What Is Penetration Testing (Pentest)?

Why Thai Organisations Need It and How to Get Started

A professional English translation of the Thai Pentest guide, adapted into a clear cybersecurity business tone for SecStrike audiences.

What Is Penetration Testing?

Penetration testing, or Pentest, is a planned simulation of a cyberattack. Security experts, often called ethical hackers, test an organisation’s systems as if they were real attackers in order to find vulnerabilities before criminals discover them.

This guide covers the key points organisations should understand about penetration testing: the basic concept, types of testing, common engagement phases, relevant Thai regulatory considerations, and how to choose the right testing provider.

Pentest Explained in Plain Language

Imagine hiring a professional locksmith to test the security of your house. They try the locks, check the windows, inspect the security cameras, and report the weak points so you can fix them before a real thief arrives.

Penetration Testing does the same thing, but for an organisation’s computer systems, web applications, networks, and mobile applications.

Pentest vs Vulnerability Assessment (VA Scan)

Many people confuse Penetration Testing with Vulnerability Assessment (VA), but they are not the same service.

Area             | Vulnerability Assessment (VA)                     | Penetration Testing (Pentest)
Method           | Uses automated tools to scan for vulnerabilities. | Security experts perform deeper testing with tools and manual techniques.
Depth            | Identifies which vulnerabilities may exist.       | Tests whether those vulnerabilities can actually be exploited.
Output           | A vulnerability list with severity levels.        | Evidence of real exploitation plus business impact.
Typical duration | 1-3 days.                                         | 5-25 days, depending on scope.
Best suited for  | Initial checks and regular assessments.           | High-value systems and pre-go-live validation.

In simple terms: VA tells you, “There is a door with a weak lock.” Pentest tells you, “I opened that door, reached the vault, and can show evidence of what could be accessed.”

Types of Penetration Testing

By Target

1. Web Application Penetration Testing

This tests the security of web applications against standards such as the OWASP Web Security Testing Guide (WSTG). Common test areas include:

·        SQL Injection and Cross-Site Scripting (XSS).

·        Broken Access Control: whether users can access data belonging to other users.

·        Authentication Bypass: whether login or authentication mechanisms can be bypassed.

·        Business Logic Flaws: weaknesses in business processes, such as manipulating prices in a shopping cart.

2. Mobile Application Penetration Testing

This tests iOS and Android applications using standards such as the OWASP Mobile Application Security Testing Guide (MASTG). Common test areas include:

·        Insecure Data Storage: whether sensitive data is stored without adequate protection or encryption.

·        Certificate Pinning: whether the application properly verifies server certificates.

·        Binary Protections: how well the application resists reverse engineering.

For banking and fintech applications, mobile application testing is especially important in the context of relevant Bank of Thailand requirements.

3. Network Penetration Testing

This assesses the security of network infrastructure, both externally and internally:

·        External testing: testing from the outside, as an attacker on the internet would.

·        Internal testing: testing from inside the network, simulating a compromised employee account or an attacker who has already gained internal access.

·        Common areas include Active Directory attack paths, Kerberoasting, lateral movement, and privilege escalation.

4. Cloud Penetration Testing

This tests the security of cloud environments such as AWS, Azure, and GCP. Typical areas include:

·        IAM misconfigurations: excessive or unnecessary permissions.

·        Storage exposure: public S3 buckets or blob containers.

·        Container and Kubernetes risks, including container escape scenarios.

·        Serverless function abuse.

5. Smart Contract Audit

This reviews the security of smart contracts on blockchain platforms. Common issues include:

·        Reentrancy attacks and integer overflow.

·        Access control flaws.

·        Logic vulnerabilities that could lead to financial loss.

Smart contract audits are important for digital asset businesses operating under relevant Thai regulatory oversight.

By Level of Information Provided

Type      | Information Provided to the Testing Team                               | Best Suited For
Black Box | No internal information is provided.                                   | Simulating an external attacker.
Gray Box  | User accounts, API documentation, or partial information are provided. | Balancing realism with broader test coverage.
White Box | Source code and system architecture are provided.                      | The deepest and most comprehensive review.

Recommendation: for critical systems, such as core banking platforms or payment systems, Gray Box or White Box testing is usually preferable because it provides more complete coverage within a limited testing window.

Penetration Testing Process

Phase 1: Planning & Scoping

·        Define the testing objectives and scope.

·        Agree the Rules of Engagement: which systems may or may not be tested, and when testing is allowed.

·        Identify compliance requirements such as BOT, PDPA, PCI DSS, or ISO 27001.

·        Define emergency contact channels.

Output: a clear scope, agreed Rules of Engagement, and a testing plan.

Phase 2: Vulnerability Discovery & Exploitation

The testing team typically works across two parallel workstreams:

Automated scanning:

·        Use specialist tools such as Burp Suite Professional, Nessus, and Nuclei.

·        Identify known vulnerabilities and common misconfigurations.

Manual testing by experts:

·        Test business logic flaws that automated tools may not detect.

·        Test authentication and authorisation bypass scenarios.

·        Test IDOR (Insecure Direct Object Reference), where changing an identifier allows access to another user’s data.

·        Test against common areas such as the OWASP Top 10.
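As an added illustration of the Broken Access Control and IDOR checks listed above (example code written for this article, not SecStrike's tooling or any client system), the Python below shows a minimal invoice lookup in two forms: the vulnerable handler trusts a client-supplied identifier, the hardened handler enforces ownership against the server-side session identity, and a small retest helper performs the kind of pass/fail check used in Phase 4 verification. The function names, the Invoice type, and the invoice records are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 2500),
    1002: Invoice(1002, "bob", 9900),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """IDOR pattern: the handler uses the id sent by the client and never
    checks that the authenticated user actually owns that record."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session_user: str, invoice_id: int) -> Invoice:
    """Hardened version: look the record up, then enforce ownership against
    the identity established by the session, not by anything the client sent."""
    invoice = INVOICES.get(invoice_id)
    # Treat "does not exist" and "not yours" identically so the response does
    # not reveal which identifiers exist (avoids an enumeration oracle).
    if invoice is None or invoice.owner != session_user:
        raise Forbidden(f"{session_user} may not read invoice {invoice_id}")
    return invoice


def retest_idor(handler, session_user: str, other_users_id: int) -> bool:
    """Phase-4 style retest: True if the handler refuses a cross-user request
    (finding fixed), False if the other user's data is still returned."""
    try:
        handler(session_user, other_users_id)
    except Forbidden:
        return True
    return False
```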

Important: Critical findings should be escalated during testing rather than waiting until the final report, so the client can act quickly where risk is severe.

Output: preliminary vulnerability findings, CVSS scoring where appropriate, and evidence of exploitation.

Phase 3: Remediation Consulting

A professional penetration test should not end with a PDF report. The provider should help the client understand how to fix the issues found.

·        Provide code-level remediation guidance where relevant.

·        Prioritise remediation based on real business risk, not CVSS score alone.

·        Meet with developers or technical teams to explain how to fix the issue.

·        Track remediation progress through the client’s bug tracker where applicable.

Output: a practical remediation plan with clear priorities.

Phase 4: Verification Testing

After developers fix the vulnerabilities, the testing team validates whether the fixes are effective.

·        Retest to confirm each vulnerability has been fixed correctly.

·        Check that the fix has not introduced new vulnerabilities.

·        Confirm whether compensating controls work as expected.

·        Capture before-and-after evidence.

Output: pass/fail retest results for each vulnerability.

Phase 5: Final Reporting

The final report should include:

·        Executive Summary: a clear management-level summary with the overall risk posture.

·        Technical Report: detailed findings, CWE/CVE mapping where applicable, exploitation steps, and screenshot evidence.

·        Remediation Roadmap: short-term and long-term remediation recommendations.

Relevant Thai Legal and Regulatory Requirements

In Thailand, many organisations are required to conduct Penetration Testing under laws, regulations, or sector-specific requirements.

Bank of Thailand (BOT)

·        IT Risk Management Guidelines: financial institutions are generally expected to conduct penetration testing at least annually by an independent tester.

·        iPentest: D-SIB banks are required to conduct intelligence-led penetration testing under the TB-CERT framework.

·        Common coverage includes web applications, mobile banking, APIs, network infrastructure, and cloud environments.

Personal Data Protection Act (PDPA)

·        Section 37 requires data controllers to maintain appropriate security measures.

·        Penetration testing can provide evidence that those security measures work in practice.

·        Penalties may vary depending on the nature of the violation and the category of data involved.

·        Data breach notification may be required within specific timeframes depending on the incident and regulatory interpretation.

Securities and Exchange Commission, Thailand (SEC Thailand)

·        Digital asset business operators may be required to pass security assessments before licensing.

·        Relevant work may include smart contract audit, platform penetration testing, and CRAF assessment.

Office of Insurance Commission (OIC)

·        Insurance companies are expected to maintain comprehensive IT risk management.

·        Penetration testing is a direct part of IT risk management.

PCI DSS

·        Requirement 11.4: penetration testing is required at least annually for environments handling payment card data.

·        Requirement 11.3: vulnerability scanning is required quarterly by an Approved Scanning Vendor (ASV).

ISO 27001

·        A.8.8 Technical Vulnerability Management requires a process for managing technical vulnerabilities.

·        Penetration testing can support ISO 27001 readiness by demonstrating practical validation of security controls.


How to Choose a Pentest Provider

What to Consider

1. Professional certifications of the testing team: look for practical certifications such as OSCP, OSWE, eWPT, and eMAPT. These credentials involve hands-on testing, not only theory.

2. Experience in your industry: a provider that has tested banking systems will understand core banking business logic better than a team with no sector experience.

3. Testing methodology: ask which standards are used, such as PTES, OWASP WSTG, or OWASP MASTG. If the provider cannot answer clearly, treat it as a warning sign.

4. Post-report support: a strong report should include remediation consulting, not just a PDF delivered without explanation.

5. Compliance experience: if the report must be submitted to the BOT, SEC Thailand, or another regulator, the provider should understand the reporting format expected by that regulator.

Warning Signs

·        Unusually low pricing: if the pentest is priced like a VA scan, you may only be receiving a vulnerability scan.

·        A quotation without system details: if the provider does not know what they will test, they cannot scope the work accurately.

·        No sample report: a serious testing provider should be able to share a sanitised sample report with client details removed.


Frequently Asked Questions

How much does a Pentest cost?

Pricing depends on scope and complexity. The following ranges are rough starting estimates only:

Assessment Type    | Indicative Starting Range
Web Application    | ฿150,000 – ฿1,200,000
Mobile Application | ฿200,000 – ฿1,200,000
Network            | ฿150,000 – ฿700,000
Cloud              | ฿250,000 – ฿1,000,000

Note: the ranges above are preliminary estimates. Actual pricing depends on the scope, system complexity, and specific requirements. Discuss the scope with the provider to obtain an accurate quotation.

How long does it take?

A typical engagement takes around 1-4 weeks depending on scope, excluding remediation and retesting time.

How often should testing be performed?

·        BOT: at least once per year for applicable organisations.

·        PCI DSS: at least once per year and after any significant change.

·        Best practice: whenever there is a major release, infrastructure change, or at least annually for critical systems.


Will a Pentest bring down the production system?

No, not when performed professionally. A penetration test should have clear Rules of Engagement that define restrictions, such as avoiding DoS testing in production and setting emergency communication channels. Experienced testers understand which techniques can be safely used in production and which should be limited to staging environments.

What is VAPT?

VAPT stands for Vulnerability Assessment and Penetration Testing. It combines VA, which scans for vulnerabilities, with Pentest, which validates whether those vulnerabilities can be exploited. This gives both broad visibility from VA and deeper validation from Pentest in one assessment.


Conclusion

Penetration testing is not merely a compliance checkbox. It is an investment in reducing real-world risk. Compared with the potential damage of a serious data breach or operational disruption, the cost of testing is often a fraction of the potential loss.

Key takeaways:

·        Choose a provider with real experience, not just tools.

·        Focus on remediation, not only the report. A report left unused on a desk does not protect the organisation.

·        Test regularly. Systems change every day, and new vulnerabilities appear every day as well.

SecStrike provides Penetration Testing for networks, web applications, mobile applications, API endpoints, Wi-Fi networks, and AI systems.

Not sure where to start? Speak with the SecStrike team for a free consultation.
