Frequently Asked Questions
Before a penetration test is conducted, it may be necessary to establish contractual agreements addressing data protection requirements. This ensures compliance with legal regulations (e.g., GDPR) and clearly defines the responsibilities and obligations between the client and the penetration tester. The scope of personal data processing during a penetration test largely depends on the specific objectives of the engagement. The following types of personal data may be processed during a penetration test:
Personal Data of One or More Client Contacts
This typically includes the first name, last name, business email address, business phone number, and position within the company. These personal details are usually stored and processed in email clients, on mail servers, within phone systems, in calendar entries, and in the final penetration test report. It may sound trivial – and in this case, it is – but this information is necessary for communication between client and tester. Such data is always processed and is often publicly available anyway.
Personal Data of Other Employees
When the objective of the penetration test targets the corporate network, contact with employee personal data is often unavoidable. For external penetration tests, this is less common, but for internal tests, especially those involving Active Directory, it is almost inevitable. At a minimum, the tester may obtain the names of employees. A common part of internal testing involves attempting to escalate privileges or gain access to additional accounts and systems. If successful – which becomes more likely as the number of employees increases – the tester may obtain valid passwords or at least password hashes. To conduct the test, at least this data must be processed locally on the tester's device. Further escalation, such as account compromise or bypassing access controls, may expose even more information. In the worst-case scenario, such as a full compromise of Active Directory, a large volume of personal data could become accessible. However, it is not necessary to copy this data to the penetration tester's systems – quite the opposite: it should be avoided wherever possible. There is no operational need to do so.
Personal Data of the Client’s Customers
Personal customer data may be encountered when production systems are tested. A straightforward example is an online store. Securing customer data in such systems is a primary goal of penetration testing. Part of the test is to determine whether it is possible to gain unauthorized access to customer records. If successful, individual customer data entries may be temporarily displayed and thus processed locally on the tester’s device.
In the latter two cases, it may be advisable to conclude a data processing agreement (DPA). The focus should always be on the principle of data minimization. A penetration tester is – obviously – not a malicious attacker, and there is no need to process significant volumes of personal data. Only for reporting purposes is it necessary to find a reasonable compromise between anonymization and pseudonymization. For example, if login credentials are successfully obtained during the penetration test, they must be included in the report to provide the client with the relevant information. However, these credentials should not be linked to specific individuals.
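As an added example (not part of the original FAQ), one way to apply the reporting compromise just described in Python: account names are replaced by stable, keyed pseudonyms so the client can still correlate findings, recovered secrets are masked rather than reproduced, and a self-check confirms that no original identifier survives in the report text. The engagement key, account names and secrets are constructed assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account: str   # identifier of a real person's (or service) account
    secret: str    # password or hash recovered during the test
    section: str   # report section that describes how it was obtained


# Constructed sample findings (fictional accounts and secrets, not real data).
SAMPLE_FINDINGS = [
    Finding("j.doe@example.test", "Winter2024!", "3.2"),
    Finding("J.Doe@example.test", "Winter2024!", "4.1"),  # same person, different casing
    Finding("svc_backup", "b4ckup-s3rv1ce", "3.5"),
]


def pseudonym(account: str, key: bytes) -> str:
    """Keyed pseudonym: same account -> same token throughout the report,
    not reversible without the per-engagement key held by the client."""
    tag = hmac.new(key, account.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "ACCOUNT-" + tag[:8].upper()


def mask_secret(secret: str) -> str:
    """Show that a real credential was recovered without reproducing it."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def build_report(findings, key):
    """Return (report_rows, lookup). Only the rows go into the report; the
    lookup is handed to the client separately and deleted at engagement close."""
    rows, lookup = [], {}
    for f in findings:
        p = pseudonym(f.account, key)
        lookup[p] = f.account
        rows.append({"account": p, "credential": mask_secret(f.secret),
                     "length": len(f.secret), "section": f.section})
    return rows, lookup


def leaks_identifiers(rows, findings) -> bool:
    """True if any original account name or secret appears in the report text."""
    text = json.dumps(rows)
    return any(f.account in text or f.secret in text for f in findings)
```

The lookup table is the only link back to individuals, so it is the artifact the data processing agreement needs to cover and the one to destroy once the client has consumed the report.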
Penetration Testing
FAQ
Our FAQ provides clear answers to common questions – straight from pentesting experts and completely ad-free.