100 Frequently Asked Questions About Penetration Testing | FAQ Guide
General Questions
1. What is a penetration test?
A penetration test consists of controlled attacks performed by ethical hackers to identify the security weaknesses of a system, application or network. Through this test, organisations can measure how resilient they are against cyberattacks. Details: https://www.nesilteknoloji.com/penetrasyon-testi-nedir/
2. Are pentest and penetration test the same thing?
Yes, "penetration test" and "pentest" are used interchangeably. Both terms refer to controlled cyberattacks performed to test information security. Details: https://www.nesilteknoloji.com/pentest-ve-sizma-testi-ayni-midir/
3. Why is a penetration test performed?
A penetration test is performed to detect security weaknesses in systems in advance and to take measures against data leaks, service outages and other attacks. It also ensures organisations' compliance with legal and industry standards. Details: https://www.nesilteknoloji.com/pentestin-onemi/
4. Who should have a penetration test?
All organisations working with data — public institutions, financial institutions, healthcare organisations, e-commerce sites, payment systems — should have penetration tests. In short, any organisation with a digital presence can benefit from this test. Details: https://www.nesilteknoloji.com/pentesti-kimler-yaptirmali/
5. How often should a penetration test be performed?
It is generally recommended at least once a year. However, if a major change has been made to the system infrastructure or a new application has gone live, the test should be repeated. Details: https://www.nesilteknoloji.com/pentest-ne-siklikla-yapilir/
Technical Questions
6. Is penetration testing legal?
Yes, penetration tests are entirely legal when performed on a legal basis, with the organisation's express permission and under a contract. Tests performed without permission can lead to legal problems. Details: https://www.nesilteknoloji.com/penetrasyon-testi-ve-hukuk/
7. Is penetration testing compliant with the KVKK?
Penetration tests are considered KVKK-compliant when performed for the purpose of protecting personal data. However, the way data is processed and stored during the test must be carried out in compliance with the KVKK. Details: https://www.nesilteknoloji.com/penetrasyon-testi-kvkk/
8. What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is generally a surface-level analysis performed with automated tools. A penetration test is a deeper test performed with manual methods and attack scenarios. Details: https://www.nesilteknoloji.com/penetrasyon-ve-zaafiyet/
9. For which industries is a pentest mandatory?
In sectors such as finance, healthcare, energy, public administration and telecommunications, penetration tests are mandatory under regulations. Tests are also required for organisations complying with standards such as ISO 27001 and PCI-DSS. Details: https://www.nesilteknoloji.com/hangi-sektorler-icin-sizma-testi-pentest-zorunludur/
10. How do you choose a penetration testing company?
The assessment should be based on references, levels of expertise, the methodology used (such as OWASP, NIST, OSSTMM) and reporting quality. The competency certificates of the testing team (such as OSCP, CEH) are also important. Details: https://www.nesilteknoloji.com/penetrasyon-testi-firma-secimi/
Legal and Compliance Questions
21. Is a penetration test mandatory under the KVKK?
The KVKK does not directly mandate penetration testing; however, due to the obligation to ensure the security of personal data, this test becomes indirectly necessary. Penetration testing is an important step among the technical measures to be taken to protect data. Details: https://www.nesilteknoloji.com/kvkk-penetrasyon-testi-zorunlu-mu/
22. Is a pentest required for ISO 27001?
The ISO 27001 standard does not directly mandate penetration testing; however, it is recommended for managing information security risks and testing the effectiveness of security measures. It is regarded as good practice by many auditors. Details: https://www.nesilteknoloji.com/iso-27001-icin-penetrasyon-testi/
23. Is a pentest required for PCI-DSS?
Yes. For PCI-DSS (Payment Card Industry Data Security Standard) compliance, regular internal and external network penetration tests are mandatory. This is necessary to protect cardholder data. Details: https://www.nesilteknoloji.com/pci-dss-icin-pentest/
24. Should a pentest be performed under the Cybersecurity Law?
Under Cybersecurity Law No. 7574, cybersecurity measures must be taken in critical infrastructure and public institutions. A penetration test is one of the methods measuring the effectiveness of these measures and is indirectly required. Details: https://www.nesilteknoloji.com/siber-guvenlik-kanunu-icin-pentest-zorunlulugu/
25. Is a contract required for a penetration test?
Yes. A written contract is required so that the test rests on a legal basis and mutual responsibilities are defined. The contract covers the test scope, timing, confidentiality and responsibilities. Details: https://www.nesilteknoloji.com/penetrasyon-testi-icin-sozlesme-gerekir-mi/
26. Who is responsible if a data leak occurs during the test?
Professional firms take precautions for such situations and usually secure the process with non-disclosure agreements (NDAs). Nevertheless, responsibilities for any damage that may arise should be clearly stated in the contract. Details: https://www.nesilteknoloji.com/pentest-sirasinda-veri-sizintisi-sorumlulugu/
27. Must permission be obtained before a pentest?
Yes. Tests performed without permission can lead to legal problems. No test should be started without written approval from the owner of the target system. Details: https://www.nesilteknoloji.com/pentest-oncesi-izin-alinmali-mi/
28. Is personal data examined during the test?
Access to personal data may be possible within the scope of the test. For KVKK compliance, anonymisation or masking of data during the test process is therefore recommended. Details: https://www.nesilteknoloji.com/pentest-sirasinda-veriler-incelenir-mi/
29. Does having a pentest damage log records?
Properly performed tests do not damage log records. On the contrary, the adequacy of logging systems is also tested. However, on low-resource systems the log space may fill up; care should therefore be taken. Details: https://www.nesilteknoloji.com/sizma-testleri-log-kaydini-etkiler-mi/
30. Should employees be informed during the test process?
It varies by test type, but in most cases IT teams need to be aware. In tests such as social engineering, confidentiality may be preferred. Corporate policies are decisive. Details: https://www.nesilteknoloji.com/test-surecinde-calisanlar-bilgilendirilmeli-mi/
Service Process Questions
31. How long does a pentest service take?
The test duration varies according to the size and scope of the system. A small web application test may take 1-2 days, while for a large network infrastructure it may take several weeks. Details: https://www.nesilteknoloji.com/pentest-hizmetini-suresi-nedir/
32. Does the system keep running during the test?
Yes, most penetration tests aim to avoid service interruption while running on live systems. In certain special cases, however, the test schedule can be adjusted according to system load. Details: https://www.nesilteknoloji.com/pentest-surecinde-sistem-calismaya-devam-eder-mi/
33. How are penetration test prices determined?
Pricing is determined by the scope of the test, the number of targets, system complexity, test type (web, network, mobile, etc.), duration and reporting detail. Special requests can also affect the cost. Details: https://www.nesilteknoloji.com/pentest-fiyatlari-neye-gore-belirlenir/
34. What information is requested for a price quote?
A list of the systems to be tested, IP addresses, domain names, application types, number of targets, access details, the requested test type and any special requests are required to prepare a quote. Details: https://www.nesilteknoloji.com/pentest-fiyat-teklifinde-hangi-bilgiler-istenir/
35. How is communication with the customer maintained during the test?
Throughout the test process, communication with the customer is usually maintained via e-mail, telephone or project management systems. Instant notification is provided in critical situations. Details: https://www.nesilteknoloji.com/pentest-surecinde-musteri-iletisimi/
36. Which documents are delivered?
At the end of the test, a detailed technical report, an executive summary and, where applicable, documents containing additional security recommendations are delivered. Some firms also explain the report through a presentation or meeting. Details: https://www.nesilteknoloji.com/pentest-sonunda-hangi-dokumanlar-teslim-edilir/
37. What is the report delivery time?
After the test is completed, the report is usually prepared and delivered within 3 to 7 business days. This period may vary for urgent situations or on request. Details: https://www.nesilteknoloji.com/pentest-rapor-teslim-suresi-nedir/
38. Is fixing the findings included in the service?
Remediation of findings is usually subject to a separate consulting process. However, some firms may provide guidance on minor configuration fixes.
39. Is a re-test performed?
Yes, a "re-test" can be performed after critical vulnerabilities have been closed. This test is important to verify the effectiveness of the fixes and is usually priced separately.
40. Can a pentest be performed remotely?
Yes, many types of penetration tests can be performed remotely via secure connections. This method became widespread especially after the pandemic and has become highly efficient.
About Test Types
41. What is an internal network test?
An internal network test aims to test the access of an attacker from within the organisation (for example, a malicious employee) to systems. Services, shares and credentials accessible over the local network are analysed.
42. What is an external network test?
An external network test measures the resilience of systems against threats coming from the internet. Servers, web applications and externally exposed IP addresses are usually targeted.
43. What does a web application test cover?
A web application test covers the security review of all functions accessible through the user interface. Authentication, authorisation and data processing security are tested, with OWASP Top 10 vulnerabilities at the forefront.
44. How is a mobile application test performed?
A mobile application test analyses the application's security controls, encryption mechanisms, data storage methods and API communication. Both the device side (client) and the server side are examined.
45. What is a wireless network test?
A wireless network test involves assessing Wi-Fi networks against threats such as encryption weaknesses, unauthorised access risk and rogue access points. Access to the physical location may be required.
46. What is a social engineering test?
A social engineering test is performed with scenarios such as phishing, fake calls or physical entry attempts to measure employees' awareness. The human factor is tested.
47. Are DDoS tests performed?
DDoS tests can be performed but require careful planning and infrastructure preparation. As these tests can cause service interruption, they are usually performed in isolated environments.
48. What is a physical security test?
A physical security test involves testing security weaknesses with scenarios of unauthorised physical access to the organisation. Security cameras, card readers and security personnel are included.
49. Can a pentest be performed on SCADA systems?
Yes, but as SCADA systems are very sensitive, special care and experience are required. These tests should generally be performed in test environments rather than on live systems.
50. Are API tests performed?
Yes. APIs such as REST and SOAP are an important part of penetration tests. Authentication, data validation and abuse scenarios are tested.
Results and Reporting
51. What does a pentest report contain?
The report contains the details of the identified vulnerabilities, impact analyses, risk levels, remediation recommendations and technical findings. It may also include a summary section specifically for executives.
52. Are reports written technically or for executives?
Both are provided. Detailed explanations are included for technical teams, while a simplified summary with strategic recommendations is presented for executives.
53. According to which standards is reporting done?
Reporting is usually prepared according to the OWASP, NIST, OSSTMM and CVSS standards. It can also be presented in custom formats at the organisation's request.
54. Can reports be given to third parties?
Reports may contain confidential information and should only be shared with the relevant parties. However, where sharing with insurance companies, auditors or business partners is required, written permission should be obtained.
55. What is a CVSS score?
CVSS (Common Vulnerability Scoring System) is a standard that determines a risk score between 0 and 10 by evaluating a vulnerability's technical complexity, impact and accessibility.
56. What is a critical vulnerability?
A critical vulnerability is a flaw that could lead to complete system takeover or direct access to sensitive data. It requires rapid intervention.
57. What is a medium-level vulnerability?
Medium-level vulnerabilities do not by themselves give direct access to a system, but they can be chained with other flaws across several stages of an attack. Their remediation priority is medium.
58. What is an informational vulnerability?
Such vulnerabilities usually carry low risk. They include information leaks — such as system information and error messages — that could benefit attackers.
59. Is the report confidential?
Yes. Pentest reports are internal corporate information, and confidentiality agreements should be considered before sharing them with third parties.
60. How long should the report be retained?
Retention for at least 1 year is generally recommended. However, this period may vary according to the organisation's internal security policies and regulations.
For Those Curious About Technical Details
61. What is SQL Injection?
SQL Injection is a security vulnerability that allows an attacker to alter the SQL queries an application sends to its database by supplying crafted input. It can lead to serious consequences such as data exfiltration and data deletion.
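As an added example (not code from the FAQ), the snippet below shows the flaw and its standard fix side by side: the same login lookup written by concatenating user input into the SQL text, and written with a parameterised query. It runs against a constructed in-memory SQLite table; the user names and (deliberately unhashed, for brevity) passwords are sample data.

```python
"""Added illustration of SQL injection: vulnerable string-built query versus
a parameterised query, on a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Real systems store password hashes, never
    plaintext; plaintext is used here only to keep the query comparison short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Untrusted input is pasted into the SQL text, so a quote character in the
    # input changes the structure of the query instead of being treated as data.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders fix the query structure at parse time; the driver sends the
    # values separately, so the same input is compared literally and matches nothing.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"          # constructed malformed "password"
    print("string-built query :", login_vulnerable(db, "alice", tampered))
    print("parameterised query:", login_safe(db, "alice", tampered))
```

The vulnerable function returns every user for the tampered input because the injected text turns the WHERE clause into `... OR '1'='1'`; the parameterised function returns an empty list. Parameterisation (or an ORM that uses it underneath) is the fix a pentest report will recommend for this class of finding; input "sanitising" alone is not.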
62. What is XSS (Cross Site Scripting)?
XSS is a security vulnerability that allows attackers to run malicious JavaScript code in users' browsers. It can lead to data theft through methods such as session hijacking and fake forms.
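As an added example that is not part of the FAQ, the code below renders a user comment into HTML twice: once by interpolating the text directly (the XSS flaw) and once with output encoding for the HTML body and attribute contexts. The comment text and author values are constructed samples.

```python
"""Added illustration of stored/reflected XSS and output encoding.
Sample comment strings are constructed; nothing here is from the page."""
from html import escape


def render_comment_vulnerable(author: str, text: str) -> str:
    # Untrusted text goes straight into the markup, so a comment that contains
    # a <script> tag is interpreted, not displayed, by every visitor's browser.
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'


def render_comment_safe(author: str, text: str) -> str:
    # escape() turns <, >, & and (quote=True is the default) " and ' into
    # entities, so the browser shows the characters instead of parsing them.
    # Attribute values get the same encoding and are always double-quoted,
    # which closes the attribute-breakout variant as well.
    return (f'<div class="comment" data-author="{escape(author)}">'
            f'<p>{escape(text)}</p></div>')


def contains_script_tag(html: str) -> bool:
    """Helper for checking output: does a live <script> tag survive?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"          # constructed sample comment
    print(render_comment_vulnerable("guest", sample))
    print(render_comment_safe("guest", sample))
```

Encoding is context dependent: `html.escape` is correct for element content and quoted attribute values, but text placed inside a `<script>` block, a URL or a CSS value needs the encoding for that context, and a Content-Security-Policy header limits the damage when one spot is missed.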
63. What is CSRF (Cross Site Request Forgery)?
CSRF is an attack type that causes a harmful action to be performed on behalf of a user, without their intent, while their session is active. Operations requiring authentication are usually targeted.
64. What is IDOR?
IDOR (Insecure Direct Object Reference) is a security vulnerability that allows users to directly access data or resources they should not be able to reach. It is usually exploited through URL or parameter manipulation.
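As an added example (not the FAQ's own code), the functions below contrast an invoice lookup that trusts the id from the request with one that makes an authorisation decision per object. The invoice store and user names are constructed samples.

```python
"""Added illustration of IDOR: object lookup without, and with, an ownership
check. INVOICES and the user names are constructed sample data."""
from typing import Optional

# Constructed store: invoice id -> owner and amount.
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 80},
}


def get_invoice_vulnerable(invoice_id: int) -> Optional[dict]:
    # The id is taken straight from the URL or parameter; being logged in at all
    # is the only check, so any authenticated user can read any invoice.
    return INVOICES.get(invoice_id)


def get_invoice_safe(current_user: str, invoice_id: int) -> Optional[dict]:
    # Authorisation is decided for this specific object: the record must belong
    # to the caller. "Missing" and "not yours" return the same result so the
    # response does not confirm which ids exist.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        return None
    return invoice


def list_invoices(current_user: str) -> list:
    """The listing that drives the UI should already be scoped to the caller,
    so the ids a user ever sees are only their own."""
    return sorted(i for i, inv in INVOICES.items() if inv["owner"] == current_user)
```

The check has to live in the data-access path, not only in the UI: hiding a link does not stop a user from typing the neighbouring id into the URL, which is exactly how this class of finding is confirmed during a test.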
65. What is SSRF?
SSRF (Server-Side Request Forgery) is a flaw that allows an attacker to make the server send requests to other systems on the external or internal network. It can lead to the exposure of internal systems.
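One common mitigation for the flaw described above is to validate the destination before the server issues any request. The following is an added example, not code from the FAQ: a "fetch by URL" feature accepts only http/https, rejects URLs that embed credentials, refuses IP literals that are not globally routable (loopback, private, link-local, including the 169.254.169.254 metadata range), and otherwise requires the host to be on an allow-list. The allow-list entries and test URLs are constructed samples.

```python
"""Added illustration of outbound URL validation against SSRF.
ALLOWED_HOSTS and the sample URLs are constructed, not from the page."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # constructed
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(host: str) -> bool:
    """True when host is an IP literal outside the globally routable space:
    loopback, RFC 1918, link-local (169.254/16, fe80::/10), ::1 and similar."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # not an IP literal; hostnames are decided by the allow-list
    return not ip.is_global


def validate_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied destination URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"        # blocks file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if is_internal_address(host):
        return False, "internal address"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("https://images.example.com/logo.png",
                   "http://169.254.169.254/",
                   "http://[::1]/",
                   "file:///etc/hosts",
                   "https://user:pw@images.example.com/"):
        print(sample, validate_outbound_url(sample))
```

An allow-listed hostname still resolves through DNS at request time, so the fetching code should also resolve the name itself, re-check the resulting address, connect to that pinned address, and either disable redirects or re-validate every hop; otherwise a DNS rebinding or an open redirect on an allowed host can route the request inward.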
66. What is RCE?
RCE (Remote Code Execution) is a serious vulnerability that allows an attacker to execute commands remotely on the target system. The system can be completely taken over.
67. What is the difference between LFI and RFI?
LFI (Local File Inclusion) lets an attacker make the application include files that already exist on the server, while RFI (Remote File Inclusion) lets it include, and so execute, a file fetched from a remote location. Both can lead to system compromise when abused.
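The inclusion flaws above usually come from building a file path out of a request parameter. As an added example (not the FAQ's code), the loader below shows a template lookup that joins the parameter onto a base directory unchecked, next to one that resolves the path and requires the result to stay inside that directory. The template directory, its contents and the "secret" file outside it are created in a temporary folder so the example runs stand-alone.

```python
"""Added illustration of local file inclusion and path confinement.
All files are constructed in a temporary directory; nothing is read from
the real system."""
import tempfile
from pathlib import Path
from typing import Optional

TEMPLATE_ROOT = Path(tempfile.mkdtemp()) / "templates"   # constructed sandbox


def setup_templates() -> None:
    """Create one legitimate template and one file outside the template root."""
    TEMPLATE_ROOT.mkdir(parents=True, exist_ok=True)
    (TEMPLATE_ROOT / "home.html").write_text("<h1>Home</h1>")
    (TEMPLATE_ROOT.parent / "secret.conf").write_text("db_password=constructed")


def load_template_vulnerable(name: str) -> str:
    # The request parameter is joined onto the base path unchecked, so a value
    # such as "../secret.conf" walks out of the directory (an absolute value
    # replaces the base path entirely).
    return (TEMPLATE_ROOT / name).read_text()


def load_template_safe(name: str) -> Optional[str]:
    # Resolve symlinks and ".." first, then require the real path to lie inside
    # the real template root; anything else is refused rather than served.
    root = TEMPLATE_ROOT.resolve()
    candidate = (root / name).resolve()
    if root not in candidate.parents or not candidate.is_file():
        return None
    return candidate.read_text()


if __name__ == "__main__":
    setup_templates()
    print(load_template_safe("home.html"))
    print(load_template_safe("../secret.conf"))          # None
    print(load_template_vulnerable("../secret.conf"))    # the file outside the root
```

Where the set of includable files is known in advance, an explicit allow-list of names is simpler and stronger than path confinement; the confinement check is the fallback for cases where it is not.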
68. How is a vulnerability exploited?
After a vulnerability is discovered, undesired operations are performed on the system using a suitable exploit. A PoC (Proof of Concept) or ready-made tools may be used in this process.
69. What does exploit mean?
An exploit is special code or a tool written to abuse a vulnerability. The aim is to gain control over the system or capture data.
70. What is a reverse shell?
A reverse shell is a shell obtained when the target system initiates a connection towards the attacker. It is used to bypass firewalls and execute commands remotely.
About the Pentester Profile
71. Who is a pentester?
A pentester is an expert who performs penetration tests to assess the security of information systems. They approach systems from an ethical hacker's perspective and identify security weaknesses.
72. Is a certified pentester mandatory?
Although not legally mandatory, choosing a certified pentester is important for quality and trust. Certificates document the person's knowledge and competence.
73. Which certificates are considered valid? (OSCP, CEH, etc.)
The most widely recognised certificates include OSCP, CEH, GPEN, eJPT and PNPT. These certificates require technical knowledge and practical application skills.
74. How much does a penetration testing expert earn?
It varies according to the expert's experience, employer and location, but in Türkiye average salaries can range between 25,000 and 60,000 TL. Much higher earnings are possible abroad.
75. What tools does a pentester use?
Pentesters typically use tools such as Nmap, Burp Suite, Metasploit, Wireshark, Nikto, SQLmap, Hydra and John the Ripper. They can also develop their own scripts.
76. How experienced should a pentester be?
A good pentester needs both theoretical knowledge and practical experience. Generally, 2-3 years of active experience is sufficient for medium-level tests.
77. How many people work during the test process?
It depends on the size of the project. For small projects 1-2 people are sufficient, while for large-scale enterprise tests the team can grow to 5-10 people.
78. Does the pentester take control of the system?
It depends on the test type, but particularly in grey-box and white-box tests, system takeover scenarios may be applied. This is done with prior permission.
79. What happens if a pentester behaves unethically?
Unethical behaviour can lead to legal sanctions and contract terminations. It is therefore critical to sign a non-disclosure agreement (NDA) with pentesters.
80. Is the number of female pentesters increasing?
Yes, the number of female experts in the cybersecurity sector is increasing every year. Female pentesters add value to the industry with their technical competence.
End-User Questions
81. What benefit does a pentest result provide me?
It enables you to reduce cyberattack risks by detecting security weaknesses in your systems in advance. It also helps you fulfil legal obligations and increase customer trust.
82. Does the test result prevent data leaks?
Yes, remediating the vulnerabilities identified during the test significantly reduces the risk of data leakage. However, continuous monitoring and updates are also required for absolute security.
83. Can I be hacked again after a pentest?
Yes. No system is 100% secure. A pentest provides a snapshot of security at a point in time. Regular testing and maintenance are therefore necessary.
84. Do I still need a pentest if I use antivirus?
Antivirus software only protects against known malware. A pentest identifies configuration errors and application flaws in the system. They are complementary measures.
85. Isn't my firewall enough?
A firewall is the first line of defence against external attacks. However, it can be insufficient at blocking application-layer vulnerabilities. A pentest is therefore recommended.
86. I have a SIEM system; do I still need a pentest?
SIEM systems collect and analyse events. However, active testing methods such as pentests are required to identify existing vulnerabilities. SIEM and pentests complement each other.
87. Why should I have a pentest when I have a SOC team?
SOC teams monitor real-time threats, while a pentest identifies potential weaknesses. SOC and pentests are mutually supporting security layers.
88. Can my own IT team perform the test?
They can, but an external specialist firm should be preferred to obtain an independent perspective and ensure impartiality. Some regulations also mandate external testing.
89. Can penetration tests be performed for training purposes?
Yes. Pentest exercises can be performed for training purposes in simulation environments or on CTF (Capture The Flag) platforms. This method is highly effective for learning.
90. Are tests performed for individual users?
At the individual level, the scope is usually limited. However, special tests can be performed for personal websites, small applications or security awareness.
Corporate Decisions and Strategies
91. What kind of roadmap should I create after a pentest?
First, critical vulnerabilities must be closed quickly. Then a remediation plan should be prepared based on medium- and low-risk findings, and testing should be repeated regularly.
92. How quickly should I close vulnerabilities?
Critical vulnerabilities should be closed within 24-72 hours where possible; other vulnerabilities should be prioritised by risk level. These timeframes can vary according to regulations and internal policy frameworks.
93. Should I get consultancy during the remediation process?
If internal resources are insufficient or there are matters outside your expertise, consultancy should definitely be obtained. The right remediation steps eliminate major risks in the long term.
94. How should I share the report with my IT team?
The technical report can be passed directly to the IT team, while the overall risk level should also be conveyed to senior management via the executive summary. The related actions should be planned together.
95. What is the executive summary for?
The executive summary presents risks and recommendations in an understandable way without going into technical detail. It raises senior management's awareness and contributes to decision-making processes.
96. Should an audit be performed after the pentest?
Yes. The correctness of the applied fixes and the system's current security level should be audited. A re-test should be performed if necessary.
97. What should I do if vulnerabilities leak to the press?
A crisis management plan should be activated quickly with the corporate communications unit, the public should be informed transparently and legal steps should be taken.
98. Do insurance companies request pentest reports?
Companies providing cyber risk insurance may request a penetration test report for risk assessment. This can affect policy terms.
99. Do investors want to see this report?
Especially in technology- and finance-focused ventures, investors may want to see the state of information security. A professionally prepared pentest report provides credibility.
100. What alternatives are there to a penetration test?
Alternatives include vulnerability scans, source code analysis and configuration audits. However, a penetration test is a security assessment that complements these methods.