
Why penetration testing is one of the most underrated compliance exercises

Written by Sikich

Penetration (pen) testing, a foundational cybersecurity control, is often viewed as little more than a compliance checkbox. Many organizations only receive commoditized, shallow pen tests that don’t unlock the exercise’s full value. This value can be enhanced many-fold by adopting pen testing best practices such as: 

  • Integrating human expertise
  • Using comprehensive methodology
  • Ensuring high-quality reporting
  • Avoiding commoditization
  • Retesting

We’ll walk through each of these best practices to clarify what separates a truly effective pen test from the commoditized versions that are all too commonplace in today’s market.

Human expertise differentiates

Automation is valuable in modern security testing, particularly for identifying vulnerabilities at scale, but it can’t fully replace human expertise in identifying how real attackers exploit systems. Bad actors adapt, chain weaknesses together, and combine weaknesses across systems, users, and processes into attack paths. Human-led testing brings judgment, creativity, and experience into the process, attributes that remain difficult to replicate through automation alone. Organizations should appoint a qualified professional to lead each engagement, using automation to enhance, not substitute for, human analysis.

Multifaceted methodology beats one-size-fits-all

Strong pen testing methodology combines multiple, agile techniques to provide a realistic view of risk. Combining manual testing, vulnerability scanning, and validation of exploitability offers a more realistic view of risk and how individual weaknesses may actually be connected. Relying on just one method may either miss meaningful exposures or overwhelm teams with excessive low-value findings.

Also, it’s critical to avoid one-size-fits-all testing because it tends to produce one-size-fits-none results. Methodologies must be adaptable to the organization’s environment, business objectives, and threat landscape.

Reporting quality is as important as testing quality

The value of a pen test depends heavily on the quality, clarity, and usefulness of the resulting report. The report must clearly explain how vulnerabilities could be exploited, why they matter, and how to remediate them. Poor reporting limits the test’s impact: an overly technical or auto-generated report often creates confusion, slows remediation, and increases the likelihood that critical issues are misunderstood or ignored. Well-written reports translate technical findings into business risk, helping security teams, leadership, and auditors align on priorities and next steps.

Avoid the “race to the bottom”

As pen testing has become more commoditized, pricing pressure has increased across the market, making low-cost testing seem appealing. However, short engagement timelines and attractively low project costs often rely on automation and minimal human involvement, resulting in shallow testing and limited insight. In many cases, organizations later incur additional costs investigating false positives, retesting unresolved issues, or addressing gaps discovered later – far exceeding the initial savings.

Questions to ask:

  • What automated tools do you use?
  • What certifications does your team carry?
  • How involved is the team in manual efforts?
  • Do you review the report after testing?

Watch-outs:

  • Review tools for mentions of “proprietary” methods or claims that they perform major portions of testing. This may indicate very little manual oversight.
  • Avoid teams with only knowledge-based certifications such as CompTIA Pentest+ or EC-Council Certified Ethical Hacker (CEH). While these certifications demonstrate valuable knowledge, they don’t assess experience. Instead, look for teams with hands-on certifications such as TCM Security’s Practical Network Penetration Tester (PNPT), Offensive Security’s Offensive Security Certified Professional (OSCP), or Zero Point Security’s Red Team Operator (CRTO). There are many other strong certifications, and not all are hands-on, which is acceptable. But be cautious of teams with only knowledge-based certifications.
  • Watch for vague statements like “we validate the scans manually” or “we have complete oversight,” as these types of answers indicate the team relies too heavily on automation rather than experience.
  • Less a watch-out than general advice: Meet with the team after an assessment to review the findings. Make sure your team understands the report and the next steps.

Retesting and validation close the loop

Pen testing should not end with the report’s delivery. Retesting is a critical step that validates whether remediation efforts were effective and confirms that identified risks have been meaningfully reduced. This step is especially important for organizations seeking assurance that security improvements are working as intended. We recommend including retesting in each engagement’s scope.

Penetration testing as a risk management tool

When approached thoughtfully, pen testing’s impact expands from just a compliance requirement to a critical risk management tool. A test that includes the above direction helps organizations understand how their controls perform under realistic conditions, prioritize security investments, and demonstrate security maturity to stakeholders. 

When done poorly, however, organizations usually pay twice: first for a cheap test and later via fines or other consequences of a breach. Set yourself apart and get a good pen test that’s done right the first time. Sikich provides clear, actionable results that focus on exploitable vulnerabilities rather than a sea of overwhelming information.

Want to learn more from us about pen testing? Register here for our webinar on Wednesday, March 31 from 11 a.m. – 12 p.m. CDT.

About our authors

Aaron Sullivan, Managing Consultant of Sikich’s penetration testing team, is experienced in designing, implementing and troubleshooting network and security infrastructure. He evaluates system vulnerabilities and helps organizations strengthen security, while aligning business processes with network design and infrastructure.

Elizabeth Carter Ward is the Managing Director of Sikich’s cybersecurity practice, with over 20 years of experience in cybersecurity, crisis management, business continuity/resilience, security technology, and enterprise/financial risk management. She has held senior roles in both the public and private sectors. She leads vulnerability assessments, program development, executive exercises, and trainings, helping organizations from start-ups to government entities strengthen their security posture and response capabilities.

Author

Sikich offers the public and private sectors a diverse platform of professional services across consulting, technology and compliance. Highly specialized and hands-on teams deliver integrated solutions rooted in deep industry experience. Our approach is strategically and thoughtfully designed to help our clients, teams and communities accelerate success.

Sikich has approximately 2,000 team members and operates across North America, EMEA and APAC.