Penetration Testing Services in Raleigh-Durham, NC
Authorized, controlled attacks against your infrastructure -- conducted by ethical hackers with 25+ years of offensive security experience. We find the vulnerabilities that automated scanners miss, demonstrate real-world exploitation paths, and deliver prioritized remediation guidance so you can fix what matters first.
What Is Penetration Testing?
A penetration test is a controlled, authorized simulation of a cyberattack against your organization's systems, networks, and applications. Unlike vulnerability scanning -- which runs automated checks against databases of known CVEs -- penetration testing involves a skilled operator who thinks like an adversary, chaining together misconfigurations, weak credentials, unpatched software, and business logic flaws to demonstrate actual exploitation paths into your environment.
The objective is not to generate a list of theoretical risks. The objective is to show you, with proof-of-concept evidence, exactly how an attacker could compromise your systems, move laterally through your network, escalate privileges, exfiltrate data, or disrupt operations. A well-executed pen test answers the question every executive and board member needs answered: if someone targeted us today, how far could they get?
Petronella Technology Group (PTG) has been conducting penetration tests for businesses across the Research Triangle and throughout the Southeast since 2002. Our engagements are led by Craig Petronella, a Licensed Digital Forensic Examiner, CMMC Certified Registered Practitioner, and MIT-certified cybersecurity professional with more than 25 years of hands-on offensive and defensive security experience. We do not subcontract pen test work. Your engagement is handled by our in-house team, and every finding is validated manually before it appears in your report.
We test organizations of every size -- from 10-person medical practices in Cary to defense contractors near Fort Liberty (formerly Fort Bragg) handling Controlled Unclassified Information under CMMC. Each engagement is scoped to your specific architecture, threat model, and compliance requirements, using industry-standard methodologies including the Penetration Testing Execution Standard (PTES) and the OWASP Testing Guide.
Types of Penetration Tests We Perform
There is no single "pen test." The type of assessment you need depends on your attack surface, regulatory requirements, and the threat actors most likely to target your organization. PTG offers the following categories of penetration testing, each with distinct scope, methodology, and deliverables.
Network Penetration Testing
External network testing targets your internet-facing perimeter: firewalls, VPN gateways, mail servers, DNS infrastructure, public-facing web servers, and cloud endpoints. We enumerate your external attack surface, identify services exposed to the internet, and attempt exploitation of discovered vulnerabilities. Common findings include misconfigured firewall rules, outdated SSL/TLS implementations, exposed management interfaces, and default credentials on edge devices.
Internal network testing simulates an attacker who has already gained a foothold inside your network -- whether through a compromised endpoint, a rogue employee, or a phished user account. We test Active Directory configurations, network segmentation, privilege escalation paths, credential storage practices, and lateral movement opportunities. Internal tests routinely uncover Kerberoastable service accounts, LLMNR/NBT-NS poisoning opportunities, unpatched internal systems, and excessive user privileges that would allow an attacker to reach domain administrator status within hours.
Web Application Penetration Testing
Web applications are the most common initial attack vector for data breaches. Our web app pen tests follow the OWASP Testing Guide and cover the OWASP Top 10, including injection flaws (SQL, NoSQL, LDAP, XPath, command injection), broken authentication and session management, cross-site scripting (reflected, stored, DOM-based), insecure direct object references, security misconfiguration, sensitive data exposure, XML external entity attacks, broken access controls, cross-site request forgery, and server-side request forgery. We test both authenticated and unauthenticated attack surfaces, review API endpoints, and evaluate business logic for flaws that automated scanners cannot detect -- such as horizontal privilege escalation, race conditions, and parameter tampering.
Wireless Network Penetration Testing
Wireless networks extend your attack surface beyond the physical walls of your building. PTG conducts on-site wireless assessments that include rogue access point detection, WPA2/WPA3 configuration review, PMKID capture and offline cracking attempts, evil twin attacks, client isolation testing, and guest network segmentation validation. For organizations in the Research Triangle with multiple office locations, we test wireless security at each site to ensure consistent policy enforcement.
