Skip to content

5 Common Pentesting Pitfalls to Avoid

Posted by: Victor Wieczorek

3 min read

Published 9/14/21, 10:00am

Effective penetration testing requires the use of appropriate planning, scoping, and methodologies, as well as a commitment to understand the outcomes and apply relevant mitigations to the security operations process. For organizations to achieve their security objectives during a penetration test and maximize their return on investment (ROI), penetration testing needs to be focused, purposeful, and designed to avoid the most common pitfalls and missteps that often plague successful penetration testing outcomes.

Pitfall #1: Don’t Panic!

Penetration testing can sometimes confuse businesses, particularly around what it means and what it will involve. Frantic questions and comments may drive the initial conversation, such as “How much of this do I have to do myself?” or “I don’t know what a red team is!” or “We’re on a super tight timeline to get this done.” For a business in need of a penetration test, the best thing to do is take a deep breath and proceed the right way: understand why penetration testing is important and take some time upfront to define the scope and rules of engagement. 

Pitfall #2: Failing to understand your purpose

The reasons why organizations engage in penetration testing vary. Some organizations use penetration testing to meet compliance requirements. Others want to ensure the safety and confidentiality of sensitive data, as well as customer goodwill. Some businesses view penetration testing as an opportunity to prove to their executives that their systems are not as secure as the company thinks they are. Other companies may have just implemented some new security technology or software that they want to ensure is working. All of these are entirely valid reasons for why companies initiate the penetration testing process. But penetration testing needs to be driven by more than just generalities, and a successful penetration testing effort requires forethought and planning.

Pitfall #3: Inadequate objective definition and understanding

Penetration testing objectives can vary, depending on the overall purpose and goals (which is why avoiding Pitfall #2 is so important!). Common pentesting objectives include:

  • Conduct an inventory of the attack surface
  • Identify security gaps
  • Test effectiveness of security
  • Demonstrate real-world impacts
  • Drive awareness and prioritization
  • Ensure regulatory compliance (e.g., NIST, HIPAA, PCI, FFIEC, NYDFS (23 NYCRR 500) and FINRA)

When defining objectives, it is critical to understand and detail overly general hypotheticals like these when defining penetration testing objectives.

  • “I want to see if we’re actually vulnerable.”
  • “I think we’re vulnerable, but no one cares.”
  • “I think our defenses are working but want to be more certain.”
  • “I need help justifying this ‘policy,’ ‘procedure,’ ‘tool,’ or ‘service.’

Pitfall #4: Insufficient understanding of influences and dependencies

Once you’ve detailed any hypotheticals, recognizing and managing the influences and dependencies will help you better understand objectives and goals. For example: 

  • Informing and engaging with all corporate stakeholders to determine requirements, as well as address any concerns.
  • Identifying the party that is requesting a penetration test, such as an executive or compliance auditor.
  • Clarifying the process to enable a complete understanding of the penetration test results.
  • Determining which individuals or teams will receive the penetration test output (e.g., technical materials, non-technical content, attestations, etc.)
  • Understanding who is to receive the penetration testing “assurances.”

Pitfall #5: Lack of Communication 

During penetration testing, it is important to be conscious of who you’re communicating with during the penetration testing process and provide the various individuals involved in the testing with the type of information that will be useful to them. For example, technical staff will likely want to know the details of the tests so they can address future potential problems, while executives may not be interested in the minutiae but instead will want straightforward and basic narratives that they can share with the board in order to drive programs and funding.

The ultimate goal of this process is to provide the business with a model to prioritize activities within the penetration testing process by first obtaining meaningful information on any concerns or issues, such as business environment or operational impact and risk levels.

More on Pentesting

Watch for more blogs to come on penetration testing best practices.

Categories: Blog Cybersecurity

Victor Wieczorek

VP, AppSec and Threat & Attack Simulation,
GuidePoint Security

Victor Wieczorek drives offensive security innovation at GuidePoint Security, leading three professional services practices alongside the operational teams behind that work. This creates a feedback loop that makes delivery better for everyone. His practices (Application Security, Threat & Attack Simulation, and Operational Technology) cover the full offensive spectrum: secure code review, threat modeling, and DevSecOps programs; red and purple team assessments, penetration testing, breach simulation, and social engineering; OT risk assessments, framework alignment, and critical infrastructure security.

Before GuidePoint, Wieczorek designed secure architectures for federal agencies at MITRE and led security assessments at Protiviti. He holds OSCE and OSCP, and built depth in governance and compliance (previously held CISSP, CISA, PCI QSA) to bridge offensive work with risk communication. His teams operate with a clear philosophy: enable clients to be self-sufficient. That means detailed reproduction steps with real commands, no proprietary tooling that obscures findings, and deliverables designed so organizations can act without dependency. Under his leadership, GuidePoint achieved CREST accreditation and he was named to CRN's 2023 Next-Gen Solution Provider Leaders list.

His current focus reflects where the industry is heading. As AI agents move into production, both as threats and as security tools, Wieczorek has been thinking through what governance looks like for autonomous systems. His view: the more capable the technology, the more essential human accountability becomes. He speaks on this through various webinar series, industry podcasts, and annual conferences.

The Brick House: Continuous Penetration Testing—Defending Against the Modern Threat Actor
Join GuidePoint Security’s expert panel to explore how continuous penetration testing defends against modern threat actors on the Brick House webinar.
Watch Now

Related Articles

View All

  • Threat & Attack Simulation
The Brick House: Continuous Penetration Testing—Defending Against the Modern Threat Actor
Read More < 1 min read
  • Blog
Cyber Insurance Planning: Putting an Incident Response Retainer to Work 
Posted by: Nate Spurrier
Read More 2 min read
  • Blog
Security in the Vibe Code Era, Part 1: There’s No Gate to Keep
Posted by: Victor Wieczorek
Read More 7 min read