What is a Penetration Test?
A penetration test (commonly also referred to as a “Pentest”) is an authorized, systematic security assessment of IT systems, networks, or applications, carried out using the same methods that real attackers would employ. The objective is to identify vulnerabilities and evaluate their actual risk before they can be exploited.
Vulnerabilities in IT systems can have serious consequences for a company. If, for example, entire production plants or critical infrastructure fail as a result of a successful attack, significant economic damage can occur within a very short time. Threat scenarios and their impact differ from one company to the next, and the same applies to security assessments of IT environments or of individual components.
With a penetration test, we offer you a targeted review of IT environments or individual components that takes your individual threat scenarios into account. The objective of a penetration test – as part of our comprehensive penetration testing services – is, in particular, the assessment of existing risks with regard to specific threat scenarios. The assessment demonstrates what an attacker can achieve in the worst case within a limited time frame, using simulated real-world attacks.
Our pentests are based on sound expertise and are carried out exclusively by qualified experts. More than two-thirds of our team, and nearly every security consultant, holds the OSCP certification (Offensive Security Certified Professional), one of the most recognized hands-on credentials in penetration testing. This is how our pentests deliver realistic and meaningful results.
Objective
Assessment of risks with regard to specific threat scenarios through targeted attacks via identification and exploitation of vulnerabilities
Question
What can an attacker achieve in the worst case within a defined time window?
Scope
IT systems and components relevant to the threat scenario
Penetration Test Process: Methodology & Approach
When conducting penetration tests, targeted attack vectors are defined on the basis of specific threat scenarios. These vectors are then included in the penetration test and simulated by our specialized staff.
Depending on the perspective (external, internal, privileged user), scenario and objective, network components, servers, applications or clients, among other things, are included in the attack attempts. Based on the given threat scenarios, individual IT systems are first analyzed in detail for attack surfaces. Subsequently, specific attacks are carried out on the systems via the identified problem areas in order to achieve the set goals, either directly or by chaining several attack surfaces. For more complex IT environments, the assessment is generally carried out by a team of two people.
Core Components of a SCHUTZWERK Penetration Test
A Pentest typically includes the following aspects:
- Enumeration of accessible external and/or internal IT systems and services
- Identification of attack surfaces based on the defined threat scenarios
- Exploitation or manual verification of identified vulnerabilities via direct attacks on the systems
- Iteration of previous steps when penetrating further systems or further infrastructure
- Documentation including evaluation of risks and recommended countermeasures
Test and attack scenarios can be discussed with the system owner during the assessment and adjusted if required.
Black Box, Grey Box, or White Box: Comparing the Testing Approaches
Depending on the level of information our testers receive at the outset, three fundamental approaches are distinguished. Which approach is appropriate depends on the objective and the underlying threat scenario.
| | Black Box | Grey Box | White Box |
|---|---|---|---|
| Tester’s level of information | None, like an external attacker | Partial, e.g. standard user privileges | Full, incl. source code and architecture |
| Simulated perspective | External attacker without prior knowledge | Attacker with limited access | Insider or review with full visibility |
| Test depth | Moderate | High | Very high |
| Typical use | Initial assessment, externally reachable systems | Most common choice, good balance of realism and depth | Source code audit, internal systems |
In practice, the grey box approach is often the appropriate choice, as it combines a realistic attacker perspective with efficient test depth. We define the right approach together with you in the initial consultation.
Penetration Testing and Relevant Regulations & Standards
Penetration tests are a crucial component of numerous regulations and compliance requirements across various industries. They not only help organizations reduce security risks but also support compliance with legal and industry-specific requirements:
ISO 27001 - While penetration testing is not explicitly required for certification under this internationally recognized information security standard, it is recommended for meeting certain controls. In particular, pentesting supports the implementation of controls A.8.8 (Management of technical vulnerabilities) and A.8.29 (Security testing in development and acceptance), providing important evidence for your Information Security Management System (ISMS).
TISAX (Trusted Information Security Assessment Exchange) - This industry-specific requirement for the automotive sector recommends penetration testing for organizations with elevated protection needs, particularly in controls 5.2.6 and 5.3.1. Since April 2024, manual penetration testing by certified penetration testers is explicitly recommended for critical IT systems, web applications, and custom-developed software, as part of a broader cyber security strategy.
DORA (Digital Operational Resilience Act) - This EU regulation for the financial sector introduces Threat-Led Penetration Testing (TLPT) as a new standard for advanced security testing. TLPT goes beyond traditional penetration testing by simulating realistic attacks based on current threat intelligence. For certain financial institutions, conducting TLPT is mandatory. A TLPT is a covert test in which the defending team is unaware that a test is taking place, which provides a more authentic assessment of detection and response capabilities (see also Red Teaming). The TLPT methodology under DORA is based on the TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming); national frameworks such as TIBER-DE in Germany serve as the operational implementation, as they did before DORA came into effect.
