
Pentest: when and who needs it?

A pentest, or penetration test, is a controlled check of how realistic it is to break into a specific device, a service or a company's entire IT infrastructure. Below, without unnecessary technical detail: when a business needs one, who performs it, what it produces and what to do with the results.

How users and companies are hacked

Perhaps you are familiar with the situation: out of the blue you receive a message from someone you went to school with or were once close to, but with whom in recent years you have exchanged only formal greetings. The message is confused and alarming: "got into trouble," "urgently need money," "can you help?" Such stories are becoming more common.

As the head of a cybersecurity company, I usually do not answer right away in such cases. First, I let the person speak, and then I try to reach the real owner of the account by other means – by phone or through another messenger. Almost always, the person "on the other end of the line" is under severe stress. Their reaction is comparable to that of a pickpocket's victim whose wallet or smartphone was stolen on the subway: "I woke up, and people are writing to me that someone is asking for money on my behalf. I don't understand anything – what do I do, where do I turn?"

Account takeovers in Telegram and VKontakte number in the tens and hundreds of thousands of cases a year. Often access cannot be restored at all, and the person has to start from scratch. Given that a significant part of our lives moved online long ago, such a loss is not just an inconvenience but a serious blow. This is not only about private messages. A large amount of work-related information also passes through messengers and social networks, including corporate passwords, account numbers, contacts of important people and sometimes bank card details.

Apply this scenario to a business and it is clear that companies are attacked even more often than private users. The vectors are phishing emails, fake calls with AI-cloned voices, ransomware and many others. Often one mistake is enough, yours, a colleague's or an ordinary employee's, for attackers to gain control over the entire IT infrastructure.

In such a situation the business is threatened by more than ransom demands. Fines are possible for personal data leaks or for violating the procedure for interacting with regulators, and they sometimes cost more than the incident itself. Add the reputational damage after media coverage, and the combined effect can be fatal for the company.

And when the regulator naturally asks, "What did you do to prevent this?", it will be extremely hard to answer.

Cyberattacks and their consequences

The attacks on large companies that were widely reported in the spring and summer of 2025 belong to the APT (Advanced Persistent Threat) class: complex, targeted and sustained. They combine several methods at once and are prepared by teams of highly qualified specialists. On average, reconnaissance and infiltration take six to twelve months.

Even a serious business that has spent years building its information security architecture and invested millions of rubles in protection is not immune from painful consequences. The July attack on Aeroflot led to the cancellation of 42% of flights in a single day, with direct damage estimated at more than 250 million rubles. In the case of Vinlab, experts spoke of losses of up to 1.5 billion rubles, including potential turnover-based fines for the data leak. The pharmacy chains Stolichka and Neopharm lost about 500 million rubles from the shutdown of retail outlets, websites and mobile applications.

At the same time, experienced attackers can compromise the IT infrastructure of a small company in 15-30 minutes: enough to gain access to a database or an administrative account. Small businesses face such attacks regularly, especially when they supply IT solutions to large corporations or work as their contractors. The security of a system is always determined by its weakest link. When companies are interconnected and exchange data through APIs or file transfers, trust in the "reliability" of such channels often turns into a critical vulnerability.

If a large company can still survive a fine or downtime, for a small contractor such an incident often means being unable to continue operating and, in effect, the closure of the business.

It is impossible to predict who will be the target of the next attack. But that does not mean you cannot prepare for it. That is why it makes sense for small and medium-sized businesses to consider conducting pentests.

A pentest is a way to assess your chances of coming through a crisis without loss or with minimal damage. It is widely believed that hackers are only interested in large corporations and that small companies have nothing to fear. In practice, everyone is attacked; only the scenarios and tools differ.

Who needs a pentest

I use a simple formula: if a company collects, stores or transmits user behavior data, personal data or customer information, then a penetration test of its IT infrastructure is needed.

Hackers in the cinema and in reality

The stereotypical image of a hacker, a hooded figure in a dark room typing commands at breakneck speed, has little to do with reality. One thing in it is true, though: anonymity really is vital to hackers.

Black hats, white hats and other hats

Hackers who break into legitimate businesses and critical information infrastructure on commission from criminal gangs, competitors or even intelligence agencies are classified as black hats. Until a trial, little is usually known about them beyond nicknames or the names of the groups they belong to.

"White hackers," or white hats, work legally and with the customer's permission. Their names are known in the professional community, the client receives information about their experience and often interacts directly with the team. White-hat work is also surrounded by confidentiality, but here it is part of the professional standard.

There are also gray hats: specialists whose penetration activities are not authorized but are not criminal in intent. They usually notify the company of the vulnerabilities they find, for a reward or for altruistic reasons. Legally, however, their path may end as badly as a black hat's: testing without authorization is unlawful regardless of motive.

Separately, it is worth mentioning specialists working inside companies or in their own consultancies. They are often called blue hats, by analogy with the red team/blue team concept, where one side simulates an attack and the other builds the defense. There are also bug bounty hunters, vulnerability hunters who officially take part in public bug bounty programs. In Russia this market is still underdeveloped, but it has grown markedly over the past three years, and there are already examples of significant savings for customers.

How one becomes a hacker

The question "how do you become a hacker" is a bit like asking where Jedi are trained. At Jedi universities, of course! Future hackers do also study at good universities. But in essence hacking is still more an art than a craft; it presupposes a vocation and a particular way of thinking. That is why large information security companies begin selecting promising specialists from the first years of study at specialized universities.

Yes, this creative profession has its artisans, its opportunists and its geniuses. They share one common problem: the strong temptation to make quick money. Once on the darknet and in contact with "colleagues," young specialists do not always pass this test.

If a talent is spotted before graduation, they are invited to join the company, where they continue learning and obtain certifications (CEH, OSWA/OSWE, CISSP, etc.). Later, a "white hacker" can grow into a CISO or a security architect. Career prospects here are genuinely broad.

Do hackers change the color of their hats?

The story of Kevin Mitnick, who became a security consultant after prison, is a rare exception. In practice, information security companies are extremely reluctant to work with former professional criminals: the reputational risk is too high, especially with large and government customers. In theory the transition from black hat to white hat is possible; in reality it almost never happens.

How to choose a contractor for a penetration test

First, request and check the company's incorporation documents, its public presence and the experience of its specialists, paying attention to current certifications. It is useful to study customer references and letters of thanks and to interview the team.

This is the standard set of steps when choosing any professional service. The only peculiarity is that not every contractor is willing to spend much time on preliminary discussions, so the list of checks should be kept reasonable.

What pentest looks like in practice

A pentest is an imitation of an attacker's actions. Different models are used: "black box" testing, where the specialist starts with no prior information about the target, and "gray box" testing, where they are given limited access or knowledge. The best results come from applying both approaches in sequence.

The specialist agrees a work plan, tools and testing boundaries with the customer, then runs automated and manual checks of the external and internal perimeter: web services, mobile applications and IT systems. Where required, employee awareness is also assessed using social engineering methods.

If a working attack vector is found, the specialist notifies the customer and agrees on further actions. The result is a detailed report describing penetration routes, vulnerabilities, their severity and recommendations for remediation.
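The testing boundaries agreed with the customer are what separate a pentester from the gray hats described above, so a practitioner wants them enforced in the tooling rather than remembered. The following is an added example, not code from the article or from the author's company: a small scope guard that refuses any target not explicitly allowed. The scope-file format (lines starting with "+" are in scope, "-" are exclusions, exclusions win), the hostnames and the engagement itself are assumptions; the IP ranges are RFC 5737 documentation addresses.

```python
"""Scope guard for a penetration test.

Example code added by the editor, not from the article or the author's
company. The scope-file format ('+' in scope, '-' excluded, exclusions win),
the hostnames and the engagement are hypothetical; the IP ranges are RFC 5737
documentation addresses.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed scope agreed with the (hypothetical) customer.
SCOPE_TEXT = """
+ 203.0.113.0/24         # DMZ
+ 198.51.100.10          # single VPN concentrator
- 203.0.113.5            # production database inside the DMZ: do not touch
+ *.example.com          # all subdomains, but not the bare apex domain
- crm.example.com        # hosted by a third party that has not authorized testing
"""


@dataclass
class Scope:
    allowed_nets: list = field(default_factory=list)
    excluded_nets: list = field(default_factory=list)
    allowed_hosts: set = field(default_factory=set)     # exact hostnames
    allowed_suffixes: set = field(default_factory=set)  # ".example.com" from "*.example.com"
    excluded_hosts: set = field(default_factory=set)    # host and everything under it

    @classmethod
    def parse(cls, text: str) -> "Scope":
        scope = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            sign, target = line[0], line[1:].strip().lower()
            if sign not in "+-" or not target:
                raise ValueError(f"bad scope line: {raw!r}")
            try:
                net = ipaddress.ip_network(target, strict=False)
            except ValueError:
                net = None                        # not an address or CIDR: treat as hostname
            if net is not None:
                (scope.allowed_nets if sign == "+" else scope.excluded_nets).append(net)
            elif sign == "-":
                scope.excluded_hosts.add(target.rstrip("."))
            elif target.startswith("*."):
                scope.allowed_suffixes.add(target[1:])
            else:
                scope.allowed_hosts.add(target.rstrip("."))
        return scope

    def in_scope(self, target: str) -> bool:
        """True only if the target is explicitly allowed and not excluded."""
        t = target.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            addr = None
        if addr is not None:
            if any(addr in net for net in self.excluded_nets):
                return False
            return any(addr in net for net in self.allowed_nets)
        # Hostnames: an exclusion covers the host itself and all of its subdomains.
        if any(t == h or t.endswith("." + h) for h in self.excluded_hosts):
            return False
        if t in self.allowed_hosts:
            return True
        return any(t.endswith(suffix) for suffix in self.allowed_suffixes)


def partition_targets(scope: Scope, targets):
    """Split a target list into (in_scope, out_of_scope); scan only the first."""
    inside, outside = [], []
    for target in targets:
        (inside if scope.in_scope(target) else outside).append(target)
    return inside, outside


if __name__ == "__main__":
    scope = Scope.parse(SCOPE_TEXT)
    candidates = ["203.0.113.7", "203.0.113.5", "198.51.100.11",
                  "www.example.com", "example.com", "api.crm.example.com"]
    ok, refused = partition_targets(scope, candidates)
    print("in scope:", ok)
    print("refused :", refused)
```

The guard is deliberately default-deny: anything the scope file does not name is refused, an excluded address wins even when it sits inside an allowed network, and excluding a hostname also excludes everything under it. Feeding a scanner's target list through partition_targets before launching it is a cheap way to keep an engagement inside the boundaries the report will later be judged against.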

Why you need a pentest report

Information security is a process, not a one-time event. You close one critical vulnerability, but six months later there are new employees, systems, software and accounts. Today you may have ten vulnerabilities, tomorrow a hundred: old ones come to affect more systems and data, and new ones appear along with the installation of updates.

If only the most acute symptom is treated, the system does not become "healthy." Fixing vulnerabilities is difficult and expensive, but if you don't, they accumulate and create a high-risk area.

Human factor

Most typical vulnerabilities repeat year after year: weak passwords, clicks on phishing links, "forgotten" administrative access on ordinary users' devices. The reason is the human factor. There are also almost anecdotal cases where a pentester gets past security and reception on the pretext of a forgotten pass and walks freely into an unlocked server room.

There are more complex cases. For example, I know of a case where, through a fake interface of a video conferencing service, employees, including administrators, entered their logins and passwords themselves while trying to "restore" the application. In less than a day, more than 50 accounts were collected, including admin ones, and access to conference recordings was obtained.

Pentest as an investment in business sustainability

A pentest is often seen as an optional expense item. It is more correct to treat it as an investment in the resilience of the business. The cost of even a deep assessment is incomparable with the damage from a real attack: fines, downtime, data leaks and reputational losses.

A pentest lets you find weaknesses before attackers do. And if you keep postponing it, one day you may learn about your vulnerabilities with horror not from "white hackers" but from "black" ones.

By Dmitry Livshin, CEO of CYBER | Business Consulting
