FAQ
Commissioning a Penetration Test

Most companies that regularly perform penetration tests opt for an annual cycle. On one hand, various standards require annual testing; on the other hand, an annual penetration test can be easily integrated into budget planning. Conducting a penetration test every nine months, for example, would be difficult to align with financial planning. A semi-annual schedule, meaning two tests per year, is often too expensive for most companies.

However, there are companies that conduct penetration tests twice a year, focusing on different aspects each time. From a security and risk management perspective, it would be ideal to perform a penetration test after every significant system change. In practice, however, this often fails due to limited personnel and financial resources.

Before a penetration test is conducted, it may be necessary to establish contractual agreements addressing data protection requirements. This ensures compliance with legal regulations (e.g., GDPR) and clearly defines the responsibilities and obligations between the client and the penetration tester. The scope of personal data processing during a penetration test largely depends on the specific objectives of the engagement. The following types of personal data may be processed during a penetration test:

  • Personal Data of One or More Client Contacts

    This typically includes the first name, last name, business email address, business phone number, and position within the company. These personal details are usually stored and processed in email clients, on mail servers, within phone systems, in calendar entries, and in the final penetration test report. It may sound trivial – and in this case, it is – but this information is necessary for communication between client and tester. Such data is always processed and is often publicly available anyway.

  • Personal Data of Other Employees

    When the objective of the penetration test targets the corporate network, contact with employee personal data is often unavoidable. For external penetration tests, this is less common, but for internal tests, especially those involving Active Directory, it is almost inevitable. At a minimum, the tester may obtain the names of employees. A common part of internal testing involves attempting to escalate privileges or gain access to additional accounts and systems. If successful – which becomes more likely as the number of employees increases – the tester may obtain valid passwords or at least password hashes. To conduct the test, at least this data must be processed locally on the tester's device. Further escalation, such as account compromise or bypassing access controls, may expose even more information. In the worst-case scenario, such as a full compromise of Active Directory, a large volume of personal data could become accessible. However, it is not necessary to copy this data to the penetration tester's systems – quite the opposite: it should be avoided wherever possible. There is no operational need to do so.

  • Personal Data of the Client’s Customers

    Personal customer data may be encountered when production systems are tested. A straightforward example is an online store. Securing customer data in such systems is a primary goal of penetration testing. Part of the test is to determine whether it is possible to gain unauthorized access to customer records. If successful, individual customer data entries may be temporarily displayed and thus processed locally on the tester’s device.

In the latter two cases, it may be advisable to conclude a data processing agreement (DPA). The focus should always be on the principle of data minimization. A penetration tester is – obviously – not a malicious attacker, and there is no need to process significant volumes of personal data. Only for reporting purposes is it necessary to find a reasonable compromise between anonymization and pseudonymization. For example, if login credentials are successfully obtained during the penetration test, they must be included in the report to provide the client with the relevant information. However, these credentials should not be linked to specific individuals.


Company

binsec GmbH
Solmsstraße 41
60486 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorised Officer: Florian Zavatzki, Dominik Sauer
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808

© 2025 All rights reserved by binsec GmbH.