#pentest#penetration-testing#security#owasp#beginner

What is a pentest? Complete guide for Swedish companies 2026

Alexander Norman

A pentest (penetration test) is a controlled simulation of a cyber attack against your own systems. We cover what it is, how it differs from vulnerability scanning, what types exist, and when you need each variant.

Definition: penetration test = simulated attack with permission

A penetration test (pentest) is a security assessment where an experienced tester, with explicit written permission from the owner, attempts to break into an IT system. The goal is to find vulnerabilities before a real attacker does.

The difference from an attacker: scope, legal mandate, and a report describing findings and fixes.

Pentest vs vulnerability scanning, not the same thing

Aspect                Vulnerability scanning                          Pentest
Method                Automated; tools match against a CVE database   Manual + automated; creativity counts
Depth                 Known CVE patterns                              Business logic, attack chains, creative bypasses
Time                  Minutes                                         Days to weeks
Price                 From ~250 SEK/month                             15,000–500,000+ SEK per engagement
False positives       High rate (10-40%)                              Low (manually verified)
Business logic flaws  Not found                                       Found
Auth bypass           Only simple cases                               Complex chains
Frequency             Daily                                           Annually + after major changes

In practice, a good security posture has both. Vulnerability scanning catches the bulk of vulnerabilities that are known CVEs (roughly 80% by the usual rule of thumb); a pentest catches the remainder, which is specific to your application and invisible to a signature-based tool.

What types of pentest exist?

1. Web application pentest

Test of one or more web applications. SQL injection, XSS, CSRF, authentication flaws, business logic errors. Most common pentest type in Sweden.
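The first item in that list, shown side by side with its fix, as an added example (not code from the page or from pentesting.se). It builds an in-memory SQLite table with one hypothetical account and runs the classic authentication-bypass payload against a login that concatenates user input into SQL and against the same login written with bound parameters:

```python
import sqlite3

# Constructed demo database: a single account stored in plaintext for brevity.
# A real application stores a password hash and compares it in code, not in SQL.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery staple');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted straight into the SQL text."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened: bound parameters keep the input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Classic bypass payload. In the vulnerable query the WHERE clause becomes
#   username = 'alice' AND password = '' OR '1'='1'
# and the trailing OR makes it true for every row.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both logins with the real password and with the payload."""
    conn = make_db()
    good = "correct horse battery staple"
    return {
        "vulnerable_valid_login": login_vulnerable(conn, "alice", good),
        "vulnerable_injected": login_vulnerable(conn, "alice", PAYLOAD),
        "hardened_valid_login": login_parameterized(conn, "alice", good),
        "hardened_injected": login_parameterized(conn, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

This particular bug is one a scanner usually does find, because the payload and the response difference are well-known patterns; the manual work in a web-app pentest goes into the variants (second-order injection, injection into ORDER BY or LIMIT, blind time-based cases) where the automated check gives up.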

2. Network pentest (external)

Test against your external infrastructure. IP addresses, firewalls, exposed services. Often combined with port scanning and vulnerability exploitation.

3. Network pentest (internal)

Tests as if the attacker is already inside the network. Lateral movement, privilege escalation, AD attacks. Often combined with an Assumed Breach model.

4. Mobile application pentest

Android and iOS apps. Tests local data storage, API security, certificate pinning, jailbreak detection, reverse engineering protections.

5. API pentest

Specifically for REST/GraphQL/gRPC APIs. OWASP API Security Top 10: BOLA, BFLA, mass assignment, rate limiting, authn/authz flaws.
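The two top entries of that list, BOLA and mass assignment, are also the clearest instances of the "business logic flaws a scanner does not find" row in the comparison table above: the requests are syntactically valid and return 200, so only someone who understands who should own which object can spot them. The following is an added example, not code from the page or from pentesting.se; it models the handlers behind GET and PATCH /users/{id} as plain functions over a constructed in-memory user store, with the vulnerable and the hardened version of each:

```python
from copy import deepcopy

# Constructed sample data (hypothetical users); a real API loads this from a database.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "user", "phone": "+46 70 000 00 01"},
    2: {"id": 2, "email": "bob@example.com", "role": "user", "phone": "+46 70 000 00 02"},
}

# Assumption: only these fields may be changed by the user through PATCH /users/{id}.
WRITABLE_FIELDS = {"email", "phone"}


def get_profile_bola(store, caller_id, user_id):
    """Vulnerable: the object ID in the URL is trusted, so any logged-in user reads any record."""
    return store.get(user_id)


def get_profile_fixed(store, caller_id, user_id):
    """Hardened: object-level authorization, the caller must own the record or be an admin."""
    record = store.get(user_id)
    caller = store.get(caller_id)
    if record is None or caller is None:
        return None
    if caller_id != user_id and caller["role"] != "admin":
        return None  # answer 404 (or 403) in the real API; do not reveal whether the ID exists
    return record


def update_profile_mass_assignment(store, caller_id, user_id, body):
    """Vulnerable: every JSON field is copied into the record, 'role' included."""
    record = store[user_id]
    record.update(body)
    return record


def update_profile_fixed(store, caller_id, user_id, body):
    """Hardened: the same ownership check, plus an allow-list of writable fields."""
    record = get_profile_fixed(store, caller_id, user_id)
    if record is None:
        return None
    record.update({k: v for k, v in body.items() if k in WRITABLE_FIELDS})
    return record


def demo():
    """Bob (id 2) reads Alice's record (id 1) and tries to promote himself; returns what each version allows."""
    evil_body = {"email": "bob@attacker.example", "role": "admin"}
    results = {}

    store = deepcopy(USERS)
    results["bola_leaks_alice"] = get_profile_bola(store, 2, 1) is not None
    update_profile_mass_assignment(store, 2, 2, evil_body)
    results["mass_assignment_role"] = store[2]["role"]

    store = deepcopy(USERS)
    results["fixed_blocks_bob"] = get_profile_fixed(store, 2, 1) is None
    results["fixed_allows_owner"] = get_profile_fixed(store, 1, 1) is not None
    update_profile_fixed(store, 2, 2, evil_body)
    results["fixed_role"] = store[2]["role"]
    results["fixed_email"] = store[2]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")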

6. Cloud pentest (AWS, Azure, GCP)

Misconfigurations in cloud environments. IAM policy, exposed S3 buckets, Azure Storage, K8s misconfigurations.
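A small triage helper for the "exposed S3 buckets" item, added here as an example and not code from the page or from pentesting.se. It parses bucket policy JSON and classifies every Allow statement with a wildcard principal as public-read, public-write, or conditional (a wildcard principal restricted by a Condition, which needs a human to judge whether the condition is actually restrictive). The policies and bucket names are constructed; the write-action list is a deliberate simplification and does not expand patterns such as s3:Put*:

```python
import json

# Constructed example policies with hypothetical bucket names and account IDs.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
        },
        {
            "Sid": "AnyoneCanUpload",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-backups/incoming/*",
        },
    ],
})

CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-assets/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-private/*",
    }],
})

# Simplified: actions that let an anonymous caller change data or the policy itself.
WRITE_ACTIONS = {
    "*", "s3:*", "s3:putobject", "s3:deleteobject",
    "s3:putbucketpolicy", "s3:putbucketacl", "s3:putobjectacl",
}


def _as_list(value):
    """Policy grammar allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings that grant access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_bucket_policy(policy_json):
    """Return [(sid, verdict)] for Allow statements with a wildcard principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Condition"):
            findings.append((sid, "conditional"))  # manual review: is the condition restrictive?
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        verdict = "public-write" if actions & WRITE_ACTIONS else "public-read"
        findings.append((sid, verdict))
    return findings


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("conditional", CONDITIONAL_POLICY), ("private", PRIVATE_POLICY)]:
        print(name, review_bucket_policy(policy))
```

The bucket policy is only one of the controls that decide exposure; the account-level and bucket-level Block Public Access settings and legacy bucket ACLs have to be read alongside it before a bucket is reported as public.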

7. Red Team

Not a pentest in the strict sense, but a goal-based engagement in which the team tries to achieve a business objective (e.g. "read the CFO's email") by any means the rules of engagement allow: phishing, physical intrusion, social engineering, technical attacks. Typically runs for weeks to months, and the defenders are usually not told in advance so that detection and response get tested too.

8. Social engineering / phishing test

Test of people and processes. Phishing simulations, vishing (voice phishing), USB drops, physical intrusion. Measures both technology (email filters) and behavior (click rate).

9. OT/ICS/SCADA pentest

Industrial control systems. Requires great caution: a poorly executed test can stop a plant, since PLCs and legacy protocols often crash on traffic an ordinary port scanner considers harmless. Requires specialised competence and close coordination with operations, and testing is commonly limited to passive techniques, maintenance windows, or a test environment.

Black box, grey box, white box

Three levels of information:

  • Black box, the tester gets nothing. Must map the environment themselves. Most realistic but most expensive since a lot of time goes to mapping.
  • Grey box, the tester gets limited information (one user account, scope document). Most common.
  • White box, the tester gets full source code + architecture documents. Most effective per dollar; finds more bugs deeper.

White box is sometimes considered "cheating" but usually gives better value, the tester can focus on finding vulnerabilities instead of guessing how the application works.

How does a pentest work?

Typically 5 phases:

1. Scope & planning

What is to be tested and what is not, during which hours, which source IP addresses the attacks will come from (so the SOC can recognise them), and who to call if something breaks. A written scope document is signed by both parties before work begins.

2. Reconnaissance

Information about the target. Subdomains, IP addresses, tech stack, employees (for social engineering), public data. Mostly passive.

3. Vulnerability identification

Automated tools + manual investigation find potential vulnerabilities. List of "test-worthy" points.

4. Exploitation

Attempts to exploit the identified vulnerabilities and collects evidence (PoC, screenshots, samples of the data that became accessible). The tester stops before causing damage: production is not taken down, and destructive or data-altering steps are only performed if the scope agreement explicitly permits them.

5. Report + remediation

Written report: executive summary, detailed findings with CVSS scores, evidence, fix proposals, prioritization. Retest after fixes often included.
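The one phase above that should be enforced in code rather than remembered is the first: every host a tester touches during phases 2 to 4 has to be inside the signed scope, inside the agreed window, and not on the exclusion list. The following is an added example, not code from the page or from pentesting.se, of such a guard. The scope document, its networks, hostnames, and window are constructed and hypothetical; times are taken to be in the client's local time, and an explicit exclusion always wins over an inclusion:

```python
import ipaddress
from datetime import datetime, time

# Constructed scope document with hypothetical values; the real one is written by the
# client and signed before testing starts. Times are interpreted in the client's local time.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "2001:db8:10::/48"],
    "in_scope_hosts": ["www.example.com", "api.example.com"],
    # Exclusions may be single IPs, networks or hostnames; they beat inclusions.
    "out_of_scope": ["203.0.113.7", "203.0.113.64/26", "mail.example.com"],
    # 18:00 to 06:00 crosses midnight; weekdays_only would additionally block Sat/Sun.
    "window": {"start": time(18, 0), "end": time(6, 0), "weekdays_only": False},
}


def _parse(entry):
    """Turn a scope entry into an IP address, a network, or a normalised hostname string."""
    for parser in (ipaddress.ip_address, lambda s: ipaddress.ip_network(s, strict=False)):
        try:
            return parser(entry)
        except ValueError:
            pass
    return entry.strip().lower().rstrip(".")


def _matches(target, entry):
    """Does a parsed target fall under a parsed scope entry?"""
    if isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        is_ip = isinstance(target, (ipaddress.IPv4Address, ipaddress.IPv6Address))
        return is_ip and target in entry  # 'in' is False across IPv4/IPv6 versions
    return target == entry


def in_window(now, window):
    """True if 'now' lies inside the agreed testing window."""
    if window.get("weekdays_only") and now.weekday() >= 5:
        return False
    start, end, t = window["start"], window["end"], now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window crosses midnight


def check_target(target, now, scope=SCOPE):
    """Return (allowed, reason). Call this before any packet is sent to 'target'."""
    if not in_window(now, scope["window"]):
        return False, "outside agreed testing window"
    t = _parse(target)
    for entry in scope["out_of_scope"]:
        if _matches(t, _parse(entry)):
            return False, f"explicitly excluded by {entry}"
    for entry in scope["in_scope_networks"] + scope["in_scope_hosts"]:
        if _matches(t, _parse(entry)):
            return True, f"covered by {entry}"
    return False, "not listed in scope"


if __name__ == "__main__":
    now = datetime(2026, 3, 10, 22, 0)
    for target in ["203.0.113.20", "203.0.113.7", "203.0.113.100", "API.example.com.", "192.0.2.1"]:
        print(target, check_target(target, now))
```

Hostnames are matched literally, so a wildcard such as *.example.com in the real scope document has to be expanded into the names found during reconnaissance before they are passed in; resolving a listed hostname to an IP that is outside every in-scope network is exactly the situation the exclusion list and the reason string are there to surface.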

How often should you do a pentest?

Compliance baseline: annually. PCI DSS requires external and internal penetration testing at least once every 12 months and after significant changes; NIS2, ISO 27001 and many customer contracts expect regular testing without fixing an interval, and annual is the accepted norm.

Practically recommended:

  • Continuous automated scanning daily
  • Manual pentest annually + after major changes (new architecture, new API, M&A)
  • Red Team engagement every 2-3 years for mature organizations

The reason is simple: an annual pentest leaves the rest of the year exposed to anything that appears between tests. Automated scanning run daily can flag a newly published CVE in your stack as soon as the scanner has a check for it.

What does a pentest cost?

In Sweden 2026:

  • Automated continuous scanning: from 249 SEK/month (pentesting.se)
  • Web application pentest: 15,000 – 150,000 SEK (depending on size + depth)
  • Network pentest: 25,000 – 200,000 SEK
  • Red Team: 200,000 – 1,000,000 SEK
  • AI app pentest (Vibecode): from 5,000 SEK

See the pentest price guide for deeper breakdown.

What makes a good pentester?

Technical skills (OSCP, GPEN, CRTP, etc.) are foundational. What separates a good pentester from a good report-generator:

  1. Ability to understand business context, which vulnerabilities matter for this specific business
  2. Clear written communication, the report must be readable for management, not just technicians
  3. Creativity, tools catch what tools find. Pentesters find what tools miss.
  4. Experience with attack chains, individual vulnerabilities are often info-level; chains are critical.

Do you need a pentest right now?

You need a pentest if any of this applies:

  • You're covered by NIS2 (see our NIS2 guide)
  • You have ISO 27001 certification or are aiming for one
  • You take card payments (PCI DSS)
  • You have customers or suppliers requiring it in contracts
  • You handle personal data, financial data, health data, or IP
  • You've launched a new application in the past year
  • You haven't done a pentest in the past 12 months

Pentesting.se combines automated daily scanning with the option to add manual artisanal pentest by Swedish security consultants. See our pentest services or run a free security healthcheck.


Want to see what your external attack surface actually looks like? Free health check, no credit card, two minutes.