
The difference between a good penetration test and a great one

Tom Wedgbury, Managing Principal Security Consultant, LRQA

With many penetration testing providers in the market, choosing the right security partner can be overwhelming. Understanding what separates genuine value from a simple checkbox exercise is important. LRQA's Tom Wedgbury explores what makes a good penetration testing service and how to extract real value. 


Rethinking the role of penetration testing

There’s a widespread misconception that penetration testing is simply about finding technical weaknesses. In many organisations, it still plays out like this: a test is scoped quickly, tools are deployed, a list of vulnerabilities is reported, and the report is filed away. 

But in today’s environment – where threat actors combine cloud misconfigurations, stolen credentials, supply chain compromise and even AI deception – that approach leaves far too much to chance. 

Effective penetration testing goes beyond detecting vulnerabilities using automated tools. The real value comes from demonstrating how real threat actors could compromise your systems and whether your defences would hold up. This requires deeper analysis, deliberate scoping, and understanding the business context behind each vulnerability. 


False confidence is a growing risk 

Receiving a clean or low-severity penetration test report might seem reassuring. But it’s important to ask: was the scope right? Were the scenarios realistic? Did the test simulate how an adversary would actually move through your estate? 

Time and time again, we see the same vulnerabilities resurface in organisations – not because they weren’t flagged, but because they weren’t truly understood. Without meaningful prioritisation and follow-through, even the best test results can be ignored or misinterpreted. 

This is where false confidence becomes dangerous. Boards and senior stakeholders may believe systems are secure because a test was completed. But if the test didn’t consider business context, lateral movement or chained vulnerabilities, the assurance may be superficial at best. 


The difference is in the scoping

A test’s impact is determined long before the first scan or manual exploit begins. It starts at the scoping stage. 

It’s tempting to test everything or to focus only on external-facing assets. But both approaches can fall short. A broad scope risks spreading effort too thin, while a narrow one may overlook critical internal paths – like how a minor misconfiguration could lead to privilege escalation or sensitive data exfiltration. 

Instead, the scoping process should begin with threat modelling: What are the key assets? Who are the likely adversaries? What compliance obligations apply? What does a successful breach look like for this business? 

Answering those questions shapes a meaningful, risk-led test that prioritises what matters most – not what’s easiest to assess. 


Why methodology matters more than tooling

Tools are essential in security testing, but they’re not the whole story. Automated scanners help establish baselines, but they often miss deeper issues: business logic flaws, chained vulnerabilities, context-specific exposure. 

Manual testing, guided by technical experience and business context, is where real insight emerges. It’s how a penetration tester can pivot from one foothold to another, uncover lateral movement paths, and demonstrate how different elements combine to create genuine risk. 

At LRQA, every engagement follows a seven-phase methodology – from reconnaissance and mapping to exploitation, debrief and retest. This approach shows how an attack could unfold in the real world and helps you stop it. 


Reporting that drives action

One of the most overlooked elements of penetration testing is how findings are communicated. 

Too often, reports include long lists of issues without prioritisation or context. The result? Security teams are left guessing, engineers feel overwhelmed, and leadership can’t see the business relevance. 

Clear reporting – combining executive summaries, technical detail, risk heatmaps and remediation plans – ensures findings don’t just sit in a document. They get understood, acted upon and resolved. 

That’s why live debriefs are essential. They provide an opportunity to walk through scenarios, align priorities, and confirm that everyone understands the implications – and the next steps. 


Testing is not a one-off event

Penetration testing should never be a once-a-year checkbox. Effective programmes build in follow-up, validation and iteration. The goal extends beyond surfacing risk to actually reducing it. 

A key part of that is the retest window. Without retesting, it’s impossible to confirm whether vulnerabilities have been fixed or if new issues have been introduced. And without a cycle of learning and refinement, the same problems often return. 

Great penetration testing services treat each engagement as part of a longer, continuous journey – one that matures the organisation’s ability to prevent, detect and respond to real-world threats. 


What does “great” look like?

From our experience, truly valuable penetration testing: 

  • Begins with threat-led scoping, aligned to business priorities 
  • Uses skilled manual testing, not just automated scans 
  • Covers relevant attack paths – including identity, cloud, and supply chain 
  • Delivers clear, contextual reporting 
  • Includes debriefs, remediation support and retests 
  • Connects security findings to business impact and compliance goals 

The value doesn't come from the number of pages in the report or how many vulnerabilities were found. What matters is whether the test provided meaningful insight, helped reduce real risk, and improved your security posture over time.


Explore the full guide

Want to go deeper? Our Essential Guide to Penetration Testing offers a detailed look at attack vectors, testing styles and how to benchmark the quality of your current provider – including a 9-point checklist.



Final thoughts

Penetration testing should provide clarity. It helps organisations to continuously understand where they're exposed, what's at stake, and how to build resilience. 

In a threat environment that’s only becoming more complex, the value of well-executed, context-aware penetration testing has never been higher. Learn more about our penetration testing services.
