If you have to ask, you’re not alone

Most Belgian business leaders have heard the term. Few have a clear picture of what penetration testing actually involves, who needs it, or what separates a real security engagement from an expensive compliance exercise.

This post tries to answer those questions plainly.

What a penetration test actually is

A penetration test is a controlled, authorized attempt to break into your systems the way a real attacker would.

A security professional is given a defined scope, a set of rules of engagement, and a mandate to find weaknesses. They use the same techniques and tools as a malicious attacker. The difference is they are working with your permission, they document what they find, and they tell you how to fix it.

The question a good penetration test answers: if a skilled attacker targeted your organization right now, what would they find and how far could they get?

That is different from confirming you have the right controls on paper. A lot of what gets sold as security testing is closer to the latter. Knowing the difference matters before you spend money on it.

What it is not

A vulnerability scan is not a penetration test. Automated scanners find known weaknesses quickly and cheaply. They are useful as a baseline. They cannot chain findings together, probe business logic, or find the gap between what a system is supposed to do and what it actually does under pressure. That requires a human tester.

An audit is not a penetration test either. An audit checks whether you have implemented certain controls. A penetration test checks whether those controls hold up under adversarial conditions. Both are useful. They answer different questions.

And a penetration test is not a one-time certification. Your environment changes, new code ships, configurations drift. A test is a snapshot. Organizations with mature security programs test regularly and treat the results as input into an ongoing process, not a finished product.

How an engagement works

Most penetration tests follow a recognizable structure, though specifics vary by scope and tester.

Scoping and rules of engagement. Before anything technical happens, the scope gets defined. What systems are in scope? What attack techniques are permitted? Is this a black-box test (the tester starts with no prior knowledge, simulating an external attacker) or white-box (the tester has access to architecture diagrams, source code, credentials)? Are there production systems that need careful handling?

Getting this right matters. Good scoping focuses effort on what actually matters to your business and prevents surprises.

Reconnaissance. The tester maps the attack surface: domains, IP ranges, exposed services, publicly available information about your technology stack and personnel. Belgian organizations often have a broader attack surface than they expect. Public web applications, APIs, cloud services, remote access infrastructure, supplier integrations — each is a potential entry point.

Exploitation. This is where tester skill matters most. Automated tools flag potential vulnerabilities. Only a human connects them into realistic attack paths. A misconfigured API endpoint, a weak JWT implementation, and an overpermissioned service account in combination can reach data that none of them expose individually. That kind of chaining is what separates genuine testing from scanner output.

Post-exploitation. In more comprehensive engagements, once initial access is gained, the tester continues: escalating privileges, moving laterally, accessing data. The question shifts from “can we get in?” to “how far can we get and what can we reach?” For organizations handling sensitive personal or financial data, this part of the picture is often more important than knowing a single entry point exists.

Reporting. This is the deliverable. Quality varies enormously.

A useful report has an executive summary written for someone who needs to understand risk and make decisions — not someone who wants to read CVE references. It has technical detail sufficient for engineers to reproduce and fix each finding. Risk ratings are calibrated to your actual environment, not generic severity scores. And every finding has evidence: screenshots, request and response pairs, proof of concept code where relevant. Generic recommendations to “patch systems” are not remediation guidance.

The different types

Not all penetration tests are the same. What you need depends on what you are trying to protect and what questions you are trying to answer.

External network testing covers what an attacker targeting your internet-facing infrastructure can access: your exposed IP ranges, domains, and services. This is usually the starting point for organizations that have not done this before.

Web application testing focuses on the security of your web applications: authentication flows, session management, input handling, access controls, API endpoints. Any organization with a customer-facing application should be doing this regularly. Once a year is a floor, not a ceiling.

Internal network testing simulates what an attacker can do once they are already inside your network, whether through a phishing attack, a compromised device, or physical access. Internal tests tend to reveal how far the damage could spread after initial access — which is usually further than organizations expect.

Mobile application testing covers iOS and Android applications: client-side vulnerabilities, insecure data storage, API security. Relevant for any organization with a mobile app that handles user data.

