Free Pen Test, Expensive Afternoon

Gavin Woods

A free penetration test can sound like an easy win. It feels like a simple way to check how well your security is being managed. The reality is that, without the right planning, it can sometimes create problems of its own.

When Good Security Looks Like a Problem

You can understand the thinking. Someone offers a free pen test and you think, "I'll get a better idea of how my MSP is managing my security." That is perfectly reasonable. The only issue is that penetration testing is not without risk.

There have been increasing reports of Security Operations Centres (SOCs) identifying what appears to be a serious cyber attack, only to discover later that it was an authorised penetration test. In the meantime, security systems have done exactly what they were designed to do: block activity, isolate devices, and protect the network.

By the time the right people get on a call and join the dots, a couple of hours can disappear. Reversing the lockdown is usually straightforward. Recovering the lost productivity, and any reputational damage that comes with it, can be a different matter altogether.

Trust First, Test Second

For me, the bigger question is whether you have a managed service provider you trust. Your MSP should be able to walk you through your security posture without needing a penetration test to tell you whether things are working. You should have visibility of your environment through reporting, metrics, and dashboards, and understand where improvements may still be needed.

This is not to say penetration tests are not worthwhile. They absolutely are. In fact, they are one of the best ways to validate that your security controls are working as intended. The important thing is communication. If you are arranging a penetration test, your MSP should know about it beforehand so they can inform the SOC and avoid unnecessary disruption.

Don't Skip the Foundations

There is also the question of cost. The worthwhile penetration tests are rarely cheap. If your reporting already shows that you are coming up short because of postponed system replacements, missing security controls, or sub-optimal licensing, it makes little sense to spend money proving what you already know. To borrow an old phrase, there is no point spending money testing whether the horse can escape if you have not yet built the stable door.

Configuration comes first. Penetration testing comes afterwards. The organisations that get the most value from penetration testing are usually the ones that have already done the hard work of putting the right controls in place and simply want reassurance that those controls can be trusted.

As with all of these topics, if you have questions, speak with your account manager or get in touch directly. We are always happy to talk through the options and help you decide what is right for your business.

