Security Operations

Penetration Testing in Luxembourg: What to Expect, What It Costs, and How to Prepare

Admin User · Mar 01, 2026 · 9 min read

Why This Guide Exists

Buying penetration testing services for the first time, or even the fifth time, can be confusing. The market is full of jargon, pricing varies wildly, and it is difficult to know whether you are getting a thorough assessment or an automated scan dressed up with a professional report. This guide is written for IT managers, CISOs, and business owners in Luxembourg who need to make informed decisions about penetration testing.

We will cover what penetration testing actually is, the different types available, what drives costs, how to scope an engagement properly, and how to prepare your organisation to get maximum value from the exercise.

What Is Penetration Testing?

Penetration testing is a controlled, authorised attempt to exploit vulnerabilities in your systems, networks, or applications by simulating the techniques used by real attackers. Unlike a vulnerability scan, which identifies known weaknesses automatically, a penetration test involves skilled human testers who chain vulnerabilities together, use creative attack paths, and attempt to demonstrate real business impact.

The output is not a list of CVEs. It is a narrative that shows how an attacker could compromise your environment, what they could access, and what the business consequences would be.

Key distinction: A vulnerability scan tells you what could be exploited. A penetration test tells you what can be exploited and what happens next.

Types of Penetration Tests

External Network Penetration Test

Tests your internet-facing infrastructure: web servers, email gateways, VPN endpoints, cloud services, DNS. The tester works from the internet with no internal access, simulating an external attacker.

Typical duration: 3-5 days

When to use: Annually, or after significant changes to your external-facing infrastructure.

Internal Network Penetration Test

Simulates an attacker who has gained initial access to your internal network, perhaps through a compromised employee workstation, a physical intrusion, or a rogue device. Tests Active Directory security, network segmentation, lateral movement paths, and privilege escalation.

Typical duration: 5-10 days

When to use: Annually. Critical for organisations in regulated sectors (CSSF-supervised entities are often expected to conduct internal testing).

Web Application Penetration Test

Focuses on a specific web application, testing for OWASP Top 10 vulnerabilities, business logic flaws, authentication and session management issues, and API security. Goes beyond automated scanning to test complex, multi-step attack scenarios.

Typical duration: 5-10 days per application (depending on complexity)

When to use: Before major releases, annually for production applications, and whenever significant changes are deployed.

Wireless Penetration Test

Tests the security of your wireless networks: WPA2/WPA3 configuration, rogue access point detection, guest network isolation, and wireless-to-wired pivoting.

Typical duration: 2-3 days (requires on-site presence)

When to use: Annually, particularly if you have guest Wi-Fi or BYOD policies.

Social Engineering Assessment

Tests the human element: phishing simulations, vishing (phone-based social engineering), physical social engineering (tailgating, impersonation). Not a traditional penetration test, but often combined with technical testing for a comprehensive view.

Typical duration: 5-10 days

When to use: Annually, particularly in preparation for security awareness training updates.

Cloud Penetration Test

Tests your cloud infrastructure (AWS, Azure, GCP) for misconfigurations, excessive permissions, insecure storage, and cloud-specific attack vectors. Requires testers with specific cloud platform expertise.

Typical duration: 5-8 days

When to use: Annually, or after significant cloud architecture changes.

Understanding the Testing Methodology

Professional penetration testers follow a structured methodology. While specific approaches vary, most follow a pattern based on industry standards like PTES (Penetration Testing Execution Standard) or OWASP Testing Guide:

  1. Reconnaissance: Gathering information about the target using passive (OSINT) and active techniques. Domain names, IP ranges, employee names, technology stack, leaked credentials.
  2. Scanning and enumeration: Identifying live hosts, open ports, running services, and potential entry points.
  3. Vulnerability identification: Identifying weaknesses that could be exploited. Combines automated scanning with manual analysis.
  4. Exploitation: Attempting to exploit identified vulnerabilities to gain access. This is where human skill differentiates a penetration test from a scan.
  5. Post-exploitation: If access is gained, what can the tester achieve? Privilege escalation, lateral movement, data access, persistence.
  6. Reporting: Documenting findings with evidence, risk ratings, and actionable remediation recommendations.

What Does Penetration Testing Cost in Luxembourg?

Pricing in Luxembourg reflects the local cost of skilled professionals and the regulatory environment. Here are realistic ranges based on current market rates:

Test Type                                  | Duration   | Price Range (EUR)
-------------------------------------------|------------|------------------
External Network Pentest                   | 3-5 days   | 4,000 - 10,000
Internal Network Pentest                   | 5-10 days  | 8,000 - 20,000
Web Application Pentest                    | 5-10 days  | 7,000 - 18,000
Wireless Pentest                           | 2-3 days   | 3,000 - 7,000
Social Engineering                         | 5-10 days  | 5,000 - 15,000
Cloud Pentest                              | 5-8 days   | 8,000 - 18,000
Comprehensive (External + Internal + App)  | 15-25 days | 18,000 - 45,000

What drives cost up: Large scope (many IPs, multiple applications), complex environments (hybrid cloud, legacy systems), compliance requirements (CSSF, PCI DSS), reporting in multiple languages, tight timelines, retesting after remediation.

What drives cost down: Clear scope definition, good documentation provided to testers, annual retainer agreements, combining multiple test types in one engagement.

Warning signs on pricing: If someone offers a "full penetration test" for EUR 2,000, you are likely getting an automated vulnerability scan with a template report. Conversely, if the quote exceeds EUR 50,000 for a straightforward SME environment, ensure the scope justifies it.

How to Scope a Penetration Test

Poor scoping is the number one reason penetration tests deliver disappointing results. Either the scope is too broad (tester spends all their time on low-value targets) or too narrow (critical systems are excluded).

When defining scope, prepare the following information:

  • Objectives: What do you want to learn? "Can an attacker reach our customer database?" is a better objective than "test everything."
  • IP ranges and domains: Exactly which systems are in scope? Provide a complete list of external IP addresses, domain names, and internal network ranges.
  • Applications: For web application tests, list each application, its URL, authentication requirements, and user roles to test.
  • Exclusions: Are any systems off-limits? Production systems that cannot tolerate disruption? Third-party hosted services?
  • Testing window: When can testing occur? Business hours only? Weekends? Are there blackout periods?
  • Rules of engagement: Can the tester attempt denial-of-service? Social engineering? Physical access? What requires advance approval?
  • Contacts: Who should the tester notify if they discover a critical vulnerability during testing? Who is the emergency contact if something goes wrong?

How to Prepare: The Pre-Engagement Checklist

Good preparation maximises the value of every testing day. Here is what to do before the testers arrive:

  1. Sign the authorisation letter. This is legally essential. It explicitly authorises the testing firm to probe your systems. Without it, testing could constitute a criminal offence under Luxembourg law (Articles 509-1 to 509-7 of the Penal Code).
  2. Notify your hosting and cloud providers. AWS, Azure, and most hosting providers require advance notice of penetration testing. Failure to notify can result in your infrastructure being flagged or suspended.
  3. Inform your SOC or managed security provider. If you have a security monitoring team (internal or external), inform them that testing will occur during the specified window. Decide whether you want them to detect and respond normally (which tests your detection capabilities) or to whitelist the testers' IP addresses.
  4. Prepare test accounts. For authenticated testing (web applications, internal networks), create dedicated test accounts at each privilege level. Do not share your own credentials.
  5. Document your environment. Provide network diagrams, application architecture documentation, and a list of technologies in use. This allows testers to spend time finding vulnerabilities rather than mapping your environment.
  6. Establish the communication channel. Agree on how the testing team will communicate during the engagement. A shared Slack channel or Teams group works well for real-time updates.
  7. Define the critical finding protocol. What should the tester do if they find a critical, actively exploitable vulnerability? Agree on an immediate notification process.

How to Evaluate a Penetration Testing Provider

Not all penetration testing firms are equal. Here is what to look for:

  • Certifications: OSCP, OSCE, OSWE, GPEN, GXPN, CREST certifications demonstrate hands-on technical skills. Be wary of firms that only hold management certifications (CISSP, CISM) without technical testing credentials.
  • Methodology transparency: A reputable firm will explain their methodology clearly and tailor it to your environment. Ask for a sample report to evaluate depth and quality.
  • Luxembourg experience: Local knowledge matters. Understanding CSSF requirements, Luxembourg legal frameworks, and the local threat landscape adds value.
  • Insurance: Professional indemnity insurance is non-negotiable. Testing inherently carries risk, and the firm should be insured against accidental damage.
  • Retesting policy: Good firms include a retest of critical and high findings as part of the engagement, or offer it at a reduced rate.
  • Communication during testing: The best testers provide daily status updates and notify you immediately of critical findings, not just at the end of the engagement.

What to Do with the Report

A penetration test report is only valuable if you act on it. Here is a structured approach to remediation:

  1. Review with the testers. Schedule a findings walkthrough meeting. Ask questions. Understand the attack chains, not just individual vulnerabilities.
  2. Prioritise by business risk. Not all "critical" findings carry equal business risk. A critical vulnerability on an isolated test server is less urgent than a medium vulnerability on your payment processing system.
  3. Create a remediation plan with deadlines. Critical findings: 30 days. High: 60 days. Medium: 90 days. Low: next scheduled maintenance window.
  4. Retest after remediation. Verify that fixes are effective. Do not assume that patching a vulnerability means it is resolved; configuration errors and incomplete fixes are common.
  5. Track metrics over time. Compare findings across annual tests. Are the same issues recurring? Is the total number of findings decreasing? Are the findings shifting from basic issues to more sophisticated ones? This trajectory tells you whether your security programme is maturing.
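The remediation plan above (30/60/90-day deadlines, prioritisation by business risk, recurrence across annual tests) is easy to lose track of in a spreadsheet. The following is an added example tracker, not code from this article or from any testing provider; the finding structure, the sample findings and the two test years are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Deadlines from the remediation plan, in days after report delivery.
# "Low" has no fixed date (next maintenance window), so it stays None.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": None}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    # Constructed structure: real reports differ from provider to provider.
    title: str
    severity: str
    asset: str
    business_critical: bool  # e.g. payment processing, customer data


def due_date(report_date: date, f: Finding):
    days = SLA_DAYS[f.severity.lower()]
    return None if days is None else report_date + timedelta(days=days)


def overdue(report_date: date, findings, today: date):
    # Findings whose fixed deadline has passed; "low" is never overdue here.
    return [f for f in findings
            if (d := due_date(report_date, f)) is not None and d < today]


def priority_order(findings):
    # Business risk first, severity second: a critical on an isolated test
    # box sorts below a high on the payment system.
    return sorted(findings,
                  key=lambda f: (not f.business_critical, RANK[f.severity.lower()]))


def recurring(previous, current):
    # Same title on the same asset in consecutive tests: a fix that did not stick.
    seen = {(f.title, f.asset) for f in previous}
    return [f for f in current if (f.title, f.asset) in seen]


def severity_counts(findings):
    counts = {s: 0 for s in RANK}
    for f in findings:
        counts[f.severity.lower()] += 1
    return counts


# Constructed sample findings for two consecutive annual tests.
TEST_2025 = [
    Finding("Outdated TLS configuration", "medium", "vpn.example.com", False),
    Finding("Weak service account password", "high", "AD domain", True),
    Finding("Default credentials", "critical", "test-db-01", False),
]
TEST_2026 = [
    Finding("Weak service account password", "high", "AD domain", True),
    Finding("Missing login rate limiting", "medium", "payments.example.com", True),
    Finding("Verbose error messages", "low", "intranet", False),
]
```

Run `priority_order(TEST_2025)` to see the business-risk ordering from step 2, and `recurring(TEST_2025, TEST_2026)` to see the year-on-year recurrence check from step 5.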

Penetration Testing and Luxembourg Regulation

If you are subject to CSSF supervision, penetration testing is effectively mandatory. CSSF Circular 20/750 on ICT risk management requires financial sector entities to conduct security testing, including penetration tests. Under DORA (Digital Operational Resilience Act), certain systemically important financial entities will be required to conduct threat-led penetration testing (TLPT) based on the TIBER-EU framework.

Even outside the financial sector, NIS2 requires entities to test the effectiveness of their cybersecurity risk management measures, which implicitly includes security testing activities like penetration testing.

Penetration testing is not an expense. It is an investment in understanding your actual security posture, not the one you assumed you had.