PCI DSS - The Payment Card Industry Data Security Standard requires regular penetration testing for systems that process payment card data. According to Requirement 11.4, penetration tests must be conducted annually and after significant changes to infrastructure or applications.
Critical Infrastructure / NIS2 - Both national critical infrastructure regulations and the European NIS2 Directive establish high security requirements for operators of critical infrastructure and essential service providers. Regular penetration tests are an important tool for validating the required technical protection measures and identifying potential vulnerabilities.
BSI IT-Grundschutz - IT-Grundschutz, developed by the German Federal Office for Information Security (BSI), recommends security testing in several modules as part of a comprehensive security concept. The module NET.3.2 (Firewall) calls for regular penetration tests in its standard requirements (NET.3.2.A24). In the module SYS.2.5 (Client Virtualization), requirement SYS.2.5.A17 “Extended Monitoring of Virtual Clients (H)” for elevated protection needs specifies that virtual clients “SHOULD be automatically and regularly checked for vulnerabilities”. The module OPS.1.1.6 (Software Tests and Approvals) explicitly requires a concept for penetration tests with documented test methods and success criteria (OPS.1.1.6.A14). The BSI also publishes the study “Implementation Concept for Penetration Tests” as a guidance document.
Our penetration tests are conducted according to recognized testing standards and in accordance with industry-specific requirements. By working with our experts, you ensure that your penetration tests not only improve your security posture but also meet the compliance requirements relevant to your organization.
Penetration Test Results: Risk Assessment & Countermeasures
At the end of the assessment we provide a detailed report. Depending on the type and scope of the project, the final report includes the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities, so that the underlying issues are understood and the attacks can be reproduced (where necessary with a proof-of-concept implementation)
- Detailed description of the iterative exploitation process when using chained vulnerabilities
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions.
Comparing Penetration Testing vs. Red Teaming
In a penetration test, targeted attacks are carried out within a limited time frame and on a limited scope (e.g. a specific IP address range or a specific threat scenario). A Red Team Assessment, in contrast, usually takes place over a longer period of time and aims to test your defense mechanisms. In a penetration test it is usually not important that attacks remain undetected, as the testing is carried out as transparently as possible for all parties involved, often by ethical hackers working closely with your security teams. The focus is on performing the test as efficiently as possible while simulating real-world attacks.
The focus of Red Teaming, on the other hand, is on the most realistic attack scenarios possible, which are particularly suited to infrastructures with a high degree of IT security maturity. The aim of these projects is to improve detection and response capabilities for such attack scenarios and to uncover potential security weaknesses.
Penetration Testing Services or Vulnerability Analysis?
In contrast to the targeted approach of a penetration test, the focus of a vulnerability analysis is on the broadest and most comprehensive examination possible. The vulnerability analysis is based on the results of automated scans, which are then subjected to manual risk analysis and assessment.
The exploitation of several successive vulnerabilities (post-exploitation), as used in a penetration test to penetrate as far as possible into an infrastructure or an IT system, is not part of a vulnerability analysis.
Specialized Penetration Testing for Different IT Domains
Depending on the object of the analysis, we offer special types of penetration tests:
- Web Application Security Assessment
- Mobile Application Security Assessment
- Cloud Security Assessment
- Endpoint Security Assessment
- Embedded Security Assessment
- Automotive Security Assessment
- AI Security Assessment
- Social Engineering Assessment
SCHUTZWERK - Your Certified Penetration Testing Provider
As an experienced cybersecurity service provider and penetration tester, SCHUTZWERK offers professional penetration tests to specifically support companies in increasing their information security and cybersecurity.
Penetration tests are a central component of any sustainable IT security strategy. We combine automated procedures with manual analyses to precisely identify security vulnerabilities.
As an official CVE Numbering Authority (CNA), SCHUTZWERK identifies and publishes its own vulnerability findings in products from various vendors. This research feeds directly into our penetration tests and ensures that we know current attack techniques first-hand.
A penetration test allows you to check both web applications and complex IT infrastructures for vulnerabilities before attackers can exploit them. A thorough test is essential, especially for web-based applications: security vulnerabilities that could be exploited by attackers are systematically uncovered and can then be remediated in a targeted manner.
If desired, we perform a re-test after the penetration test to confirm that all identified problem areas and security gaps have been resolved. This way you strengthen your IT security permanently – with high standards, practical expertise and a clear orientation to your individual threat situation, supported by vulnerability assessments, vulnerability scanners, insights from real-world cyber threats and the experience of certified security experts.