When organizations invest in penetration testing, they’re often unsure what to expect from the process. A recent online discussion raised an important question: “Is our pen test provider’s approach normal, or are we getting shortchanged?”
It’s a fair concern. Unlike compliance audits, penetration tests don’t follow a single rigid script. There’s room for differences in methodology, but there are also red flags that distinguish high-quality, manual penetration tests from rushed, scan-based exercises.
If you’re about to engage a provider, or if you’re reflecting on the value of a recent test, here’s what you should know.
What a Normal Pen Test Should Include
A professional penetration test typically follows a structured lifecycle:
- Scoping & Goal Setting
The provider should start by understanding your business objectives. Are you testing for compliance, preparing for a product launch, or validating security after a major change? This shapes the test’s scope, timelines, and deliverables.
- Reconnaissance & Mapping
Testers map out your attack surface: domains, IP ranges, exposed services, and potential entry points. Even in a gray-box scenario (where you provide some access), this stage ensures testers know what attackers could discover.
- Exploitation
This is where the difference between providers becomes clear. A high-quality test goes beyond “running a scan” to actively exploit vulnerabilities, chain weaknesses together, and demonstrate real business impact.
- Post-Exploitation & Lateral Movement
Many breaches don’t stop at the first foothold. Testers should simulate what an attacker could do next: moving across systems, escalating privileges, or accessing sensitive data.
- Reporting & Remediation Guidance
The final report shouldn’t just be a laundry list of CVEs. It should connect findings to business risk, explain potential attack paths, and provide prioritized remediation recommendations.
If your provider skips or glosses over these stages, you’re not getting a true penetration test.
Red Flags That Suggest a Provider Is Cutting Corners
While every engagement looks a little different, here are common warning signs:
- Overreliance on Automated Scans
If your report looks like something Nessus or Qualys could generate, chances are you paid for a glorified vulnerability scan, not a pen test.
- Minimal Exploitation or Proof of Impact
A good tester will demonstrate risk. If findings are theoretical only, with no attempt to show what an attacker could really do, you’re missing the most valuable part of testing.
- One-and-Done Communication
Professional testers don’t disappear after kickoff and reemerge weeks later with a PDF. Expect regular check-ins, especially if they uncover critical risks mid-test.
- No Context for Your Business
A bank, a SaaS company, and a hospital face different risks. If your report feels generic, your provider may not have tailored the test to your environment.
Why the Difference Matters
Cybersecurity budgets are tight, especially for SMBs. Paying thousands for a test that doesn’t go beyond scanning wastes both money and opportunity.
The value of penetration testing lies in what scanners can’t do:
- Chaining vulnerabilities together into attack paths that show how real attackers break in.
- Simulating human ingenuity, like phishing, credential abuse, or business logic exploitation.
- Exposing blind spots in monitoring and detection that your SOC team needs to know about.
- Prioritizing remediation based on exploitability, not just theoretical severity.
Without these elements, you don’t have assurance; you just have noise.
What “Normal” Should Mean for You
At the end of the day, penetration testing isn’t just about checking a compliance box. It’s about trust: knowing your provider is applying the same level of scrutiny an attacker would.
So, when you hear yourself wondering, “Is this normal?”, remember:
- Normal should mean manual, human-driven testing.
- Normal should mean transparent communication throughout the process.
- Normal should mean reports that go beyond scans and CVEs, showing impact and providing actionable next steps.
Anything less? That’s not normal; it’s a shortcut. And shortcuts are exactly what attackers are counting on you to take.
Bottom line: If your last pen test left you questioning its value, you’re not alone. Many providers lean on automation, but that doesn’t mean you have to settle. Demand a provider that treats testing as a partnership, not a checkbox.
MainNerve provides comprehensive manual penetration testing. Contact us today for a free scoping review.