US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • Penetration testing, or how to take care of cyber security

    Pentesting, or how to take care of cyber security

    Date: 31.03.2022

    Category: Security

    Spectacular bank robberies with a gun in hand and a stocking on the face are history. Modern criminals moving into cyberspace use much more sophisticated ways to make a profit. If we do not focus on regular pentests and do not take care of the proper security of the website or network edge, we can painfully find out about the effects of cyberattacks on our own skin.

    How to protect yourself from hackers? Don’t let them overtake you and… hire one of them. Of course, it is about an ethical hacker (white hat hacker) who tests the vulnerability of systems to threats using pentesting techniques for this purpose.

    Penetration testing service at Grandmetric

    Pentesting – what is it?

    A pentest is an ethical hacking attack carried out in a controlled manner, at the request of the owner of the ICT infrastructure, network or application.

    It is used to detect errors that threaten the security of the tested system. The most common causes of security errors are:

    • outdated software or its components
    • wrong configuration
    • software or hardware vulnerabilities
    • insufficient security procedures
    • technical shortcomings
    • carelessness of users

    Pentesters play the role of hackers in this situation, but they work “in white gloves” with the task to discover system vulnerabilities and to indicate places vulnerable to a potential attack.

    How is pentesting performed?

    Pentests should be carried out in a systematic manner and may have a different scope, most often they are part of the audit of IT systems and infrastructure. Their main purpose is to examine how resistant a given network is to hacking and how effective the security measures are. An essential part of each test is a report that describes the identified problems. It should always contain recommendations aimed at their effective elimination.

    The vulnerability of the system to threats is determined on a scale of 1-10 using CVSS standards (The Common Vulnerability Scoring System).

    Pentests – types

    Pentests differ in the level of knowledge about the tested system that is made available to pentesters by the client. We distinguish:

    • white box or crystal box tests with the full knowledge of pentesters, who have at their disposal documentation of the infrastructure project, information on the configuration of network devices or the source code of the website. White box pentesting is used to analyze errors at the system construction level, omitting the end user’s perspective
    • black box tests with minimal knowledge of pentesters – they best reflect a real cyberattack and require a lot of work on the part of testers, whose knowledge may be limited only to the address of the website whose security they are testing. Black box pentesting is used to analyze errors at the level of how the system works. They make it possible to identify behavioral errors that are difficult to detect by developers, and with a creative approach, it gives a wide field of action
    • gray box tests, which are a hybrid of both of the above mentioned methods; in their case, the knowledge of the pentesters concerns only some part of the examined area. Gray box pentests enable a comprehensive analysis of errors both at the level of construction and operation of the system, as well as end users based on authorization data from the client

    White box, black box and gray box – comparison of penetration tests

    White boxBlack boxGray box
    Structural testingFunctional testingStructural and functional testing
    Knowledge of the internal structure of the systemLack of knowledge of the internal structure of the systemPartial knowledge of the internal structure of the system
    Knowledge of system functionalityLack of knowledge of system functionalityPartial knowledge of system functionality
    Focused on analyzing the source codeAnalyzes the external characteristics and operation of the systemAnalyzes both the source code and the operation of the system
    Requires programming knowledge and in-depth knowledge of the code responsible for the tested areaCan be carried out by testers with little knowledge of programming, which allows them to approach the perspective of an “ordinary user”Requires programming knowledge and knowledge of the source code language
    The high level of automation allows you to quickly test large parts of your codePartially automated and/or manual testing can be time consumingTesting is time-consuming due to its complexity
    Identifies errors “from the inside” at the level of code logic, bypassing the end-user perspectiveAllows you to identify behavioral errors that are difficult to detect by developers, and with a creative approach, it gives a wide field of actionAllows you to detect both structural (code-level) and functional (use-level) errors
    Medium level of detail, medium comprehensive approachLow level of detail, not a comprehensive approachHigh level of detail, most comprehensive approach

    Basic differences between types of tests

    About pentesting methodologies

    Pentesting methodologies are a kind of guides (especially valuable for novice pentesters) describing what procedures should be followed and what actions to take.

    Different methodologies (frameworks) are useful depending on the area we want to test, including:

    However, we will not find technical details or testing algorithms in them. This is why the experience, creativity, perseverance and knowledge of the pentester who conducts it is crucial to the success of the pentest. His role requires a wide range of competencies, not only technical but also communication and management.

    How to check the competence of a pentester?

    The technical competence of pentesters is confirmed by certificates, such as:

    • OSCP (Offensive Security Certified Professional) – confirms general technical competence to conduct pentests
    • OSWP (Offensive Security Wireless Professional) – confirms technical competence in testing wireless networks
    • eWPT (eLearnSecurity Web application Penetration Tester) – confirms technical competence in the field of pentesting web applications
    • CEH (Certified Ethical Hacker) – confirms competence in testing systems using the same knowledge and tools as a malicious hacker, but in a legal manner

    Pentesting – FAQ

    What are the phases of a penetration test?

    1. Reconnaissance – a key stage consisting in collecting as much data as possible necessary to conduct the test
    2. Scanning – checking existing security mechanisms
    3. Exploitation – an attempt to break the security of the system, i.e. a service or an application
    4. Escalation – an extension of privileges and further steps in the network or system
    5. Report – contains a detailed description of the methods used in the cyberattack simulation, detected errors and vulnerabilities, and recommendations for actions to eliminate them

    What are the benefits of performing pentesting?

    • Verification of the effectiveness of system security
    • Examination of the vulnerability of the system to a potential cyberattack
    • Obtaining recommendations for improving system security
    • Avoiding the huge costs associated with system disruption in the enterprise

    How often should pentests be performed?

    The best way to take care of cybersecurity is to conduct penetration tests periodically, at least once a year, and also when changes are made to the systems. After the pentest phase, it is also worth performing a re-test, i.e. verification of the introduced changes (checking whether they have been implemented correctly and have not led to the creation of new security holes).

    How long does a penetration test take?

    Depending on the type, size and complexity of the tested structure, the pentest may last from several days to several weeks.


    Steve Morgan, editor-in-chief of Cybercrime Magazine, estimates that in 2025 global cybercrime will require $10.5 trillion (!) to repair losses.

    Many factors contribute to these year-on-year costs – data loss or destruction, business disruption, theft of money or intellectual property, criminal investigations, restoration or removal of compromised data and systems, and loss of customer trust.

    Our audits show that the most common mistakes are those that can easily be avoided by keeping your software up to date and properly securing your network.

    Everything indicates that prevention is by far the most profitable. And if we want to take care of our cybersecurity, prevention is better than cure.


    Magdalena Sikorska

    Marketing Specialist at Grandmetric

    Leave a Reply

    Your email address will not be published. Required fields are marked *