
4 Apr 2025


The Pen Testing Value Triangle: Connecting Teams, Providers, and Objectives


Penetration testing has developed a reputation problem. What should be a valuable security exercise has too often become a mere checkbox activity — something organisations do twice a year because compliance demands it, not because it genuinely improves their security posture.

At Chaleit, we've observed this pattern repeatedly and decided it's time to challenge the status quo. The problem isn't that organisations don't understand they need pen testing or that testing providers don't know how to perform technical assessments. The issue lies in how these two sides work together.

This is why we're launching our new series, Penetration Testing Decoded: Essential Knowledge, Unexpected Approaches. Through these articles, we'll unpack critical penetration testing concepts with fresh perspectives that challenge conventional practices.

For this inaugural article, we invited Kevin O'Sullivan, an experienced cyber security strategy consultant, to contribute his insights on this topic. With his background of advising organisations on security operations and strategy, Kevin offers a valuable perspective on the challenges of current pen testing models.

"There's a misaligned expectation and ineffective collaboration between the professional services firm doing the pen testing and the customer," he confirms.

That's a good place to start. Let's unpack the causes and implications of this situation. 

The penetration testing commodity trap

The current model of penetration testing often falls into what we call the "commodity trap." It typically unfolds like this: an organisation issues a tender for a standard external pen test, specifying IP addresses and basic requirements. Security firms compete primarily on price, leading to a race to the bottom where the lowest bidder wins.

"There's always a tension in service organisations — balancing the drive to win work and stay competitive with the need to deliver meaningful, high-quality outcomes."

"It's tempting to undercut competitors to secure deals, but customers need to understand that low-cost, commodity-driven pen testing often stops at ticking a box, rather than truly addressing their security objectives," notes Kevin.

The result is far from optimal. Organisations receive lengthy reports filled with findings that often gather dust or overwhelm already stretched security teams.

Real security improvement becomes secondary to fulfilling contractual obligations.

Rethinking the purpose of offensive security

Perhaps we should start by reconsidering terminology.

Instead of "penetration testing," which carries connotations of isolated assessments, we might better serve organisations by talking about "offensive security" as an ongoing capability that complements defensive measures.

The most profound insight from the Chaleit team’s discussions with industry leaders is that offensive security works best when it operates as a support network for internal security teams — not as an adversary.

"Offensive security's value emerges when you're doing it in partnership with the rest of your support organisation," Kevin states. "If you're acting as a white hat coming in ethically, you're teaming up together to strengthen your cyber defences against the real bad actors."

Reversing the traditional pen testing approach

Have we been approaching penetration testing backward all along?

The standard model starts with surprise attacks to simulate real threats, often stressing already overwhelmed SOC teams. But Kevin suggests flipping this approach:

"We're approaching this backwards. Overburdening an already stressed SOC with surprise pen tests is counterproductive. Instead, collaborative engagements, where the SOC is aware and involved, allow for shared improvement against real threats. Surprise testing has its place, but timing is crucial."

This perspective shift raises a powerful question: Why use pen tests to train your SOC when real attacks happen all day, every day?

The answer lies in purpose and balance. When offensive security teams work collaboratively with defenders, they aren't just simulating threats but helping to rebalance the asymmetrical battle between defenders and threat actors. This collaboration creates a powerful security equilibrium, building detection capabilities, refining response procedures, and creating a feedback loop that improves overall security posture.

By acknowledging that defenders are already fighting real adversaries daily, offensive security becomes a force multiplier for internal teams — not just a burden. After all, it's not about scoring points against your defenders but about improving your defence against the actual adversaries.

This rebalanced relationship sets the stage for the next important evolution in penetration testing: moving from lengthy reports to active collaboration.

From lengthy reports to active collaboration

Another area that needs improvement is how findings are communicated. The traditional model produces comprehensive reports weeks after testing concludes, often spanning dozens of pages with findings that require significant triage and prioritisation.

"It becomes very complex and noisy," Kevin observes. "It's hard to prioritise. Where do you focus?" A better approach involves real-time communication throughout the testing process:

"If I've engaged a pen tester who's working through their scenarios and they say, 'We've found a critical vulnerability here,' I want them to work with my support network to close that threat immediately and then continue their test," Kevin explains.

This model creates immediate security value rather than deferred action plans that may never be fully implemented.

It also has the added advantage of sharpening incident response capabilities, helping teams build muscle memory for how they would react in a real-world attack scenario.

Co-designing cyber security value

The most promising way forward involves co-designing security testing rather than treating pen tests as isolated purchases. Testing thus becomes a strategic investment, not just a commodity.

We've seen this approach work wonders in practice. For a stock exchange-listed financial services company, Chaleit transformed what began as multiple ad-hoc security assessments into a streamlined framework that eliminated traditional reporting methods in favour of digital collaboration through the client's existing tools. The results were remarkable: a 50% reduction in remediation costs, a 30% decrease in testing costs, and retest times cut from days to minutes.

When security testing becomes a true cyber security partnership, success metrics change dramatically. Instead of counting vulnerabilities found, organisations can measure actual security improvements:

"Through offensive security collaboration, we might identify that certain detection rules aren't properly catching indicators of compromise. We tune them and immediately gain better visibility around our detection capabilities. That's what I want to see," Kevin notes.

The collaborative model results in a triangle of value between the security provider, the internal security team, and the security objectives — focusing everyone on outcomes rather than outputs.

Key takeaways

  1. Rethink the relationship. Position offensive security as a support network for your internal teams, not as adversaries.

  2. Reverse the testing order. Start with collaborative, announced testing to build capabilities together before moving to surprise testing.

  3. Communicate in real time. Replace lengthy after-action reports with ongoing communication and immediate remediation of critical findings.

  4. Co-design your programme. Work with pen testing partners to design a programme that delivers strategic value, not just technical assessments.

  5. Focus on outcomes. Measure success by improved security capabilities, not just vulnerabilities identified.

If your organisation still treats penetration testing as a periodic checkbox exercise, it's time to consider a different approach. The most effective security programmes view offensive security as an integral part of their overall security strategy, working alongside defensive measures to create a more resilient posture.

At Chaleit, we've perfected this collaborative model, helping organisations transform security testing from a compliance obligation into a strategic advantage. Contact us to discuss how our concierge pen testing services can deliver meaningful security improvements for your organisation.
