What is pentesting?
Organisations invest in firewalls, endpoint security and awareness training, but how can you be sure these measures will hold up against a real attack? A penetration test provides the answer. It tests your security in practice, at a time when the threat landscape is constantly changing and what was secure last year may no longer be so today.
Furthermore, a penetration test delivers more than just a list of vulnerabilities. It reveals the actual impact: can an attacker access customer data, or even take over the entire network? That context helps to set the right priorities.
Despite the diversity of organisations we test, there are striking patterns in the vulnerabilities we encounter. Below, we discuss the four most common findings from real-world experience.
Weak or reused passwords
This is and remains the number one issue. In virtually every penetration test, we manage to compromise accounts due to weak passwords. Think of variations on the company name, seasons followed by a year (Summer2025!) or the classic Welcome01!. These are passwords that technically comply with the password policy: they contain capital letters, numbers and sometimes a special character, but in practice they can be cracked within seconds.
What exacerbates the problem is that employees reuse passwords. A password leaked from a data breach at an external service therefore also works on the company network. For an attacker, that’s an open door.
The solution starts with a password policy that not only enforces length and complexity but also checks against lists of common and leaked passwords. Also, consider using passphrases instead of complex but short passwords: a phrase like “MyCatLovesKibble” is both stronger and easier to remember. And always combine this with the following point.
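The kind of policy check described above, as an added example (not code from the original post): it rejects the season-plus-year and Welcome01!-style passwords that satisfy complexity rules, catches company-name variants, and checks against a breached-password set keyed by SHA-1. The blocklists, the breach entries and the company name "Acme Corp" are constructed sample data.

```python
import hashlib
import re

# Constructed sample data. A real deployment loads full lists of common and
# breached passwords (breach entries kept as SHA-1 so no plaintext is stored).
COMMON_PASSWORDS = {"welcome", "password", "letmein", "qwerty", "admin"}
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ("Welcome01!", "Summer2025!")}  # constructed breach entries
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to its root word: lower-case, drop the trailing
    digits/symbols (2025!, 01!) and undo common leet substitutions (P@ssw0rd)."""
    root = re.sub(r"[^a-z]+$", "", password.lower())
    return root.translate(LEET)


def check_password(password, company_name, min_length=12):
    """Return the reasons a password is rejected; an empty list means accepted.

    Length/complexity rules alone accept Summer2025! and Welcome01!; this
    check targets the patterns that are cracked in seconds instead."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    root = normalize(password)
    if root in COMMON_PASSWORDS:
        reasons.append("root word is a common password")
    if root in SEASONS:
        reasons.append("season followed by a year or number")
    for token in re.findall(r"[a-z]{3,}", company_name.lower()):
        if token in root:
            reasons.append(f"contains the company name ({token})")
            break
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in LEAKED_SHA1:
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2025!", "Welcome01!", "Acme2025!", "MyCatLovesKibble"):
        print(candidate, "->", check_password(candidate, "Acme Corp") or "accepted")
```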
No MFA on critical systems
Strong passwords are important, but they are not enough. Yet we regularly see that multi-factor authentication (MFA) is missing on crucial systems: VPN access, email, administrator portals and cloud platforms.
Without MFA, a single compromised password is enough to gain access. Combined with a weak password or password reuse, this quickly becomes a serious risk. An attacker who obtains a password via a phishing email or a data breach then has free rein.
The advice is clear: roll out MFA across all externally accessible services and administrator accounts. Start with the key elements (VPN, email and admin portals) and expand from there.
Excessive rights and over-privileged accounts
“Just give everyone admin rights, then at least they can get on with their work.” It sounds familiar, and it is one of the most dangerous patterns we encounter.
During a penetration test, an over-privileged account is worth its weight in gold. If a standard user account has local admin rights, we can read credentials, move laterally through the network and ultimately gain full control of the domain, often within a matter of hours.
The principle of least privilege is key here: grant users only the rights they need for their work, and no more. Carry out periodic reviews of admin rights. And separate admin accounts from everyday user accounts; an IT administrator does not need a domain admin account to read their email.
Outdated software and missing patches
Known vulnerabilities in software for which a patch has been available for months, or sometimes years, are something we come across more often than you might expect: from outdated SSH versions to outdated web applications and forgotten test environments that are still accessible.
The problem often lies not in unwillingness, but in complexity. Organisations do not always have a complete overview of their IT landscape. Patch processes are delayed or there are compatibility issues, and shadow IT (systems running outside the IT department’s purview) completes the picture.
The foundation is an up-to-date and comprehensive overview of all systems and software in the environment. From there, implement a structured patch management process with clear agreements on turnaround times for critical updates. And don’t forget test environments and legacy systems: these are often overlooked, yet they can be an excellent entry point for an attacker.
What these four findings have in common is that they are not exotic vulnerabilities. They are basic security hygiene issues that can be prevented with good policy, awareness and a structured approach. Yet we see them in virtually every organisation to a greater or lesser extent.
That is precisely why a penetration test is so valuable. It is not an exam that you must pass or fail. It is a mirror that shows where your organisation stands and where the greatest opportunities for improvement lie. The organisations that score highest are not those that never have vulnerabilities; they are the organisations that work on their security in a structured manner and use the results of previous tests to improve their security step by step.