Levels of Penetration Tests

Which level of test do you need?

The table below compares the different levels of tests available to assess and exploit potential vulnerabilities on your networks and systems. Any combination of these tests is available, depending on client requirements. The scope of each test is established and agreed based on detailed consultation with our clients.

In most cases, IT Governance’s CREST-approved penetration testing team recommend a Level 1 Penetration Test that will identify exploitable vulnerabilities before they can be uncovered by an indiscriminate cyber attack.

Level 1 Penetration Test

Our Level 1 Penetration Test identifies potential vulnerabilities that your networks, systems, websites and web applications, or wireless networks may be exposed to.

Combining a series of manual assessments – where systematic and logical thought processes, analytical thinking and skilful decision-making are required – with automated scans, our team is able to assess the true extent of your system or network’s vulnerabilities.

Conducted by highly skilled ‘ethical hackers’, the Level 1 Penetration Test includes a detailed report providing recommendations for fixing any holes and addressing each of the identified issues. This type of test provides a good overview of an organisation’s security posture and in most cases is a faster and more cost-effective solution than the lengthier Level 2 Penetration Test.

Level 2 Penetration Test

This test involves looking at the potential vulnerabilities identified and explicitly trying them one by one to see if the tester can obtain access to the resources.

A Level 2 Penetration Test is a painstakingly detailed process of identifying security holes and vulnerabilities in your hardware and software (including printers, fax machines, workstations), systems or web applications and then attempting to exploit them. Due to the extent of these tests, Level 2 Penetration Tests often take several weeks to complete and are usually only recommended to clients who require a complex cyber attack simulation.

Vulnerability scans

A vulnerability scan is a series of automated tests that provide a very high-level overview of the potential vulnerabilities. Vulnerability scans do not provide the deep analysis and insights of a vulnerability assessment or a penetration test, due to the expertise, experience and depth of combined automated and manual tests employed by penetration testing teams.

| Detail of test | Vulnerability Scan | ITG Penetration Test – L1 | ITG Penetration Test – L2 |
|---|---|---|---|
| Pre-assessment client scoping and consultation | Tick | Tick | Tick |
| Scope of assessment | Agreed with client | Agreed with client | Agreed with client |
| Fixed-price package available | --- | Yes, limited scope | --- |
| Can be conducted internally and externally | Tick | Tick | Tick |
| Identification of potential vulnerabilities | Tick | Tick | Tick |
| Identification of configuration vulnerabilities | Tick | Tick | Tick |
| Identification of potential security loopholes | --- | Tick | Tick |
| Immediate notification of critical issues | Tick | Tick | Tick |
| Automated scanning | Tick | Tick | Tick |
| Manual scanning | --- | Tick | Tick |
| Manual testing | --- | Tick | Tick |
| Manual grading of vulnerabilities | --- | Tick | Tick |
| Exploitation of potential vulnerabilities to establish the impact of an attack | --- | --- | Tick |
| Type of report generation | Automated report | Manually written | Manually written |
| Executive summary in business terms | --- | Tick | Tick |
| Technical report with remedial actions per identified issue | --- | Tick | Tick |
| Where used | | | |
| Facilitates compliance with the PCI DSS (dependent on compliance category) | Not recommended | Tick | Tick |
| Facilitates compliance with ISO27001 | Not recommended | Tick | Tick |
| When to conduct tests | | | |
| On a regular basis | Tick | Tick | Tick |
| After changes have been made to the network/website | Tick | Tick | Tick |
| After a data breach | Not recommended | Tick | Tick |

Speak to an expert

For more information and guidance on penetration testing or the packages IT Governance offers, please contact our experts, who will be able to discuss your organisation’s needs further.