.
What are the real-world costs of a breach?
The direct costs of a breach include incident response, legal advice, customer notifications, and system recovery. The indirect costs are often larger: lost productivity, lost customers, lost trust, and rising insurance premiums.
In many incidents, the weakness exploited was something penetration testing would have surfaced months earlier. Investing in proactive cyber security is consistently cheaper than reacting to a confirmed breach.
How does it support compliance?
Many cyber insurers, industry regulators, and enterprise customers now require evidence of regular security testing. A documented engagement of this kind is the most credible form of that evidence.
A signed report from an independent tester can support cyber insurance applications, vendor security questionnaires, and tender responses. It also gives directors a defensible audit trail showing the business is meeting its duty of care.
What Are the Main Types of Penetration Testing?
The right type of test depends on what you need to protect and what you have already secured. Most businesses combine two or three types over a year rather than relying on a single annual exercise.
Network penetration testing
Network penetration testing focuses on the infrastructure that connects your devices, servers, and cloud services. The tester looks for misconfigured firewalls, exposed services, weak protocols, and unpatched systems.
External network testing simulates an attacker on the internet. Internal network testing simulates someone already inside, whether a malicious staff member or an attacker who has bypassed the perimeter.
Web application testing
Web application testing targets your websites, customer portals, and bespoke business apps. These often handle sensitive data and are exposed to the internet around the clock, which makes them a high-value target.
Testers look for issues like injection flaws, broken authentication, insecure session handling, and access control mistakes that would let one user view another user’s data.
Social engineering and phishing simulations
Technical controls fail when people are tricked. Social engineering tests evaluate how staff respond to phishing emails, phone-based pretexting, and other manipulation attempts.
Results inform employee security awareness programmes and identify exactly where additional training is needed, rather than relying on guesswork.
External vs internal penetration testing
External penetration testing assesses what an attacker on the open internet can see and reach. An internal test assumes the perimeter has already been breached and asks how much damage someone could do from inside.
Both have value. External tests confirm the front door is locked. Internal tests confirm the rooms inside are not all left wide open.
How Does Penetration Testing Work?
A professional engagement follows a clear methodology with four broad phases. Each phase has its own purpose and produces evidence that informs the next.

Reconnaissance and scoping
The engagement begins with a clear scope agreed in writing. The scope sets out which systems are in play, what is off-limits, when testing can occur, and who the emergency contact is if something breaks.
The tester then performs reconnaissance, gathering openly available information about your business. The aim is to model what a real attacker would learn before launching anything intrusive.
Scanning and exploitation
Scanning identifies live systems, open ports, running services, and known vulnerabilities. The tester uses both commercial tools and manual techniques to map your attack surface.
Exploitation is where penetration testing earns its name. The tester attempts to use the weaknesses found, chaining them together where possible, to demonstrate concrete impact. This stage is conducted carefully to avoid affecting production systems beyond what is agreed.
Post-exploitation and lateral movement
Once initial access is gained, the tester looks at what happens next. Can they move from a low-privilege user to an administrator account? Can they reach customer data, financial records, or backup systems?
This phase is the difference between a finding that reads "outdated software" and one that reads "outdated software allowed full domain access in 47 minutes". The second is what wakes leadership up to the real risk.
Reporting and remediation
Every engagement should conclude with a detailed report. The report includes an executive summary, technical findings, evidence, severity ratings, and prioritised remediation steps.
A good provider will walk you through the findings with your IT team, answer questions, and offer a retest once fixes are in place. The retest confirms that the issues identified during the original work have actually been resolved.
The executive summary deserves particular attention. It should explain, in language a board can read, what was tested, what was found, what it means commercially, and what needs to happen next. If the executive summary reads like a technical appendix, the report is not doing its job.
How Often Should Your Business Run Penetration Testing?
Most NZ SMEs benefit from annual penetration testing, with additional tests triggered by significant changes to the IT environment. An annual cadence matches the rate at which new vulnerabilities emerge and how quickly business systems evolve.
Higher-risk businesses, such as those in finance, healthcare, or any regulated sector, often test more frequently. Quarterly or six-monthly cycles are common where customer trust and compliance obligations are central to the business.
Trigger events that warrant a fresh test
Beyond an annual baseline, certain events should prompt a new penetration test even if you tested recently. These include a major change to your network, cloud environment, or core systems; the launch of a new customer-facing application or portal; a merger, acquisition, or onboarding of a new business unit; a confirmed security incident or near miss; and a new compliance requirement or cyber insurance renewal.
In each of these cases, your previous testing no longer reflects your current attack surface. Working with a managed IT services partner that builds regular security testing into its programme makes the cadence simpler to maintain.