Social Engineering Penetration Testing
People remain the weakest link in most security programs. Our social engineering assessments test your employees' ability to recognize and resist manipulation. This includes targeted phishing campaigns with custom pretexts relevant to your industry, vishing (voice phishing) calls to helpdesk and reception staff, USB drop campaigns, pretexting scenarios designed to elicit sensitive information, and credential harvesting landing pages. Every social engineering engagement is carefully scoped with your leadership to define acceptable boundaries, and results are presented in aggregate -- we do not single out individual employees for blame. The goal is to identify training gaps and strengthen your human firewall.
Physical Security Penetration Testing
For organizations where physical access to servers, network equipment, or sensitive areas represents a meaningful risk, PTG conducts physical penetration testing. This includes attempting to bypass badge access systems, tailgating through secured doors, testing lock bypass techniques, evaluating security camera coverage, and assessing after-hours access controls. Physical pen tests are particularly relevant for healthcare organizations with server rooms containing PHI, financial institutions, and defense contractors subject to NIST 800-171 physical security requirements.
Our Penetration Testing Methodology
PTG's penetration testing methodology is built on two industry-standard frameworks: the Penetration Testing Execution Standard (PTES) and the OWASP Testing Guide. These frameworks provide a structured, repeatable approach that ensures comprehensive coverage while maintaining the flexibility needed to adapt to each client's unique environment.
PTES defines seven phases of a penetration test: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. We follow this lifecycle rigorously. During intelligence gathering, we use both passive reconnaissance (OSINT, DNS enumeration, certificate transparency logs, Shodan, LinkedIn) and active reconnaissance (port scanning, service fingerprinting, directory brute-forcing) to build a complete picture of your attack surface.
For web application testing, we layer in the OWASP Testing Guide, which provides granular test cases across eleven categories covering information gathering, configuration management, identity management, authentication, authorization, session management, input validation, error handling, cryptography, business logic, and client-side testing. Each test case maps to specific vulnerabilities and provides clear pass/fail criteria.
Risk scoring follows the Common Vulnerability Scoring System (CVSS v3.1) framework, supplemented with contextual risk analysis that considers your specific business environment. A SQL injection vulnerability on an internet-facing application containing payment card data receives a different business risk rating than the same technical vulnerability on an internal development server. Our reports reflect this distinction, helping your team allocate remediation resources where they matter most.
We also align our testing with the MITRE ATT&CK framework, mapping discovered attack paths to specific adversary tactics and techniques. This mapping allows your security team to cross-reference our findings against their detection capabilities, identifying gaps in monitoring and alerting that adversaries could exploit.
What You Receive After a Penetration Test
A penetration test is only as valuable as the report it produces. PTG delivers comprehensive documentation designed for two audiences: your executive leadership team and your technical staff responsible for remediation.
- Executive Summary -- A plain-language overview of findings, overall risk posture, and strategic recommendations. Written for non-technical stakeholders, board members, and compliance officers. Includes risk ratings and a visual summary of critical, high, medium, and low findings.
- Technical Findings Report -- Detailed documentation of every discovered vulnerability, including proof-of-concept screenshots, reproduction steps, affected systems, CVSS scores, MITRE ATT&CK mapping, and specific remediation guidance. Each finding includes evidence that an auditor or assessor can reference during compliance reviews.
- Attack Narrative -- A step-by-step walkthrough of the most significant attack chains we demonstrated, showing how individual vulnerabilities were combined to achieve objectives such as domain compromise, data exfiltration, or privilege escalation. This narrative helps your team understand the "so what" behind individual findings.
- Prioritized Remediation Roadmap -- A ranked list of remediation actions ordered by risk reduction impact, implementation effort, and quick-win opportunities. We separate findings into immediate (patch within 48 hours), short-term (30 days), and strategic (90 days) categories.
- Raw Scan Data and Tool Output -- Nmap results, Nessus/OpenVAS output, Burp Suite logs, and other tool artifacts provided for your security team's reference and archival.
