Contact Us

Should I Have a Penetration Test?

17 February 2023

Should I Have a Penetration Test?

Most organisations that ask “should we have a penetration test?” aren’t really thinking about exploits or technical mechanics. What they are really wrestling with is uncertainty: uncertainty about exposure, uncertainty about risk, and uncertainty about whether their security decisions are grounded in evidence or assumption.

A penetration test is often cast as a kind of security rite of passage — something you do annually, something you mention in board reports, something that looks good on a checklist. But when treated that way, it rarely delivers meaningful value.

The real question isn’t should we do a pen test because someone says so? — It’s will this activity address a real gap in our understanding or assurance of risk?

Before answering that, we have to unpack what penetration testing is really for — and where it sits relative to other kinds of assessment and confidence-building activities.

What People Really Mean by “Penetration Test”

In everyday organisational language, commissioning a penetration test usually means one of three things:

  • We want reassurance
  • We want evidence that something is secure.
  • We want to find “the holes” so we can fix them.

A penetration test is a controlled exercise where skilled testers attempt to emulate how attackers might breach systems and achieve impact — it is a simulation of adversarial behaviour, not a guarantee of absolute safety.

When framed this way, the purpose becomes clearer: a pentest is a way to translate potential weaknesses into demonstrated risk. It isn’t a meter on posture, it is a spotlight on realistic exploitation — if the problem really exists.

That differentiates it from other activities that might feel like security work but are conceptually different in intent and output.

What Penetration Testing Can Actually Do

A penetration test has a specific role and shines brightest in particular situations:

  • It reveals whether identified issues can genuinely be exploited, not just whether they exist on a list.
  • It connects isolated findings into real attack paths rather than treating vulnerabilities in isolation.
  • It forces teams to think about what an attacker could achieve, not just what controls are present.
  • It produces findings oriented toward impact and consequence, not just mechanics.

Organisations often learn more from what a penetration test shows them about their assumptions than from the specific vulnerabilities it uncovers.

In that sense, a pentest is less about “finding holes” and more about testing confidence.

Why Penetration Tests Are So Often Misused

This is critical: a penetration test becomes useless when it is treated as a checkbox.

Too often, organisations commission penetration tests with hidden expectations:

  • “If nothing critical is found, we must be secure.”
  • “We need a report for compliance.”
  • “We want a benchmark for next year.”

These are understandable motives — they come from pressure to demonstrate activity — but they skew the purpose.

A penetration test is not a locker-room badge. It does not certify “good security”. It shows what a skilled adversary could accomplish within defined scope and constraints. If scope is arbitrary or intent is ambiguous, the results are almost guaranteed to be unhelpful.

When a Penetration Test Is Worth Doing

Penetration tests are most effective when they are commissioned with clarity about what decision they are meant to inform.

Here are common scenarios where a well-scoped pen test delivers real value:

  • Exposure or Change is NewYou have new systems, applications, or services that are being exposed to external users or partners.
  • Assurance is RequiredYou need credible evidence for customers, auditors, partners, or regulators — and automated outputs alone aren’t convincing.
  • Risk Assumptions Are UnverifiedYou suspect there may be real gaps, but you don’t know how exploitable they are in practice.
  • Compliance Drives ExaminationSome compliance frameworks expect realistic testing rather than just reports of configuration or automated output.
  • You Want Actionable Insight, Not AlertsYou care about what fixing issues actually reduces risk, not just what tools list.

In these cases, a penetration test fills an important gap: it turns theory into evidence that stakeholders can understand and act upon.

Often, high-quality penetration testing highlights not only technical weaknesses, but also unexamined assumptions about systems, processes, or ownership — which are the real sources of risk many organisations miss.

When Penetration Testing Is NOT the Right First Step

This is just as important, and frequently overlooked.

There are situations where commissioning a penetration test will waste time, money, and attention — because it doesn’t actually address the core uncertainty you are grappling with.

You should avoid commissioning a pentest when:

  • You are not prepared to act on the findings.A test that produces insight without follow-through becomes reassurance theatre.
  • Foundational controls and governance are immature.If basic controls, roles, ownership, or remediation processes are weak, a penetration test will mostly confirm obvious flaws without improving understanding at the level that matters.
  • The scope is arbitrarily narrow.Testing a component in isolation while ignoring the broader context of risk often produces misleading conclusions.
  • Your goal is just “a report”.A report that sits in an archive does nothing for risk management.
  • You equate “no critical finding” with “good enough”.Pass/fail thinking is the enemy of useful security improvement.

In these situations, other forms of assessment — such as posture reviews, risk assessments, or governance evaluations — often provide better insight and prepare the organisation to get value from a subsequent penetration test.

The purpose of testing is to improve decisions, not to end them.

Penetration Testing vs Other Security Activities

It’s also worth clarifying how penetration testing relates to other common security activities:

  • Vulnerability scanning collects indicators of potential issues, but doesn’t assess whether those issues can be chained together or leveraged in context.
  • Configuration or posture reviews examine policies and setup, but do not demonstrate reachability or exploit paths.
  • Risk assessments help prioritise what matters, but do not validate exploitability.

None of these activities is inherently superior — they serve different purposes. The best security programmes blend them intelligently, using each where it contributes uniquely to understanding risk.

What Makes a Penetration Test Valuable

Sub Sub Title

A penetration test adds value when it satisfies three conditions:

  • Clear intentYou know what question you want the test to answer (e.g., “Can someone breach X under reasonable assumptions?”).
  • Defined decisionThe outcome will influence a real choice (e.g., prioritisation of work, investment decisions, remediation commitments).
  • Realistic expectationsAll stakeholders understand that the test demonstrates exposure, not perfection.

When these are in place, a penetration test brings insight that simply cannot be obtained by scanning or evidence collection alone.

The Bottom Line

Penetration testing is not a ritual. It is not a marketing asset. It is not a substitute for good governance and strong controls.

It is a targeted exercise designed to turn assumptions into evidence — and it is only as valuable as the questions you ask of it.

If you are clear about why you want to do a penetration test, what decisions will be influenced by its findings, and how you will act on those findings, then it is very likely worth doing.

If you are asking the question because it feels like something you “ought to do”, then take a step back and ask a different question: what risk decision are we trying to make today that a penetration test would clarify?

Answering that will tell you more than a penetration test ever could.

David Morgan

Founder & Consultant

Trusted Microsoft Cloud Security Advisor with 27 years experience | Empowering Businesses to Embrace Cloud Innovation with Confidence

Skills chart of the author David Morgan, high level expertise in Cyber Security, Network Security, Azure, Microsoft 365, Penetration Testing & Breach Attack Simulation
Previous PostNext Post

Related Posts

What Auditors Really Scrutinise in a Microsoft 365 Audit

18 September 2025

What Good Looks Like: Microsoft 365 Governance in Practice

6 June 2025

Is Microsoft 365 Really Enough for ISO 27001 Compliance?

12 March 2025

When You Should Pen Test to Avoid Becoming an Easy Target

3 February 2025

Pen Test vs Vuln Scan: What Actually Protects You?

20 December 2024

External Sharing in Microsoft 365: Convenience vs Risk

29 November 2024