Penetration Testing: See Your Network Through an Attacker's Eyes

Penetration testing simulates real-world cyberattacks against your network, applications, and physical security to identify vulnerabilities before attackers exploit them. Vigil Cyber delivers comprehensive assessments with detailed findings, risk ratings, and remediation guidance — meeting compliance requirements for HIPAA, SOC 2, CMMC, and PCI DSS.

Key Distinction

Vulnerability Scan vs. Penetration Test

Both matter. Neither replaces the other. Understanding the difference determines whether you're buying the right assessment for the risk you're trying to understand.

Vulnerability Scan

  • Automated, non-exploitative process
  • Compares configurations against known CVE databases
  • Runs continuously or on a scheduled cadence
  • Identifies theoretical vulnerabilities
  • Does not validate exploitability in your specific context
  • Generates large lists of findings requiring prioritization
  • Low cost, high frequency — operational hygiene

Penetration Test

  • Manual, adversarial process conducted by skilled testers
  • Actively exploits vulnerabilities to demonstrate real impact
  • Point-in-time assessment with defined scope and rules of engagement
  • Identifies chained attack paths a scanner cannot discover
  • Validates what is actually exploitable, not just theoretical
  • Produces prioritized, business-contextualized findings
  • Higher cost, lower frequency — adversarial validation

Bottom line: Vulnerability scanning is ongoing operational hygiene — run it continuously. Penetration testing is adversarial validation — run it annually at minimum, and after significant infrastructure changes. Compliance frameworks like PCI DSS, HIPAA, SOC 2, and CMMC require both.

Service Portfolio

Penetration Testing Services

We offer a full range of testing methodologies. Scope is determined by your risk priorities, compliance requirements, and the specific systems you need validated.

External Network Penetration Testing

Internet-Facing Infrastructure

Identify exploitable entry points before attackers find them.

Simulates an external attacker attempting to breach your perimeter. Covers public-facing IPs, VPNs, firewalls, remote access solutions, exposed services, and DNS infrastructure. We use the same tools and techniques as threat actors — OSINT reconnaissance, service enumeration, exploitation, and lateral movement — to demonstrate what a real attacker could accomplish from the outside.

Internal Network Penetration Testing

Assume-Breach Scenario

Understand what an attacker can do once inside your network.

Simulates an insider threat or a compromised device — the scenario where an attacker already has a foothold inside your network. We attempt privilege escalation, lateral movement, credential harvesting, and data exfiltration from an internal position. Critical for organizations where the perimeter has already been tested but internal segmentation and detection capabilities have not.

Web Application Penetration Testing

OWASP Top 10 and Beyond

Find logic flaws and injection vulnerabilities before customers or attackers do.

Manual testing of web applications for authentication weaknesses, authorization flaws, injection vulnerabilities (SQL, XSS, XXE), business logic errors, API security gaps, and session management issues. We go beyond automated scanners — manual testing finds the chained vulnerabilities and logic flaws that tools miss. Reports map findings to OWASP Top 10 and include developer-ready remediation guidance.

Social Engineering Assessments

Phishing, Vishing, and Physical

Measure your human layer — your employees are part of the attack surface.

Simulated phishing campaigns, pretexting calls (vishing), and physical security assessments that test whether your people and processes can withstand manipulation. Results identify which employee groups click at highest rates, which pretexts bypass your controls, and where security awareness training investments will have the greatest impact on reducing human risk.

Wireless Security Testing

Wi-Fi and Rogue Access Points

Verify your wireless network cannot be used to bypass your wired security controls.

Tests wireless network configurations for encryption weaknesses, rogue access points, guest network isolation, authentication bypass opportunities, and Evil Twin attack feasibility. Many organizations invest heavily in perimeter and endpoint controls while leaving wireless as a convenient bypass for an attacker with physical proximity to the building.

Remediation Guidance and Retesting

From Finding to Fixed

Verify remediation was effective, not just completed.

