Frequently Asked Questions

What exactly is a penetration test?

A penetration test (or "pentest") is a simulated cyberattack against your systems to identify and assess vulnerabilities before real attackers can exploit them. Think of it as hiring an ethical hacker to try to break in — not to cause damage, but to show you exactly how someone else could.

At MyPentestPal, we go beyond surface-level scans. We dig into your applications, APIs, infrastructure, and configurations to identify the gaps that automated tools and checkbox reports usually miss. Then we clearly document the issues, demonstrate the impact, and guide you through fixing them.

Why do I need a pentest if I already have antivirus and firewalls?

Firewalls and antivirus software are like locks on your doors — useful, but not foolproof. They can’t tell you if someone already snuck in through a forgotten window, or if your front door was accidentally left ajar during a deployment.

A pentest simulates a real-world adversary and looks at your system the way an attacker would. It’s the only reliable way to see what’s truly exposed and how secure your system is in practice — not just in theory.

What do you test during an engagement?

It depends on your scope and needs. We tailor every engagement to what matters most to your business. That could include:

  • Web applications and APIs
  • Mobile apps (iOS/Android)
  • Internal networks and on-prem infrastructure
  • Cloud environments (AWS, Azure, GCP)
  • Authentication and access controls
  • CI/CD pipelines and DevOps configurations
  • Source code review (on request)

If it touches the internet or holds data — it’s in scope. We also include business logic abuse testing, privilege escalation checks, and anything else relevant to your threat model.

How long does a typical assessment take?

This really depends on the scope, complexity, and size of your systems. A small web application might take 3–5 days, while a full cloud environment or multi-product suite could take 2–4 weeks.

We’ll provide an estimated timeline before the engagement starts — and we always work to strike a balance between speed and thoroughness. If you need something fast and focused, we can do that too.

Is this a vulnerability scan or a real pentest?

Real pentest. Always.

We do not offer “report-driven” scans where someone clicks a button and delivers a PDF full of false positives. Our tests are hands-on, manual, and deeply contextual. We use tools to assist us, but never as a substitute for human insight and creativity.

If your current provider only sends automated scan reports, you’re missing the point — and likely still exposed.

What happens if you find something serious?

We’ll tell you. Immediately.

Our team works transparently and will flag critical vulnerabilities the moment they’re confirmed — no waiting until the final report. If something puts your customers, data, or business continuity at risk, we escalate straight away and advise you on immediate remediation steps.

Our goal isn’t just to report — it’s to protect.

Is this legal? Are you hacking us?

Yes — and yes, but with permission.

All of our engagements are fully authorized and documented with legal agreements. You give us permission to test, and we follow strict ethical and legal standards. Nothing is done without your written consent.

We’re here to help you find problems — not create them.

Do you offer retesting or follow-up assessments?

Absolutely. After delivering your report, we’re happy to verify that the fixes have been correctly applied. In fact, we often recommend a retest — it’s the best way to validate that your risk level has genuinely dropped and no new issues were introduced during patching.

We also offer long-term retainer relationships for companies that want ongoing security assessments, check-ins, or rapid response availability.

Will your report help with compliance?

100%. Our pentest reports can support compliance for frameworks like ISO 27001, SOC 2, PCI-DSS, GDPR, HIPAA, and more. We clearly outline findings, severity levels, proof-of-concept examples, and actionable remediation guidance.

If your auditor wants proof you’re testing your systems properly, we’ve got your back.

Do you offer training or support for dev teams?

Yes — and we love doing it. We offer tailored security training for developers, product teams, and infrastructure leads. Everything from secure coding practices to threat modeling and defensive strategies. If your devs are tired of boring PowerPoints, we’re your people.

Real-world examples. Live demos. Zero fluff.

How do I get started?

Simple — submit a free pre-assessment. We’ll take a quick look at your system and confirm we have visibility. Then we’ll send a confirmation and, once you’re happy to proceed, we’ll kick off the full engagement.

Payment details are only sent once everything is locked in. When testing is complete, you’ll receive a full report via our secure portal. You can also reach out anytime at ben@mypentestpal.co.uk or DM me on X (@SimplyBendy).