- Remediation Verification Re-Test -- After your team addresses critical and high findings, PTG performs a targeted re-test to verify that vulnerabilities have been properly remediated. This re-test is included in every engagement at no additional charge.
Compliance Frameworks That Require Penetration Testing
Multiple regulatory frameworks either mandate or strongly recommend regular penetration testing. If your organization is subject to any of the following, periodic pen testing is not optional -- it is a documented requirement with specific frequency and scope expectations.
CMMC (Cybersecurity Maturity Model Certification)
Defense contractors in the Research Triangle working with Controlled Unclassified Information (CUI) must achieve CMMC Level 2 or higher. CMMC Level 2 maps to 110 security controls from NIST SP 800-171, including requirements for vulnerability scanning and security assessment. Level 3 incorporates NIST SP 800-172 enhanced controls that explicitly require penetration testing to validate the effectiveness of security measures. PTG's Craig Petronella holds CMMC Certified Registered Practitioner (CRP) credentials and has guided dozens of defense contractors near Fort Liberty and across North Carolina through the certification process.
HIPAA (Health Insurance Portability and Accountability Act)
The HIPAA Security Rule requires covered entities and business associates to conduct a periodic "technical evaluation" of security controls in response to environmental or operational changes (45 CFR 164.308(a)(8)). The HHS Office for Civil Rights interprets this to include penetration testing as a component of a risk analysis program. Healthcare organizations, medical practices, dental offices, and health IT companies throughout Raleigh-Durham should conduct pen tests annually and after any significant infrastructure change to satisfy HIPAA requirements and reduce breach risk.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS Requirement 11.4 explicitly mandates penetration testing at least annually and after any significant infrastructure or application change. The scope must cover all systems in the cardholder data environment (CDE) and any systems that could affect the security of the CDE. Both internal and external pen tests are required, and the testing methodology must follow an industry-accepted approach such as PTES or NIST SP 800-115. PTG's pen test reports are formatted to satisfy PCI DSS evidence requirements for QSA assessments.
SOC 2 Type II
While SOC 2 does not prescribe specific testing methodologies, the Trust Services Criteria require organizations to demonstrate that they regularly test security controls and identify vulnerabilities. Penetration testing is the most direct way to satisfy CC7.1 (detection of changes to the system) and CC7.2 (monitoring for anomalies and evaluation of events). Auditors reviewing SOC 2 Type II reports routinely expect to see evidence of regular penetration testing as part of a mature security program.
Additional Frameworks
- The FTC Safeguards Rule (effective June 2023) requires non-bank financial institutions to conduct annual penetration testing.
- The NIST Cybersecurity Framework recommends pen testing under the Identify and Protect functions.
- ISO 27001 Annex A.12.6 addresses technical vulnerability management, and pen testing supports compliance with it.
- GDPR Article 32 requires "regular testing, assessing and evaluating the effectiveness" of security measures, for which pen testing provides documented evidence.
Our Penetration Testing Process
Every PTG pen test engagement follows a structured five-phase process. This lifecycle ensures thorough coverage, clear communication, minimal operational disruption, and actionable output.
Scoping and Rules of Engagement
We begin with a detailed scoping call to define the target environment, testing objectives, authorized IP ranges, in-scope applications, testing windows, communication channels, and escalation procedures. We document everything in a formal Rules of Engagement (RoE) agreement and obtain written authorization before any testing begins. This phase also determines whether the test will be black-box (no prior knowledge), gray-box (partial knowledge such as credentials or network diagrams), or white-box (full knowledge including source code). For Raleigh-Durham organizations with hybrid on-premises and cloud environments, we map the full scope across both segments.
Reconnaissance and Intelligence Gathering
Our team conducts passive and active reconnaissance to map your attack surface. Passive techniques include OSINT collection, DNS record enumeration, subdomain discovery, certificate transparency log analysis, email harvesting, technology fingerprinting via Wappalyzer and BuiltWith, and employee profiling through LinkedIn and public records. Active reconnaissance includes port scanning with Nmap, service version detection, directory enumeration, virtual host discovery, and API endpoint mapping. The intelligence gathered during this phase directly informs our attack strategy.
