Grant McGregor Blog

What Is Penetration Testing? A Guide for Businesses

Written by Grant McGregor Team | 17/07/26 17:52

You wouldn't move into a new office without checking that the locks and alarms work, access cards open the right doors, old codes have been disabled and restricted rooms are properly secured.

 

The same level of detail should go into testing your website, customer portal, cloud platform and internal network.

What the research shows

It's increasingly common for customers, insurers and auditors to ask for evidence of independent testing and the research figures show why.

 

The Cyber Security Breaches Survey 2025/2026 found that 43% of UK businesses reported having experienced a cyber security breach or attack in the previous 12 months, rising to 69% among large businesses. Across businesses of all sizes, however, only 15% had formally reviewed the cyber security risks posed by their immediate suppliers, while just 6% had reviewed risks across their wider supply chain.1

 

A survey of 500 Scottish businesses, commissioned by IT provider Innovec, found that one in eight had experienced a cyber-attack. More than half considered themselves vulnerable to one, while most said they would struggle to withstand a prolonged operational shutdown.2

 

Verizon's 2026 Data Breach Investigations Report, based on global breach data, found that 31% of breaches now start with software vulnerabilities, overtaking stolen passwords as the most common route in.3

 

What is penetration testing?

A penetration test (or a pen test) is a security assessment that identifies weaknesses in systems, applications and infrastructure.

 

Testers approach your website, application, cloud environment or network in the same way as a real attacker would, probing for weak points and seeing how far a weakness could take them.

A pen test provides an evidence-based report on where your organisation may be exposed, answering questions such as:

  • Can someone access something they shouldn't be able to?

  • Is an old account still operational?

  • Could a minor misconfiguration expose sensitive information?

  • Could one small weakness be exploited to cause much greater damage?

  • Are the controls you already have in place effective?

 

What happens during a penetration test?

The first stage is scoping. This involves agreeing what will be tested, why it is being tested, and the boundaries within which the testers must work.

Depending on the scope, a penetration test may cover the following:

  • web applications

  • mobile applications

  • web services and APIs

  • internal or external networks

  • wireless access points

 

Penetration testing and vulnerability scanning are not the same

Automated scanning tools are quick and effective at identifying missing patches, exposed services, and known misconfigurations.

 

What they can't do is human judgement. An automated tool can tell you a service is exposed to the internet. It can't tell you what a person could do once they reached it, or how one small issue combines with another to become a serious one.

 

Testing often begins with automated scans to identify possible weaknesses. The testers then move on to more detailed manual work, examining whether these weaknesses can be exploited and the extent to which an attacker could penetrate the system.

 

For example, a tester may verify if unauthorised access to restricted systems or sensitive information is possible, or if several smaller vulnerabilities could be exploited to gain wider access.

 

What should the report tell you?

 

Once testing is complete, the findings are analysed and presented in a report. This should explain what was discovered, the potential impact, and the recommended course of action.

 

A penetration testing report should be both understandable and actionable for decision-makers, not just security specialists.

 

It should set out:

  • what was tested
  • which weaknesses were found
  • how they were exploited
  • potential effect on the business
  • which findings need attention first
  • the recommended corrective action

 

The context behind each finding is important. The same technical issue may carry very different risks depending on where it appears, what information the system holds and whether it can provide access to other parts of the environment.

 

Depending on the scope, a pen test can uncover insecure settings, weak or reused passwords, missing updates, exposed cloud storage, forgotten test environments or ways for an attacker to reach systems and data they should not be able to access.

 

You can also identify issues that, while not high priority on their own, could become serious if combined with others.

A good tester will help you determine the necessary steps to address these gaps in the correct order. This will ensure that your environment is properly secured and that your time and budget are allocated to the areas that will reduce risk most effectively.

 

When should you consider a penetration test?

 

There is no one-size-fits-all schedule. Consider how critical your systems and applications are to your business, how frequently they change and the potential impact if they were compromised.

 

You may need a pen test if you are:

  • Launching a new website, portal, or application

  • Making significant changes to infrastructure, cloud services, or remote access

  • Responding to a tender, security questionnaire, or insurance requirement

  • Handling sensitive customer, financial, or operational data

 

Take the next step

Grant McGregor can help you define what should be tested, manage the assessment and understand the findings.

 

We partner with Bitdefender's CREST-accredited cyber security experts, using automated scanning and detailed manual techniques tailored to the environment being assessed.

 

Reports include prioritised findings, recommended next steps and remediation guidance.

 

Learn more about our penetration testing services.

 

Call us: 0131 603 7910

Message us: https://www.grantmcgregor.co.uk/contact-us

 

 

 

Sources
1Department for Science, Innovation and Technology and Home Office, Cyber Security Breaches Survey 2025/2026, published 30 April 2026.

 

2Innovec, survey of 500 Scottish SMEs, reported in Scottish Business News, "More than half of Scottish SMEs 'vulnerable' to cyber-attack," published 20 April 2026.

 

3 Verizon, 2026 Data Breach Investigations Report, published 19 May 2026. The report analyses breach data from 2025.