A free penetration test can sound like an easy win. It feels like a simple way to check how well your security is being managed. The reality is that, without the right planning, it can sometimes create problems of its own.
When Good Security Looks Like a Problem
You can understand the thinking. Someone offers a free pen test and you think, "I'll get a better idea of how my MSP is managing my security." That is perfectly reasonable. The only issue is that penetration testing is not without risk.
There have been increasing reports of Security Operations Centres (SOCs) identifying what appears to be a serious cyber attack, only to discover later that it was an authorised penetration test. In the meantime, security systems have done exactly what they were designed to do: block activity, isolate devices, and protect the network.
By the time the right people get on a call and join the dots, a couple of hours can disappear. Reversing the lockdown is usually straightforward. Recovering the lost productivity, and any reputational damage that comes with it, can be a different matter altogether.
A penetration test should improve confidence in your security, not accidentally trigger the very response your security systems were designed to deliver.
Trust First, Test Second
For me, the bigger question is whether you have a managed service provider you trust. Your MSP should be able to walk you through your security posture without needing a penetration test to tell you whether things are working. You should have visibility of your environment through reporting, metrics, and dashboards, and understand where improvements may still be needed.
This is not to say penetration tests are not worthwhile. They absolutely are. In fact, they are one of the best ways to validate that your security controls are working as intended. The important thing is communication. If you are arranging a penetration test, your MSP should know about it beforehand so they can inform the SOC and avoid unnecessary disruption.
Don't Skip the Foundations
There is also the question of cost. The worthwhile penetration tests are rarely cheap. If your reporting already shows that you are coming up short because of postponed system replacements, missing security controls, or sub-optimal licensing, it makes little sense to spend money proving what you already know. To borrow an old phrase, there is no point spending money testing whether the horse can escape if you have not yet built the stable door.
Configuration comes first. Penetration testing comes afterwards. The organisations that get the most value from penetration testing are usually the ones that have already done the hard work of putting the right controls in place and simply want reassurance that those controls can be trusted.
As with all of these topics, if you have questions, speak with your account manager or get in touch directly. We are always happy to talk through the options and help you decide what is right for your business.