Penetration testing - service or commodity

imagensecforcepost.png

We face this kind of issue everyday. There are two different approaches to web application penetration tests:

Penetration testing is all about assurance. In the first case the client will get some useful results, no doubt about it, but what level of assurance is it going to get? The report will cover the vulnerabilities discovered by XYZ software. Is that enough? I don’t think so, but that is for the client to decide. There is no question that the report will be incomplete and many issues will be missed.

In the second scenario the client can get the assurance that the results obtained were the work of a motivated attacker focused on the application security for X numbers of days. Is that enough? Again, it is up to the client to decide but in my opinion it gets so much closer to an acceptable assurance level.

It all depends on what do you want to be protected against. The decision in yours.

You may also be interested in...

A02 LLM GOAT
Feb. 5, 2026

LLMGoat - A02 Sensitive Information Disclosure

This post is the second in a series of 10 blog posts and it covers the solution to the Sensitive Information Disclosure challenge from LLMGoat.

See more
Unhooking-Technique.png
June 25, 2021

Whisper2Shout – Unhooking technique

This blog post is the first part of a series focused on malware detection evasion techniques on Windows. In particular, we look at userland API hooking techniques employed by various security products and ways to identify and bypass them.

See more