Penetration testing has become a standard practice for most organisations. Companies commission pen tests, receive reports, and tick the compliance box. Yet despite these efforts, organisations continue to suffer breaches.
The disconnect is clear: traditional pen testing isn't delivering on its promise. At Chaleit, we've examined why this happens and how to fix it. Recently, we spoke with Jacob Thampi, VP and Divisional Information Security Officer at QBE North America, to get his perspective on what effective penetration testing should look like.
Real-world impact
Recent high-profile breaches at major retailers like Marks and Spencer, Co-op, and Harrods remind us that security breaches can happen to any organisation. This raises important questions about how effectively standard security testing identifies and addresses actual risks.
Poor pen testing can have severe consequences.
“In the event of a security incident, the fact that we’ve performed pen tests will lead to questions like: Wasn’t the purpose of those tests to prevent exactly this kind of thing? Why didn’t they?” Jacob points out.
This underscores the importance of changing the way organisations approach security assessments. When pen testing is treated as a meaningful security activity rather than a compliance exercise, it becomes part of a broader security programme that can genuinely improve an organisation's security posture.
Context makes all the difference
Jacob talks about "penetration testing with context" — a concept that goes well beyond the typical service delivery model.
"We need to deliver pen testing with context," he emphasised. "While compliance is a major driver, which I see as a positive, simply providing the output without that context isn't sufficient."
Pen testing shouldn't just be about identifying vulnerabilities. It should be about understanding what those vulnerabilities mean within the specific context of an organisation's systems, controls, and business priorities.
The reality is that many pen testing engagements fall short by simply regurgitating automated scan results. Jacob shared a personal experience that highlights this problem: "I remember early on running a security assessment tool and receiving a third-party report that was an exact copy of the tool's output."
Unfortunately, this practice continues today. Some vendors attempt to disguise it by rewriting vulnerability descriptions, perhaps using AI-generated content, but the value remains minimal if the context is missing.
Reaffirmation vs. discovery
Jacob offers an insightful perspective on the purpose of pen testing. Rather than viewing these assessments as purely discovery exercises, he suggests they should serve to "reaffirm" what an organisation already knows about its security posture.
He pointed out that it's more than just running tests. It's about developing a deeper understanding of your environment through a new lens.
Organisations often already conduct vulnerability assessments and have a sense of their weak points. What they need isn't always new information, but confirmation from a different angle that can validate or challenge their existing understanding.
Focus on trust, not transaction
What's the key to conducting more meaningful pen tests? Jacob advocates for a shift from transactional service delivery to relationship-based security partnerships.
As he puts it:
"The one big word we need to remind everybody of is trust. If you don't talk in a way that gains somebody's trust, you will set yourself up for failure with that relationship in the future."
This means moving beyond the ego-driven "prove yourself" mentality that often characterises pen testing engagements. Instead, testers and clients should work collaboratively, recognising that both parties bring valuable perspectives to the table.
Jacob reflected that the most effective collaborators are those who involve you in the process. He acknowledged the universal constraints faced by companies, stating, "We understand that when I talk with certain companies, they say you're limited in time and money, and those are ultimately what everybody's dealing with."
Mission alignment
What does this collaborative approach look like in practice? We've come to think of it as "mission alignment" — the idea that both the security provider and the client must be working toward the same security goals with mutual accountability.
This alignment includes several key elements:
Understanding the client's unique environment — including their systems, controls, and business priorities.
Holding each other accountable — creating clear expectations and following through.
Moving from testing to understanding — seeking to comprehend the client's security posture rather than simply finding flaws.
Discussing controls and risk meaningfully — examining both inherent and residual risk.
Jacob concludes:
"My conviction is that all our service providers play a vital role in our success. When we approach it this way, it ideally results in two key achievements: they meet our service expectations, and they cultivate the trust that paves the way for continued partnerships."
Key takeaways
Context is essential — Penetration testing should be conducted with a deep understanding of the client's specific environment and priorities.
Reaffirm and enhance — Good pen testing validates what you already know while providing new perspectives.
Build trust-based cyber security partnerships — Move beyond transactional relationships to create collaborative security partnerships.
Align on mission — Both providers and clients should be working toward the same security goals with mutual accountability.
Focus on improvement — The ultimate goal should be understanding what we need to improve, rather than simply identifying vulnerabilities.
At Chaleit, we've reimagined the entire penetration testing process based on these principles. We start testing quickly, create smart scopes that match your actual needs, deliver useful reports with actionable insights, and integrate with your existing workflows.
Most importantly, we believe in being partners, not vendors — providing ongoing support without extra charges or complicated processes.
If you're ready to experience penetration testing that delivers real value rather than just ticking boxes, we'd love to have a conversation about your security challenges. Let's start building security that works. Book a security health check →