Pen-test 2026-04-20 4 min

What is penetration testing and how to scope one

A penetration test is not a vulnerability scan — it is targeted exploitation by a human, and how you scope it determines whether the report is useful.

A penetration test is a controlled offensive engagement in which qualified testers — typically holders of OSCP, CRTO, or PNPT — attempt to compromise systems, applications, or people using the same techniques as real adversaries. Unlike automated vulnerability scanning, a pentest validates exploitability, chains weaknesses across systems, and demonstrates business impact. The deliverable is a report with reproducible steps and prioritized remediation.

Scope is the single most important variable. A network pentest examines internal subnets, Active Directory, Wi-Fi, and exposed services. A web application pentest follows the OWASP Web Security Testing Guide v5 against your apps. A mobile pentest applies the OWASP MASVS to iOS and Android binaries. A red team engagement is broader — multi-week, goal-driven (for example, exfiltrate 500 MB from your CRM without detection), with social engineering and physical entry on the table. Pick the type that matches your real threat model.

Engagement rules must be written. The Statement of Work should fix targets by IP, domain, or app version; declare which actions are out of scope (denial of service, destructive payloads, social engineering of named individuals); set the test window in your timezone; specify a 24/7 emergency contact; and define data handling for any sensitive material the testers retrieve. CREST and the PTES (Penetration Testing Execution Standard) provide widely used templates.
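The scope and rules-of-engagement items above (targets by IP or domain, out-of-scope actions, a test window in a stated timezone, explicit carve-outs) can be encoded so that every test action is checked against the signed Statement of Work before it runs, and so the SOC can tell an authorised action from a real one by the same rule. The following is an added example, not code from the original post or from any pentest provider; all hosts, networks, dates and the `Scope` class are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network

@dataclass
class Scope:
    tz: tzinfo                      # timezone the SoW states the test window in
    window_start: datetime          # naive, read in self.tz
    window_end: datetime
    in_scope_nets: list = field(default_factory=list)      # CIDR strings
    in_scope_domains: list = field(default_factory=list)   # apex names; subdomains included
    excluded_hosts: list = field(default_factory=list)     # explicit carve-outs from the SoW
    forbidden_actions: list = field(default_factory=list)  # e.g. "dos", "destructive"

    def host_in_scope(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host in self.excluded_hosts:
            return False
        try:  # IP literal: membership in an authorised CIDR
            addr = ip_address(host)
            return any(addr in ip_network(n) for n in self.in_scope_nets)
        except ValueError:  # hostname: exact match or subdomain of an in-scope name
            return any(host == d or host.endswith("." + d) for d in self.in_scope_domains)

    def in_window(self, when: datetime) -> bool:
        # Naive timestamps are taken as SoW-local; aware ones are converted first.
        when = when.replace(tzinfo=self.tz) if when.tzinfo is None else when.astimezone(self.tz)
        return self.window_start.replace(tzinfo=self.tz) <= when <= self.window_end.replace(tzinfo=self.tz)

    def check(self, host: str, action: str, when: datetime) -> tuple[bool, str]:
        # Returns (permitted, reason); the reason belongs in the engagement log.
        if action in self.forbidden_actions:
            return False, f"action '{action}' is excluded by the SoW"
        if not self.host_in_scope(host):
            return False, f"{host} is not an authorised target"
        if not self.in_window(when):
            return False, "outside the agreed test window"
        return True, "permitted"

# Constructed example scope; every value is hypothetical. A real SoW would name a
# zone such as Asia/Baku via zoneinfo; fixed UTC+4 is used here to avoid a tz database.
EXAMPLE = Scope(
    tz=timezone(timedelta(hours=4), "AZT"),
    window_start=datetime(2026, 5, 4, 9, 0),
    window_end=datetime(2026, 5, 15, 18, 0),
    in_scope_nets=["10.20.0.0/16", "203.0.113.0/24"],
    in_scope_domains=["app.example.com"],
    excluded_hosts=["10.20.0.1"],
    forbidden_actions=["dos", "destructive", "social-engineering"],
)
```

Note that the domain check deliberately treats `app.example.com.attacker.test` as out of scope while accepting `api.app.example.com`, and that an excluded host wins over any CIDR that would otherwise contain it.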

For Azerbaijani companies, expect a mid-sized web app test to cost 8,000 to 25,000 USD and take two to four weeks. Buy at least one retest in the contract — fixing a SQL injection without verification is how the same finding shows up next year. Insist on the testers using current tooling: Burp Suite Pro for web, BloodHound and Certipy for AD, Nuclei for known-CVE coverage, and custom scripts where appropriate. A CV of certifications and sample sanitized reports is a fair thing to ask for before signing.

#pentest #security-testing #red-team
Information security, Baku.
© 2026 gpolicy. All rights reserved.