What Can Go Wrong on an External Penetration Test?
When organizations bring in a third party to perform an external penetration test, the expectation is a smooth, well-orchestrated engagement that yields actionable results. And in most cases—around 95% of the time—that’s exactly what happens. However, it’s important to recognize that penetration testing is not without risk or complexity. Whether it’s a technical misconfiguration, scope confusion, provider inexperience, or unintended service disruption, things can go sideways on an external penetration test.
The goal of this blog is to pull back the curtain and walk you through the less-discussed side of penetration testing—the parts that can (and sometimes do) go wrong. Understanding these pitfalls not only prepares you for the occasional bump in the road but also helps ensure that when issues arise, they don’t turn into full-blown incidents. If you haven’t already, check out our complete guide to external penetration tests for information on costs, answers to the most common questions, etc.
Things that can go wrong on an External Penetration Test
System or Network Outage
One of the more disruptive risks during an external penetration test is a system or network outage. This could stem from a misconfiguration, an outdated or poorly maintained perimeter server, an unpatched firewall, or a particularly dangerous vulnerability that reacts unpredictably when probed.
While experienced penetration testers do everything possible to avoid disruptions, the reality is that active testing—especially using a black-box approach—carries residual risk. Actively exploiting vulnerabilities can occasionally trigger a crash or service interruption. Despite that risk, you want a tester to exercise these weaknesses during controlled testing rather than leave them for an attacker to find, as we explain in our post on what makes a penetration test important.
What you can do: If you know of any legacy, fragile, or business-critical systems exposed to the Internet, flag them during the project kick-off call—this is your opportunity to clarify the Rules of Engagement. If downtime on a specific system would significantly impact your operations, consider asking the testing team to schedule probing of that system during off-hours or to exclude it from active exploitation and limit testing to non-intrusive methods.
Data Corruption
Data corruption can result from a system failure during testing or from certain classes of vulnerability. For instance, if there is a SQL Injection issue, placing a single quote into a field could modify or drop data in your database. You’d want to know about this issue, but only after your rage subsided from potentially having to restore portions of your production database. Again, in anything but extreme scenarios, experienced penetration testers can avoid database modifications, but the potential is there.
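To make the single-quote point concrete, here is an added example (not code from the original post or from any client system) showing why a quote in an input field is dangerous in the first place. It uses an in-memory SQLite table with constructed sample rows and contrasts the vulnerable pattern, where user input is pasted into the SQL text, with the parameterized pattern that a tester’s probe cannot disturb. The table name, column names and sample data are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a production table (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the input becomes part of the SQL statement text.

    A single quote in `name` terminates the string literal early, so the rest
    of the input is parsed as SQL. The syntax error below is the mildest
    outcome; a crafted value could change what the statement does.
    """
    query = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the driver binds `name` as a value, so quotes are inert data."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo(name):
    """Run both lookups for the same input and report what happened to each."""
    conn = make_db()
    result = {"input": name}
    try:
        result["unsafe"] = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        # The database error is the signal a tester sees: the input reached the parser.
        result["unsafe"] = f"error: {exc}"
    result["safe"] = lookup_safe(conn, name)
    conn.close()
    return result


if __name__ == "__main__":
    for value in ("Alice", "O'Brien"):
        print(demo(value))
```

A name like `O'Brien` is enough to break the unsafe query, which is exactly the kind of routine input that exposes the issue; the parameterized version simply returns no match. The defensive takeaway is that parameterized queries, not input filtering, are what keep a tester’s probes (and an attacker’s) from reaching the SQL parser.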
What you can do: Prior to testing beginning, it’s a great idea to double check your organizational back-ups and restoration procedures. I mean, I’m sure you’re doing that regularly anyway, right?
You’ve Already Been Compromised
There’s a great saying in the security community that there are two types of organizations: those that have been breached and those that don’t know they have been breached. While it is not common, we have discovered during testing that an organization’s assets were already compromised. I wouldn’t necessarily classify this as a potential problem, but it’s important to understand that it does happen. Should this be the case, we will immediately stop testing and notify our contact about what we’ve found. We’ll help you in any way we can to resolve the issue, and once you’ve given us the ok, we’ll proceed.
What you can do: It’s a great idea to have a continuous monitoring process that looks at systems, event logs, and alerts on a regular basis to identify potential breaches and security incidents as soon as possible.
Despite the risk of something going wrong on an external penetration test, it’s not as bad as it sounds
Yes, things can go wrong—but they rarely do. With proper planning, clear communication, and strong security hygiene, most external penetration tests go off without a hitch. Our goal as penetration testers is to help you find and fix issues before they become business-impacting problems, not to create them. And if something does break during testing, that’s a sign it was already vulnerable and could’ve failed at any time due to its exposure on the open Internet.
Ultimately, a penetration test is one of the best investments you can make in your organization’s security posture. It’s about surfacing risks in a controlled way—before the wrong actor finds them. To learn more check out our guide or contact us today.