Vulnerability Analysis and Exploitation
Using the intelligence gathered in phase two, we conduct systematic vulnerability analysis and exploitation. We begin with automated scanning using tools like Nessus, Burp Suite Professional, and Nuclei, then manually validate every finding to eliminate false positives. We attempt exploitation of confirmed vulnerabilities to demonstrate real-world impact, chain multiple low-severity findings into high-impact attack paths, test for business logic flaws, attempt privilege escalation, and pursue lateral movement across network segments. Throughout exploitation, we maintain detailed logs and screenshots of every action taken.
Reporting and Debriefing
Within five to seven business days of testing completion, we deliver the full report package described in the deliverables section above. We schedule a findings walkthrough call with both your technical team and executive stakeholders to review critical and high findings, demonstrate key attack chains, answer questions, and discuss remediation priorities. Every finding includes specific, actionable remediation guidance -- not generic recommendations. We tell you exactly what to patch, what to reconfigure, what to disable, and how to verify the fix.
Remediation Support and Re-Testing
PTG does not deliver a report and disappear. We remain available to answer questions during your remediation window, provide clarification on findings, and assist with implementing recommended fixes. Once your team has addressed critical and high findings, we perform a targeted re-test at no additional cost to verify remediation effectiveness. You receive an updated report reflecting the re-test results, which serves as evidence of remediation for compliance auditors and assessors.
Deep Expertise, Local Accountability, Proven Track Record
Choosing a penetration testing provider is a decision that directly impacts your security posture and compliance standing. Here is why organizations across the Research Triangle, from healthcare systems in Durham to defense subcontractors near Fort Liberty, trust PTG with their most sensitive security assessments.
25+ Years of Security Experience
CEO Craig Petronella is a Licensed Digital Forensic Examiner, CMMC Certified Registered Practitioner, and MIT-certified professional in cybersecurity, AI, blockchain, and compliance. He has served as an expert witness in cybercrime cases and authored multiple best-selling books on HIPAA and CMMC compliance.
BBB Accredited Since 2003
PTG has maintained Better Business Bureau accreditation for over two decades -- a track record of accountability and client satisfaction that speaks for itself in an industry filled with fly-by-night operators.
2,500+ Clients Served
From small medical practices to enterprise defense contractors, PTG has conducted security assessments for more than 2,500 organizations since 2002. That experience translates into faster scoping, deeper findings, and more actionable recommendations.
Local Presence, On-Site Testing
Based at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606, PTG conducts on-site wireless, physical, and social engineering assessments throughout the Raleigh-Durham-Chapel Hill metro. Remote testing is available nationwide.
Compliance-Ready Reports
Our pen test reports are formatted to satisfy evidence requirements for CMMC, HIPAA, PCI DSS, SOC 2, FTC Safeguards, NIST 800-171, and ISO 27001 audits. Auditors and C3PAOs receive the documentation they need without back-and-forth.
No Subcontractors
Every penetration test is conducted by PTG's in-house security team. We do not outsource or subcontract testing to third parties. You know exactly who has access to your systems and data throughout the engagement.
Frequently Asked Questions About Penetration Testing
What is the difference between a penetration test and a vulnerability scan?
Will a penetration test disrupt our business operations?
How often should we have a penetration test performed?
Do you test cloud environments like AWS, Azure, and GCP?
What qualifications does your penetration testing team hold?
What is the difference between black-box, gray-box, and white-box testing?
How long does a penetration test take?
Is our data safe during a penetration test?
Can you help us fix the vulnerabilities you find?
Do you provide penetration testing for compliance audits?
Find Out What an Attacker Would Find
Schedule a penetration test with Petronella Technology Group and get a clear, evidence-based picture of your security posture. Serving the Research Triangle and organizations nationwide since 2002.
919-348-4912 • Schedule a Penetration Test
5540 Centerview Dr., Suite 200, Raleigh, NC 27606 • BBB Accredited Since 2003