30 September 2021

Why is Penetration Testing so Important?

Security Incidents are the new normal.

Now more than ever, it is vital that vulnerability scanning and penetration testing are a regular business activity in order to ensure that cyber controls are actually working.

Vulnerability Scanning

Vulnerability scanning essentially investigates all exposed assets for vulnerabilities. These assets include network infrastructure and devices such as servers, routers, switches and more. However, vulnerability scanning has its downsides – false positives. This can make it seem as though your systems and networks are not as strong as you might have thought, when in reality this is not the case.

Penetration Testing

Penetration testing is Vulnerability Scanning’s better looking, older brother. Penetration Testing goes one step further and attempts to exploit any discovered vulnerabilities – this will tease out those troublesome false positives. Penetration testing not only tells you what your vulnerabilities are, but how they can be exploited and what damage can be caused. This aids a deeper understanding of risk and exposure.

Regular Penetration Testing is necessary for the following reasons:

  1. To identify security flaws across an IT estate in order to inform appropriate mitigating controls;
  2. To validate the effectiveness and resilience of existing controls;
  3. To secure in-house developed applications that are error-prone and are most subject to attack;
  4. Vulnerabilities can change. Updates and patches can plug old gaps, but create new holes.

If you’re not testing your assets, you can be sure that attackers are. A vulnerability that is not known to the business is an open door for an attacker, who can go undetected for months.

Outside and In

It is easy to imagine that an attacker will always be an external entity, a masked villain in a secret warehouse. However, it can also be an internal employee, whether complicit or coerced. And let’s not forget, once an attacker makes his way inside, he’ll be attacking from the inside.

It is always important to test applications and infrastructure under the assumption that credentials have already been stolen, whether by an insider or through a successful phishing attack.

How often should you perform penetration testing?

Here comes the typical answer – it depends. Typically, Penetration Testing is carried out annually; however, it all comes down to how often the application or infrastructure, and its controls, are changing.

Interested in Penetration Testing?

As one of the leading information security consultancies in the UK, IRM has significant experience in supplying penetration testing services. Having operated a security testing team since the company was founded in 1998, our services are supported by relevant industry accreditations for security testing as members of both the NCSC CHECK scheme and CREST. IRM has 20 years of experience in delivering world class security testing services to a diverse range of clients. With this experience, IRM has remained at the forefront of the emerging and novel technologies of the industry and, as a result, we consistently adapt our testing methodologies and techniques to combat the new threats and vulnerabilities.

IRM’s Penetration Testing Portfolio

Our range of security consultancy services helps determine whether your applications, networks, geographical locations, processes and even people are resilient enough to withstand a cyber-attack. We apply the mentality of a hacker to your organisation across all disciplines to evidence any vulnerabilities, showing you where they exist and how you can fix them.

 

Penetration testing

WIRELESS TESTING Evaluates the security posture of your wireless networks (such as access points, devices and wireless clients) and their compliance with pre-defined standards.

MOBILE TESTING Mobile applications come with their own unique security challenges – testing ensures that your company’s applications remain secure and operate effectively.

CLOUD TESTING Delivers security assurance against the existing build and configuration of the service provider’s environment.

APPLICATION TESTING Using the methods of real-world attackers in a controlled manner, IRM ensures that your web applications and thick clients are safe, secure and adhere to security best practice. IRM are also able to test bespoke systems/applications.

Security assessments & reviews

CONFIGURATION REVIEWS An on-host security Configuration Review gives assurance that network devices – such as servers, workstations, firewalls and routers – are securely configured in line with best practice.

CODE REVIEWS The risk of human error in the development of application source code can lead to security vulnerabilities and conditions, such as buffer overflows. Our Code Review service will ensure that any mistakes that have been overlooked are fixed.

NETWORK AND INFRASTRUCTURE TESTING An Infrastructure Review involves an external/internal assessment of the company’s IT estate. We simulate a malicious user or attacker exploiting vulnerabilities in order to give you a clear picture of your security posture.

BUILD REVIEWS A Build Review assesses whether your organisation is susceptible to a cyberattack based on the security vulnerabilities in your operating systems.

Scenario-based testing

MALICIOUS INSIDER SIMULATION / RED TEAMING Our Red Teaming service combines a number of test strategies and techniques in order to gain access to pre-defined information assets. These may include targeted web application attacks, war dialling and driving, social engineering and specialised malware.

DETECTION AND RESPONSE TESTING IRM can ensure that detection & response software is working properly and detecting suspicious activity. In addition, physical security including entrances, CCTV, security guards etc. can be assessed.

SOCIAL ENGINEERING Designed to identify shortfalls in employee security awareness and physical security, provide actionable remediation advice to combat the threat of malicious attackers and ultimately reduce the risk of employee-related security breaches.