In a penetration test, the investigation is focused on a very narrow target, i.e. it is limited to a single web application, for example, which is then investigated extensively and thoroughly. We orient ourselves on OWASP Top10, a list of known vulnerabilities in web applications. The investigations are based on automated scans in combination with manual requests, with an attempt to gain unauthorized access to data or functions or to obtain additional rights.

Similar to the assessment, a risk profile is created from the information and presented to the client as a report that includes countermeasures. Approximately 10 days should be allowed for this type of audit, which lasts from 6 to 8 weeks.