Social engineering tests whether your employees can be manipulated into revealing credentials or granting access, through phishing emails, phone calls, or in-person pretexts. The human element is often where otherwise technically sound defenses fail.

Red team assessments go beyond a standard penetration test. Rather than finding as many vulnerabilities as possible within a defined scope, a red team simulates a realistic adversarial campaign: initial access, persistence, lateral movement, and achieving specific objectives without being detected by your security team. Red team engagements test your detection and response capabilities, not just your technical controls. If you have done penetration testing before and want to know how your security operations would hold up against a skilled, patient attacker, a red team assessment is usually the more instructive exercise.

The Belgian regulatory context

Belgian organizations face overlapping security obligations that either require or strongly imply regular penetration testing.

GDPR Article 32 requires “regular testing, assessing and evaluating the effectiveness of technical and organisational measures.” That is not a suggestion. The Belgian Data Protection Authority (GBA/APD) has shown it will act on inadequate security practices, and “we had controls in place” is not a sufficient defense if you cannot demonstrate they work.

NIS2, transposed into Belgian law in late 2024, extends mandatory cybersecurity obligations to thousands of organizations across 18 sectors, with explicit requirements around vulnerability handling and security testing.

DORA imposes threat-led penetration testing requirements on financial entities. For larger institutions, this means TIBER-EU-aligned red team exercises conducted at defined intervals.

On top of these, sector-specific requirements from the NBB, FSMA, and European supervisory authorities add further obligations for financial services firms, payment processors, and critical infrastructure operators.

The regulatory pressure is real and getting heavier. But treating penetration testing purely as a compliance cost is the wrong frame. A test that only produces a report for regulators is a test where you did not get the value.

The threat reality

Belgian organizations are targets. The Centre for Cybersecurity Belgium documents ransomware campaigns, business email compromise, and supply chain attacks hitting Belgian companies across every sector, including manufacturing, healthcare, logistics, and professional services.

The assumption that attackers focus on large organizations is wrong and expensive to be wrong about. Financially motivated attackers run industrialized operations and target SMEs opportunistically. The barrier is not company size; it is the difficulty of compromise.

A penetration test costs a fraction of what a breach does. GDPR fines alone can reach €20 million or 4% of global annual turnover. Belgian ransomware incidents in recent years have produced weeks of operational disruption and recovery costs that dwarf the investment a regular testing program would have required.

Choosing a provider

Ask about methodology. A credible team will walk you through their approach in detail. References to OWASP Testing Guide, PTES, or TIBER-EU are reasonable indicators. Vague answers about proprietary methods are not.

Ask who does the actual work. Certifications (OSCP, OSWE, CREST, GXPN) are a baseline, but demonstrated experience in your specific environment type matters more. Ask for anonymized examples. Ask about the most interesting thing they found recently and how they found it.

Ask for a sample report before signing anything. If it reads like formatted scanner output, you know what the engagement will produce.

Local context matters more than it looks on paper. Testing Belgian web applications that integrate with eID or CSAM authentication, or that handle data under sector-specific Belgian regulations, is different from testing a generic international application. Testers who understand the local regulatory environment and threat landscape will produce a more useful risk assessment.

After the test

A penetration test without follow-through is money spent on a document. After delivery, triage findings by actual business impact with your engineering or IT team, prioritize the fixes that close the most significant attack paths, and plan a retest to confirm the work was done correctly.

Good providers include retest windows in the engagement. Use them.

Then plan the next test. Once a year is a reasonable starting point for low-risk profiles. Organizations handling sensitive personal data, operating critical services, or under NIS2 or DORA obligations should be testing more frequently. The right cadence depends on how fast your attack surface changes.

Where to start

If your organization has never had an independent penetration test, start with an external network and web application assessment covering your public-facing systems. That gives you the most immediate visibility into what an external attacker could access today.

If you have questions about scope, approach, or what makes sense for your environment, we are happy to talk through it.