Penetration Testing Risks

What are the risks to someone performing a penetration test?

It seems this question has been asked 100 times, yet the other day I was typing up the same answers again because for some reason there was no write-up.

This is generic, but hopefully it saves us all time in the future. 


Basically, there are two key risks.

1. There is no guarantee systems won't have some type of denial of service.

This is typically a result of older legacy systems or custom applications being taken offline by an automated vulnerability scanner or by overly aggressive use by the attacker.

2. Bandwidth or system utilization may be increased, resulting in performance loss.

Depending on the amount of automated scanning, the size of the network pipes (both scanning and target), and the number of open ports on a particular system, it is possible to overwhelm a service or medium, resulting in a performance loss.

Mitigating Risks:

To help prevent a denial of service, many approaches can be taken. Here are some examples.

1. Exclude legacy systems from automated testing. To ensure security, perform manual testing of excluded items.

2. Exclude custom applications from automated testing. To ensure security, perform manual testing of excluded applications.

3. Perform testing of critical systems during off hours. Critical systems can be scheduled for testing during low-volume business hours or outside business hours.

4. Perform testing in a phased manner, starting with user acceptance testing (UAT) environments, to ensure the actual tests do not affect particular systems or networks. Once UAT is complete, begin testing on production environments.

5. Set up monitoring and escalation procedures prior to testing. Ensure fault management is in place so that systems send alerts when they go down. Ensure proper phone numbers and other contact information are defined so that problems can be investigated and services restored immediately. Escalation procedures should include contact information for the person performing the testing so that all testing can be stopped immediately if required.

To help prevent bandwidth issues, automated testing can be throttled back to use less bandwidth. Also, the number of ports can be reduced if there is a concern about overloading a particular group of systems. Usually it is recommended to test the UAT environment instead of reducing the number of ports, because certain vulnerabilities may be missed when ports are skipped.
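The following is an added example, not part of the original post, that turns the mitigations above into an ordered test plan: legacy and custom systems go to manual testing, UAT runs before production, critical systems are held to off hours, and automated scans share a rate budget. The field names, the 500 packets-per-second budget, the 08:00 to 18:00 business hours and the hostnames are all assumptions.

```python
from dataclasses import dataclass
from datetime import time

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed; set per engagement
PHASE = {"uat": 1, "prod": 2}               # UAT is tested before production

@dataclass(frozen=True)
class Target:
    host: str
    env: str                  # "uat" or "prod"
    legacy: bool = False
    custom_app: bool = False
    critical: bool = False

@dataclass(frozen=True)
class Task:
    phase: int
    host: str
    method: str               # "automated" or "manual"
    off_hours_only: bool
    max_pps: int              # scanner rate cap; 0 for manual work

def build_plan(targets, pps_budget=500):
    """Manual-only for legacy/custom, UAT first, critical off hours, shared rate budget."""
    auto = [t for t in targets if not (t.legacy or t.custom_app)]
    tasks = []
    for t in targets:
        peers = sum(1 for o in auto if o.env == t.env)  # scanned in the same phase
        tasks.append(Task(PHASE[t.env], t.host,
                          "automated" if t in auto else "manual", t.critical,
                          pps_budget // peers if t in auto else 0))
    return sorted(tasks, key=lambda k: (k.phase, k.host))

def may_run(task, now, uat_signed_off):
    """Production waits for UAT sign-off; critical hosts wait for off hours."""
    if task.phase == 2 and not uat_signed_off:
        return False
    start, end = BUSINESS_HOURS
    return not (task.off_hours_only and start <= now < end)

INVENTORY = [  # constructed sample; hostnames are placeholders
    Target("erp-uat.example", "uat", critical=True),
    Target("web-uat.example", "uat"),
    Target("erp-prod.example", "prod", critical=True),
    Target("as400.example", "prod", legacy=True),
    Target("billing.example", "prod", custom_app=True),
    Target("web-prod.example", "prod"),
]
```

Calling `build_plan(INVENTORY)` returns the tasks in execution order, and `may_run` is the check to make before each task starts.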



  1. Great post. Making sure whatever settings or parameters were changed during the Pen Test are set back to their original condition is the most complicated issue to me.


  3. Superb post, but I was wondering if you could write a little more on this subject? I'd be very grateful if you could elaborate a little bit further. Cheers!

  4. Have you ever thought about creating an e-book or guest authoring on other blogs? I have a blog based on the same topics you discuss and would love to have you share some stories/information. I know my audience would appreciate your work. If you're even remotely interested, feel free to shoot me an e-mail.
