News

Do You Actually Need a Penetration Test? (And What It Won’t Tell You)

do-you-need-a-penetration-test

“We had a penetration test last year.” It’s one of the most common sentences we hear from prospective clients — usually said with a mix of pride and relief, as if the box has been ticked and the risk has been dealt with.

It hasn’t. If you’re asking whether you need a penetration test, the honest answer is: probably yes — but not in the way most businesses think.

A pen test is a snapshot. It tells you whether a skilled tester could break into your systems on the day they tried. It says almost nothing about what happens the other 364 days of the year, when your attack surface has changed, a new starter has clicked a phishing email, or an unpatched laptop has quietly rejoined the network. Buying a penetration test without understanding what it can and can’t do is a lot like the “cheap IT support” trap we’ve written about before: it looks like a solution, but it’s solving the wrong problem.

What a penetration test actually does

A penetration test is a controlled, time-boxed attempt to exploit weaknesses in your network, applications, or people. Done well, it’s genuinely valuable — it validates that your defences hold up against real attacker techniques, and it produces a prioritised list of fixes.

But it has three built-in limits:

  • It’s a point in time. The moment testing ends, your risk profile starts drifting again as systems, staff, and software change.
  • It’s scoped. Testers only look where you tell them to look. If a system isn’t in scope, it isn’t tested — and attackers don’t respect scope documents.
  • It finds vulnerabilities, not incidents. A pen test won’t tell you if someone is inside your network right now. For that, you need continuous monitoring, not an annual exercise.

That last point is where most businesses run into trouble: they buy the test, get a clean report, and mistake “no findings last March” for “secure today.”

Where vulnerability scanning and MDR fit in

A one-off pen test needs two things running around it to actually mean something: continuous vulnerability scanning and always-on monitoring. This is exactly how we’ve built our own Cyber Security services, and it’s worth explaining why.

Vulnerability scanning is the lighter-touch, far more frequent cousin of a pen test. Rather than simulating an attacker once a year, it automatically checks your servers, endpoints, cloud platforms and network on an ongoing basis — outdated software, misconfigurations, exposed ports, unsupported systems — and flags high-risk issues the moment they appear, not the moment a tester happens to look. Think of it as the difference between an annual MOT and a dashboard warning light: both matter, but they catch different things at different speeds.

Managed Detection & Response (MDR) closes the remaining gap. Where a pen test asks “could someone get in?” and vulnerability scanning asks “what’s exposed right now?”, MDR asks “is someone in there, and is anyone watching?” It combines endpoint monitoring, behaviour-based threat detection, and 24/7 human-backed response — so a suspicious login, a ransomware-style encryption attempt, or an unusual pattern on a Sunday night gets isolated and investigated automatically, rather than discovered three weeks later.

In our own Elevate and Infinite Assurance packages, vulnerability scanning and MDR aren’t sold as separate bolt-ons — they sit together inside what we call the Unified Security Platform, alongside dark web monitoring, password management, and security awareness training, all reported on monthly by your dedicated Customer Success Manager. That matters, because a pen test finding, a vulnerability scan result, and an MDR alert are far more useful looked at together than in three different reports from three different vendors.

None of these three replace the others. Together, they form a layered answer to a question that a single test can’t answer alone: are we actually secure, on an ordinary Tuesday, not just on the day the tester was in the building?

Why this connects back to alignment

We’ve talked before about alignment being the missing link in most IT support — the gap between what a business actually needs and what it’s actually buying. Security testing is one of the clearest places that gap shows up.

Businesses often buy a penetration test because a client, insurer, or compliance requirement asked for one — not because it was the right next step in their security maturity. That’s not wrong, exactly, but it’s incomplete. A test bought in isolation, with no plan for what happens to the findings, no vulnerability management in between, and no monitoring to catch what the test couldn’t see, is spend without strategy. It’s the security equivalent of the “cheap IT costs more” problem: the invoice looks smaller than a proper, ongoing programme, but the actual risk — and often the actual annual cost once you account for remediation, repeat testing, and the incidents that slip through — ends up higher.

This is exactly the gap our Cyber Security Consultancy is built to close — sitting alongside you before you commission any testing to work out what your risk actually looks like, what a test needs to cover to be worth paying for, and how the findings should feed into vulnerability management, Cyber Essentials (or Cyber Essentials Plus) certification, and your wider technology roadmap. Testing in isolation is a cost. Testing with a plan behind it is risk reduction.

So, do you need a penetration test?

Probably — but the better question is what it should sit inside. A useful starting checklist:

  • Compliance or contract requires it → you need at least an annual test, scoped properly to what’s actually being asked for.
  • You’ve never had continuous vulnerability scanning → start there before or alongside a pen test; it’s cheaper, more frequent, and catches the everyday drift a yearly test misses. It’s built into our Elevate and Infinite Assurance packages as standard.
  • You have no real-time monitoring → a clean pen test report can create false confidence. Our MDR service is what tells you if something’s actually happening, not just whether something theoretically could.
  • You’re working towards Cyber Essentials or Cyber Essentials Plusvulnerability scanning and configuration checks directly support certification readiness, and our Cyber Essentials Certification service can guide you through it.
  • You’re not sure what “good” looks like for your size of business → that’s an alignment conversation, not a shopping list. Our Cyber Security Consultancy exists precisely to work that out with you before you spend on testing.

The takeaway

A penetration test is a useful tool, not a security strategy. Used well — alongside continuous vulnerability scanning and genuine 24/7 monitoring through MDR — it’s one part of a programme that actually reflects your risk. Used alone, it’s a report in a drawer and a false sense of security.

If you’re not sure whether your current setup is a programme or just a report in a drawer, that’s exactly the kind of alignment conversation we have with clients every day.

Not sure where the gaps are? Get a free Cyber Security Audit below — we’ll show you any compromised credentials, exposed data, or immediate risks already sitting in your environment, and talk you through whether Essentials, Elevate, or Infinite Assurance is the right level of protection for your business.

Get a Free Cyber Security Audit