It also pays to prepare internally before the engagement begins. Make sure your IT team knows what is happening, that backups are recent and verified, and that an out-of-hours contact is named. Good preparation keeps findings actionable rather than mixed up with unrelated incidents that surface during the testing window.
What to Look For in a Penetration Testing Provider
Not all penetration testing services are equal. Skills, methodology, and reporting quality vary widely, and the wrong provider can produce a report that looks impressive but misses real risk.
Certifications and experience
Look for testers with recognised credentials such as OSCP, CREST, or CISSP. Certifications are not everything, but they confirm the tester has been independently assessed on practical skill rather than only theory.
Ask how many engagements the team runs per year, in what industries, and against environments similar to yours. A tester who works mostly on large enterprise networks may not be the best fit for a 30-person NZ business, and vice versa.
Reporting quality
Ask to see an anonymised sample report. A strong report explains findings in plain English for the executive team and in technical detail for the IT team. It includes business impact, not just technical descriptions, and gives clear remediation steps.
A weak report is a 50-page printout of automated scanner output, with severity ratings copied verbatim and no real human analysis. That is not penetration testing. It is a scan with a cover page.
Scope and methodology
A good provider will help you scope the test to match your real risks and your budget. They will explain their methodology, reference frameworks like OWASP, PTES, or NIST, and be transparent about what they will and will not do.
If a provider promises to find every vulnerability or guarantees a clean report, walk away. Both promises are red flags and a sign the engagement will deliver false comfort rather than real assurance.
Strengthen Your Cyber Defences in Christchurch and Dunedin
Exodesk works with businesses across the South Island to plan, run, and act on penetration testing as part of a layered cyber security programme. Whether you are testing for the first time or seeking a fresh perspective, our team can help turn findings into measurable improvements.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions
What is penetration testing in simple terms?
Penetration testing is a controlled simulated cyber attack on your IT systems, carried out by qualified security professionals with your written permission. The goal is to find weaknesses before real attackers do, and show you exactly how they could be exploited. The result is a clear report of risks and how to fix them.
How is penetration testing different from a vulnerability scan?
A vulnerability scan is an automated check that lists potential issues from a database of known weaknesses. A manual test goes further by verifying those issues, chaining them together, and demonstrating real-world impact. Scans tell you what might be wrong; a proper engagement shows what an attacker could actually do.
How long does a penetration test take?
A typical engagement for a small to mid-sized NZ business takes one to three weeks from kickoff to final report. Scoping and reconnaissance usually take a few days, active testing runs for one to two weeks, and reporting takes about a week. Larger or more complex environments may take longer.
Will penetration testing disrupt our operations?
A well-scoped engagement is designed to avoid operational disruption. Testers schedule intrusive activities outside business hours where needed, agree clear stop conditions in advance, and stay in regular contact with your team. Some residual risk remains, which is why scope, communication, and emergency contacts matter so much.
How much does penetration testing cost?
Costs vary based on scope, the type of test, the size of your environment, and the experience of the provider. A focused external network test is generally far less expensive than a multi-week red team engagement. Speak with a qualified provider for a quote tailored to your business and risk profile.
Do small businesses really need penetration testing?
Yes. Small businesses are often targeted precisely because attackers expect weaker defences. A focused test scaled to a small environment is affordable, and it demonstrates due diligence to customers, insurers, and regulators. Skipping it because the business is small is a common and costly mistake.
What is the difference between penetration testing and red teaming?
Penetration testing usually has a defined technical scope and is announced to relevant stakeholders. Red teaming is broader, longer, and tests how well your people, processes, and technology respond to a realistic attack scenario, often without your wider team knowing it is happening. Most businesses should establish a regular testing rhythm before considering red teaming.
Does penetration testing help with NZ Privacy Act compliance?
Penetration testing supports compliance with the NZ Privacy Act by demonstrating that you are taking reasonable steps to protect personal information. It is not specifically mandated, but it is widely accepted as evidence of due diligence in the event of a breach investigation. Many cyber insurers also expect or require it.
What should we do after a penetration test?
Prioritise the findings by risk and act on the high and critical issues first. Engage your IT team or provider to plan remediation, agree timelines, and track progress. Once the fixes are in place, request a retest so the provider can confirm the issues have been resolved before closing them out.
How do we choose the right penetration testing provider?
Look for testers with recognised certifications, clear methodology, and strong sample reports. Ask about their experience with businesses of your size and sector, and confirm they understand the NZ regulatory environment. Treat penetration testing as a partnership: the best results come when your provider engages with your IT team rather than delivering a PDF and disappearing.