Select regional store:

Penetration Testing Levels

Every organization has something worth stealing, whether it’s personal information, payment card data, medical records, or intellectual property. Cyber criminals know this and usually cast a broad net with their attacks, looking to exploit any weaknesses.

Small and medium-sized enterprises (SMEs) are especially vulnerable to cyber attacks. This is partly because many SMEs don’t consider themselves targets and so don’t do enough to protect themselves, but even those that are aware of the risks often don’t have sufficient resources to defend themselves.

Because so few organizations have thorough cybersecurity measures in place, a penetration test will be one of the first significant steps they take to becoming secure. Performing a test might seem undesirable. However, investing in regular penetration tests is a much better prospect than the alternative. 

Secure your organisation with penetration testing

Want to know more about our level 1 packed solutions, or our level 2 penetration testing packages? Get in touch with one of our penetration testing experts today.

Speak to an expert

Penetration testing levels

At IT Governance, we offer two levels of penetration test to meet your specific budget and technical requirements:


Level 1 penetration test

For the majority of organizations, a level 1 penetration test will be appropriate to help mitigate the threat of the opportunist attacker who is looking for easy targets by exploiting known vulnerabilities.

This test involves manual assessments with automated scans to assess the true extent of the vulnerabilities affecting your applications, systems, or networks. By combining a level 1 test with regular vulnerability scanning, you can prioritise the resolution of identified issues and establish a comprehensive assessment of your risks from external threats.

A level 1 penetration test requires minimal scoping and can be performed quickly and cost effectively, providing a good overview of your security posture if performed at regular intervals.


Level 2 penetration test

A level 2 penetration test is appropriate for organizations that may be specifically targeted by attackers, perhaps because of the information they hold or the nature of their business.

This level of test involves a painstakingly detailed process of identifying security holes and vulnerabilities in your hardware (including printers, fax machines, and workstations) and software, systems, or web applications and then trying to exploit them.

The extent of a level 2 penetration test means it takes time to perform and is usually only recommended to clients that require a complex cyber attack simulation.

Level 1 and level 2 penetration testing comparison chart 


Level 1

Level 2


To determine the potential vulnerabilities in target systems.

To determine whether your business is vulnerable to a hacker and whether you could detect an attack.


Identification and analysis of the vulnerabilities in your networks, systems, websites, web applications, or wireless networks.

Tests involve looking at vulnerabilities and trying to gain access to critical resources.

Target audience

Companies that want to go beyond ‘light-touch’ vulnerability scans or assess their cybersecurity baseline.

Companies that have a mature security program and want a full test of their network.

Skill level required



Emulates a real-world attack?




Agreed at outset.

Agreed at outset.

Fixed-price package?



Scoping call with a consultant



Testing methodology

Aligned with the OWASP.

Aligned with the OWASP.

Vulnerability scanning



Can be performed on-site?



Can be performed remotely?



Identification of false positives



Exploitation of vulnerabilities



Detailed report



Manual grading of risk and impact



An approach for determining your testing requirements

You should consider the following before embarking on any penetration test or vulnerability assessment project:

  1. Evaluate drivers for penetration tests

    Determine your goals based on an evaluation of relevant criteria, such as the impact of serious incidents, increased threat levels, or significant changes to business or IT processes.

    If your goal is to become PCI compliant, or to protect other specific data, you will need to work out the scope of that data environment and ensure it is segmented. If, on the other hand, you are responding to a breach at another or similar organization, try to understand what form the attack took and the underlying motivation.

    By understanding the motives and techniques of attackers, you can focus on building effective defences.

  2. Identify target environments

    Your penetration testing program should identify the target environments that need to be penetration tested.

    Ask yourself what your most valuable assets are. It may be your intellectual property, important business applications, key IT infrastructure, confidential data, or simply your reputation.

    Understanding what you need to protect – its value to you, its value to an attacker, and the impact of a loss in terms of operational, financial and reputational damage – will help you to determine an appropriate level of expenditure on protection.

  3. Prioritize your efforts

    Now you are ready to build a penetration testing program that will prioritize protecting your most valuable assets from your biggest threats. By combining frequent low-level vulnerability scanning with regular level 1 penetration tests of your estate and level 2 testing of your critical systems and assets, you can maximize the value of testing in the most efficient way.

This website uses cookies. View our cookie policy