FAQs — ECHO Pentest

Frequently Asked Questions

It’s completely normal to have questions before committing to a penetration test. Below are some of the most common ones I hear from small and mid-size organisations.

What is a penetration test, exactly?

A penetration test is a controlled, authorised security assessment where I simulate how an attacker might try to compromise your systems, applications or users — within a clearly defined scope. The goal is to identify and demonstrate real weaknesses so you can fix them before someone malicious does.

Will testing disrupt my systems?

The aim is always to avoid disruption. Many tests can be performed against staging environments, and when production testing is required, the approach is carefully chosen to minimise risk. Any high-risk activities are agreed in advance and, where possible, scheduled for low-usage windows.

How long does a typical engagement take?

It depends on the size and complexity of the scope. A focused test of a smaller web application might take around 3–5 days of testing plus reporting time, whereas broader network or scenario-based assessments can take longer. I’ll always give you a realistic estimate during scoping.

Do you need full access to everything?

No. Scope is agreed based on your needs and risk tolerance. For example, I might be authorised to test a specific web application, a defined range of internal IP addresses, or a subset of cloud resources. The point is to be realistic and focused, not to “break everything”.

What do I get at the end of the test?

You receive a structured report including:

An executive summary in plain language
Technical findings with evidence and impact
Risk ratings and prioritisation
Clear remediation guidance and next steps

Where useful, I’m also happy to walk through the results with you and your team.

Are you going to “hack” staff without telling them?

No. Even for phishing or social engineering work, everything is agreed with management first, and the goal is to build awareness and improve processes — not to publicly shame individual staff. Any simulated attacks are controlled, time-bound and documented.

Can you help after the test if we need support?

Yes. I can assist with clarifying findings, prioritising remediation, and retesting specific issues once fixes are in place. The level of follow-up support can be agreed as part of your engagement.

Do you sign NDAs and legal agreements?

Absolutely. Every engagement includes appropriate documentation such as a Scope of Work, Rules of Engagement, Authorization to Test, and — where required — an NDA to protect your information.

How do we get started?

You can either:

Use the Book a Pentest form to provide initial details, or
Send a message via the Contact page if you’d prefer to ask a few questions first.