Yes, a penetration test can potentially disrupt production, but this depends heavily on the methodology used, the level of aggressiveness authorized, and the maturity of the infrastructure being tested. For example, exploiting certain vulnerabilities can cause service restarts, access blockages, or performance degradation.
That's why it's essential to define a clear framework before any test, including authorized time slots, systems to exclude (or duplicate in a test environment), and backup measures. Professional pentesters apply non-destructive techniques, but close communication with the IT team remains essential to anticipate and manage potential impacts.
A pentest can sometimes reveal a zero-day vulnerability, but it is not guaranteed. Pentests primarily rely on known vulnerabilities (CVEs, misconfigurations, risky practices), but it is possible that a manual test, a particular attack logic, or intuition may lead to the discovery of a previously unknown vulnerability.
However, the discovery of zero-days during a pentest remains rare and depends on the depth of the analysis, the experience of the testers, and the complexity of the system being tested. For this reason, some very advanced pentests include fuzzing or code audit phases specifically aimed at finding zero-days, particularly in high-stakes contexts (defense sector, finance, critical infrastructures).
A penetration test, or pentest, is a security assessment that involves simulating a real attack on a computer system, network, or application in order to identify exploitable vulnerabilities. The goal is to detect weaknesses before an attacker discovers them, and to provide concrete recommendations to strengthen security.
Unlike purely document-based audits, a pentest relies on offensive techniques similar to those used by real attackers. It may include exploiting software flaws, compromising accounts, or bypassing firewalls. It is often performed in addition to an automated scan to assess not only the presence of vulnerabilities, but also their actual exploitability in the target context.
The main difference between black box, gray box, and white box testing lies in the level of information provided to the tester before starting the simulated attack.
Each approach has its advantages, and the choice depends on the objectives of the test and the level of risk to be covered.
A vulnerability scan is an automated analysis performed by a tool that examines a system or application for known vulnerabilities, typically by comparing software versions or testing configurations. It is fast and inexpensive, but often produces raw or incomplete results, with false positives.
A pentest, on the other hand, goes beyond detection: it seeks to actually exploit vulnerabilities to demonstrate their concrete impact. It is a manual and methodical process that validates detected vulnerabilities, identifies new ones, and provides realistic attack scenarios. The pentest is therefore much more thorough and contextual, but requires time, expertise, and planning.
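As an added illustration (not code from the original page), the following shows the kind of version-banner comparison an automated scanner performs, and why its output needs manual validation: the advisory data and SSH banners are constructed placeholders, and a distribution build tag in the banner is what turns a confident hit into a finding the pentester must confirm by hand.

```python
"""Version-banner matching as a vulnerability scanner does it, and the
false-positive case that a pentester has to validate manually."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder advisory: NOT a real CVE, illustrative data only.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "product": "OpenSSH", "fixed_in": (7, 5)}

# Matches "OpenSSH_<major>.<minor>[pN] [vendor build tag]" inside an SSH banner.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S+))?")


@dataclass
class Finding:
    host: str
    advisory: str
    confidence: str   # "high" = version alone is decisive; "needs-validation" otherwise
    reason: str


def scan_banner(host: str, banner: str) -> Optional[Finding]:
    """Flag a host if its advertised OpenSSH version is below the fixed version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None  # not the product covered by the advisory
    version = (int(m.group(1)), int(m.group(2)))
    vendor_tag = m.group(3)  # e.g. "Debian-10+deb9u7" on a distribution build
    if version >= ADVISORY["fixed_in"]:
        return None  # upstream version already carries the fix
    # A pure version comparison stops here and reports a vulnerability.
    if vendor_tag:
        # Distribution packages often backport security fixes without bumping the
        # upstream version number, so this is the classic scanner false positive:
        # the pentest must actually test the service before reporting it.
        return Finding(host, ADVISORY["id"], "needs-validation",
                       f"upstream {version[0]}.{version[1]} is below the fix, "
                       f"but vendor build {vendor_tag} may include a backported patch")
    return Finding(host, ADVISORY["id"], "high",
                   f"upstream {version[0]}.{version[1]} is below the fixed version")


if __name__ == "__main__":
    # Constructed sample banners, as a scanner would collect them from a port sweep.
    for host, banner in [("10.0.0.5", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
                         ("10.0.0.6", "SSH-2.0-OpenSSH_7.4p1"),
                         ("10.0.0.7", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6")]:
        print(host, scan_banner(host, banner))
```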