
What Does a Penetration Test Actually Check? A Plain English Guide

Revelion Team · 6 min read

You have been told your business needs a penetration test. Maybe your insurance company asked for one, or a client included it in a supplier questionnaire, or your IT provider recommended it. You agreed, because it sounds important. But you are not entirely sure what it actually involves. What exactly does a pentest check? What will the report tell you? And do you need a computer science degree to understand the results? This guide answers all of those questions in plain, non-technical language. No jargon, no acronyms without explanations, and no assumptions about your technical background.

The Big Picture: What a Pentest Is Trying to Do

A penetration test simulates a real cyberattack against your systems. The goal is to find out whether an attacker could break in, what they could access if they did, and how much damage they could cause. Think of it as a fire drill for your digital security. You want to discover the weaknesses before someone with bad intentions does.

The test looks at everything that is connected to the internet and could potentially be reached by an outsider. That typically means your website, your network, your email configuration, your cloud services, and any apps or integrations you use. Let us walk through each one.

Your Website

Your website is usually the most visible part of your business online, and it is often the first thing a pentest examines. The test checks several things that matter to you as a business owner.

Can someone access areas they should not? Most websites have an admin panel, a content management system, or a back-end dashboard. The pentest checks whether an outsider could find and access these areas. Sometimes admin pages are left exposed at predictable addresses (like yoursite.com/admin), making them easy targets.

Can someone steal customer data? If your website collects any information from visitors, whether that is contact details, payment information, or account credentials, the pentest checks whether that data can be intercepted or extracted. This includes testing whether forms can be manipulated and whether data is properly encrypted when it travels between the visitor's browser and your server.

Can someone upload malicious files? If your website allows any kind of file upload (profile pictures, documents, attachments), the test checks whether those upload features can be abused to place harmful code on your server.

Can someone trick your login page? Attackers often try techniques like “brute forcing” (trying thousands of password combinations very quickly) or exploiting flaws in the login process to gain access to user accounts. The pentest checks whether your login system is resilient against these attacks.

Your Network

Your network is the collection of devices, connections, and services that make your business run. The pentest looks at your network from the outside, the way an attacker on the internet would see it.

Are any doors left open that should not be? In networking terms, “doors” are called ports. Every service that runs on your network (email, web, file sharing, remote access) uses a specific port. The pentest scans your network to find which ports are open and whether any of them are exposed unnecessarily. An open port that nobody is using is like leaving a side entrance to your building unlocked.

Are there services running that you do not know about? It is surprisingly common for businesses to have old or forgotten services still running on their network. An old file server, a test environment that was never shut down, or a remote access tool that was installed for a one-off project and forgotten. These forgotten services are often unpatched and unmonitored, making them easy targets.

Could someone on your WiFi access internal systems? If your business has a WiFi network, the pentest may check whether someone who connects to it (a visitor, a neighbouring office, or someone sitting in the car park) could reach systems that should only be accessible to staff.

Your Email

Email might not seem like something that needs “testing,” but it is one of the most common attack vectors for businesses of all sizes. The pentest checks your email configuration to answer two important questions.

Can someone send emails pretending to be you? This is called email spoofing, and it is used in phishing attacks constantly. An attacker sends an email that looks like it comes from your company (using your domain name) to trick your clients, suppliers, or employees into clicking a link or sending money. Your email system has settings (called SPF, DKIM, and DMARC records) that are designed to prevent this. The pentest checks whether those settings are properly configured.

Are your email security settings right? Beyond spoofing prevention, the test checks whether your email is using encryption when sending messages, whether your mail server is configured to resist common attacks, and whether there are any misconfigurations that could leak information about your organisation.
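As an added illustration (not code from the original guide or from Revelion), here is how a check of the SPF and DMARC settings mentioned above can be expressed in code. The record values are constructed examples, not any real domain's records, and a real check would first fetch the TXT records from DNS.

```python
"""Flag weak SPF and DMARC records the way a pentest report would.
Record strings below are constructed examples for this guide."""
import re

# A valid SPF record ends with an "all" mechanism such as -all or ~all.
ALL_MECHANISM = re.compile(r"^[+\-~?]?all$")


def check_spf(record):
    """Return a list of plain-English findings for an SPF TXT record (empty means OK)."""
    if record is None:
        return ["no SPF record: any server can claim to send mail as this domain"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF record does not start with v=spf1, so receivers will ignore it"]
    findings = []
    all_term = next((t for t in record.split()[1:] if ALL_MECHANISM.match(t)), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders are not rejected")
    elif all_term in ("+all", "all"):
        findings.append("SPF ends with +all: every server on the internet is authorised")
    elif all_term == "?all":
        findings.append("SPF ends with ?all (neutral): forged mail is not rejected")
    return findings


def check_dmarc(record):
    """Return a list of plain-English findings for a DMARC TXT record (empty means OK)."""
    if record is None:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC record is missing v=DMARC1, so receivers will ignore it"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC has no p= policy tag")
    elif policy == "none":
        findings.append("DMARC policy is p=none: spoofed mail is reported but not blocked")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you will not receive aggregate reports")
    return findings


# Constructed sample records: a weak pair and a properly configured pair.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"
```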

Your Cloud Services

If your business uses cloud platforms like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud, the pentest checks whether those services are configured securely. Cloud platforms are powerful, but they come with hundreds of settings, and getting even one wrong can expose your data.

Are your settings exposing data? One of the most common cloud security issues is misconfigured storage. Businesses accidentally leave file storage areas (called “buckets” in AWS terms) accessible to anyone on the internet. The pentest checks whether any of your cloud storage, databases, or services are publicly accessible when they should be private.

Are there databases accessible from the internet? Databases should almost never be directly reachable from the public internet. But misconfigurations, especially in cloud environments, sometimes leave them exposed. The pentest identifies any databases or internal services that can be reached from outside your network.

Your APIs and Integrations

If your business has a mobile app, or if your systems connect to other services through integrations, those connections are tested too. An API (application programming interface) is the behind-the-scenes channel that lets different software systems talk to each other. For example, when your website connects to a payment processor, or when your mobile app pulls data from your server, they are using APIs.

The pentest checks whether someone could abuse these connections to access data they should not see, perform actions they should not be able to perform, or extract information by sending unexpected requests. API vulnerabilities are increasingly common because many businesses add integrations quickly without thoroughly testing the security of each connection.

What the Report Looks Like

After the test is complete, you receive a report. A good pentest report is not a wall of incomprehensible code. It is structured so that non-technical people can understand and act on it.

Each finding in the report includes four things. First, a severity rating: critical, high, medium, or low. This tells you how urgently it needs to be addressed. Critical findings mean an attacker could cause serious damage right now. Low findings are minor issues that should be fixed but are not immediately dangerous. Second, a plain English description of the problem. Not “CVE-2024-12345 detected,” but “your admin login page does not limit failed password attempts, which means an attacker could try thousands of passwords until they guess correctly.” Third, an explanation of why it matters and what an attacker could do with this weakness. Fourth, step-by-step instructions for fixing the issue.

You do not need to understand the technical details yourself. The report is designed to be handed to whoever manages your technology. Your web developer, your IT provider, or your internal IT team can read the fix instructions and implement them directly. Your job as the business owner is to make sure the critical and high-severity items get addressed promptly.

How Long Does It Take?

With traditional penetration testing, the process from initial enquiry to receiving a report could take anywhere from two to six weeks. That includes scoping calls, scheduling, the testing window itself, and the time it takes the consultant to write up findings.

AI-powered pentesting is dramatically faster. With Revelion, you can start a test in minutes and receive results within hours. There is no scheduling delay, no waiting for a consultant to become available, and no weeks-long report writing process. The AI conducts the tests and generates the report automatically. If you need a pentest report for a compliance deadline next week, that is entirely achievable.

What Does It Cost?

Traditional penetration testing typically costs between £10,000 and £30,000 per engagement. That pricing reflects the cost of employing highly skilled security consultants, and it puts regular testing out of reach for most small and medium-sized businesses.

AI pentesting changes the cost structure entirely. With Revelion, individual tests start from £10. If you want ongoing, continuous monitoring of your systems, plans start from £99 per month. This makes it practical to test regularly, not just once a year when the auditor asks.

Ready to See What a Pentest Finds?

Now you know what a penetration test examines and what to expect from the report. The next step is running one. You might be surprised by what it finds, and you will certainly be better off knowing about vulnerabilities before an attacker discovers them. For more on why security testing matters for businesses of every size, read Do Small Businesses Need Penetration Testing? Or learn more about how autonomous AI pentesting works.

Start free with 20,000 credits, no card required. Your first results could be ready by this afternoon.