Every engagement includes a detailed remediation report with specific, actionable guidance for each finding — not generic recommendations. After your team remediates critical and high findings, we conduct a targeted retest to verify the fix was effective and didn't introduce new issues. Retest results are documented for compliance reporting and underwriting evidence.

Our Methodology

How We Run an Engagement

Every engagement follows a structured methodology grounded in industry frameworks — PTES, OWASP, NIST 800-115 — tailored to your environment and objectives.

1. Scoping: Define target systems, rules of engagement, testing windows, and emergency contacts.
2. Reconnaissance: OSINT, DNS enumeration, and passive intelligence gathering on the target environment.
3. Enumeration: Active scanning, service discovery, and identification of attack vectors.
4. Exploitation: Manual exploitation attempts to demonstrate real-world impact of identified vulnerabilities.
5. Post-Exploitation: Lateral movement, privilege escalation, and data access demonstration within agreed scope.
6. Reporting: Executive summary plus technical findings with risk ratings and remediation guidance.

What You Receive

  • Executive summary for non-technical leadership
  • Technical findings report with CVSS scores
  • Attack narrative — how findings chain together
  • Evidence: screenshots, tool output, proof-of-concept code
  • Remediation guidance for each finding
  • Risk-prioritized remediation roadmap
  • Retest verification after remediation (included)
  • Compliance mapping (PCI, HIPAA, NIST, CMMC)

Compliance-Driven Testing

Penetration Testing for Compliance Requirements

Compliance frameworks don't just recommend penetration testing — several require it explicitly. Our reports are formatted to satisfy the documentation requirements of each framework.

PCI DSS

PCI DSS v4.0 — Requirement 11.4

PCI DSS v4.0 Requirement 11.4 mandates penetration testing of external and internal network infrastructure and application components at least annually and after any significant change. Testing must follow an industry-accepted methodology. Our reports include the documentation and evidence required for QSA review.

HIPAA

HIPAA Security Rule — Risk Analysis

While HIPAA does not mandate penetration testing by name, OCR guidance and the Security Rule's risk analysis requirement make it a standard practice for thorough risk assessment. Penetration testing provides empirical evidence of exploitability that a vulnerability scan alone cannot. Our healthcare-focused engagements address ePHI system access paths specifically.

SOC 2

SOC 2 — Common Criteria 9.2

SOC 2 auditors expect evidence that organizations test the effectiveness of their security controls, not just their existence. Penetration testing — documented with findings, remediation tracking, and retest results — provides compelling evidence for Common Criteria 9.2 (risk monitoring) and supports the availability and confidentiality trust service criteria.

CMMC

CMMC Level 2 — CA.L2-3.12.1

CMMC Level 2 requires periodic assessments of security controls to evaluate whether the controls are effective. For contractors handling Controlled Unclassified Information (CUI), penetration testing is the strongest evidence that controls are effective — not just documented. Our CMMC-aligned engagements produce the assessment documentation required for C3PAO review.

Annual Penetration Testing

A structured, comprehensive adversarial assessment conducted once or twice per year. Validates your security posture at a point in time, satisfies annual compliance requirements, and provides board-level reporting on security risk.

  • Satisfies annual compliance penetration testing requirements
  • Comprehensive scope across full environment
  • Board-ready executive reporting on security risk
  • Clear before/after comparison year over year
  • Predictable cost for budget planning

Best for: compliance deadlines, budget-constrained programs, initial baseline assessments

Continuous / Ongoing Testing

Recurring engagements — quarterly targeted tests, continuous attack surface monitoring, or a retainer-based model — that keep pace with your evolving environment and provide ongoing assurance between annual assessments.

  • Tests new infrastructure before attackers discover it
  • Quarterly targeted tests on high-risk systems
  • Tracks security posture improvement over time
  • Covers application releases and environment changes
  • Retainer pricing reduces per-engagement cost

Best for: rapid growth environments, cloud-heavy architectures, frequent application releases

Ready to Secure Your Business?

Get a free security assessment and discover how Vigil Cyber can protect your organization for a fraction of the cost of building an internal team.

  • 24/7 SOC Coverage
  • <1hr Response Time
  • 99.9% Uptime SLA