This page answers common questions about how penetration testing is executed, how risks are handled during testing, and what customers can expect throughout the engagement.

Penetration Testing Engagement FAQs

Will penetration testing disrupt our operations?

No. Penetration testing is non-destructive by default.

We do not perform denial-of-service, stress testing, or actions intended to impact availability unless this is explicitly agreed in writing. Testing windows, environments, and constraints are confirmed before testing begins to minimize operational risk.

What happens if critical vulnerabilities are found?

If a critical or high-risk vulnerability is identified:

  • We notify the agreed point of contact immediately

  • We provide a clear explanation of impact and risk

  • We coordinate next steps before proceeding further

We do not wait until the final report to escalate critical findings.

What level of exploitation is performed?

Vulnerabilities are validated to the extent necessary to confirm real-world impact.

The depth of exploitation is defined in the agreed scope and rules of engagement. Destructive actions, data exfiltration, or privilege abuse beyond validation are not performed unless explicitly authorized.

How is scope controlled during testing?

Testing is strictly limited to the approved scope defined before the engagement starts.

Out-of-scope assets, third-party systems, or environments are not tested. If potential scope ambiguities arise during testing, they are clarified before proceeding.

How do you communicate during the engagement?

Before testing starts, we agree on:

  • Primary and emergency points of contact

  • Escalation paths for critical findings

  • Preferred communication channels

During testing:

  • Critical issues are escalated immediately

  • Non-critical findings are documented for reporting

After testing:

  • A final report is delivered

  • A findings presentation meeting is conducted

Do you provide remediation or retesting support?

Yes.

We provide clarification and remediation guidance after report delivery. Validation or retesting can be performed as a separate activity if required and agreed.

Does your Pentest satisfy Compliance Requirements?

A question we hear often is whether our testing can help meet compliance requirements. While this certainly requires a deeper discussion, our testing is aligned with multiple compliance frameworks that call for penetration testing, including ISO27001, PCI, HIPAA, SOC2, and others.

What penetration test documentation or reporting should I expect to receive when the test is complete? How are the findings documented?

Some of the key components of our penetration testing report include, but are not limited to:

  • Scope
  • Control Framework (e.g. OWASP, NIST, PCI, PTES, OSSTMM)
  • Timeline
  • Executive Summary
  • Technical Summary
  • Report Summary Graphs
  • Summary of Findings
  • Findings (Description, Risk explanation, Recommendations, Evidence, References, CVSS, Risk Rating Calculation)
  • Methodology and Approach
  • Risk Rating Factors
  • Tools used

One of our core goals as an organization is education. We work to make sure your team has a full understanding of your Red Teaming or penetration testing deliverables before the end of our engagement, and we remain available thereafter to conduct a follow-up retest at no additional cost.

Copyright © 2026 Seclinq. All Rights Reserved.