The focus on IT security has increased significantly in recent years. Penetration testing (pentest) and vulnerability scanning are among the most relevant measures to help protect a company’s infrastructure against cyber threats.
A penetration test, often referred to as a pentest, is an authorized, simulated cyberattack that uses specific testing methodologies to identify vulnerabilities in a system and assess its security posture. Pentests act as a security checkpoint — performed either before deployment or as part of an ongoing risk management strategy — to ensure that systems are properly protected.
Penetration testing plays a central role in new regulatory frameworks aimed at enhancing cybersecurity, particularly in high-risk industries and critical sectors. These regulations are designed to ensure that organizations actively identify and mitigate vulnerabilities in their IT systems.
Penetration testing is a requirement under the DORA regulation (Digital Operational Resilience Act), which applies to financial entities. Under DORA (Article 24), financial entities other than microenterprises must ensure, at least yearly, that appropriate tests (penetration testing among them) are conducted on all ICT systems and applications supporting critical or important functions, to validate that their digital infrastructure can withstand cyberattacks. This annual testing requirement is intended to identify and resolve security weaknesses before threat actors can exploit them, thereby strengthening the resilience of the financial sector as a whole.
A vulnerability scan is an assessment of your organization’s IT infrastructure and applications aimed at identifying potential weaknesses and security vulnerabilities. These vulnerabilities can be exploited by malicious actors — such as hackers — and may result in data loss, system downtime, or financial damage. The purpose of a vulnerability scan is to detect and prioritize such weaknesses so they can be remediated before being exploited.
Due to the risk posed by emerging cyber threats, regular vulnerability scanning is either required or strongly recommended in many security frameworks, including the CIS Controls (version 8, often called CIS18) by the Center for Internet Security. Control 7 (Continuous Vulnerability Management) calls for automated scans of externally exposed assets at least monthly and of internal assets at least quarterly. A monthly cadence ensures that newly disclosed vulnerabilities are identified and addressed in a timely manner, before they can be used in attacks. Monthly scans support continuous assessment of security posture and contribute to a proactive cybersecurity strategy, reducing the likelihood of data breaches and system outages.
One of DORA's requirements is advanced testing of digital operational resilience through Threat-Led Penetration Tests (TLPT), which designated financial entities must carry out at least every three years. In a TLPT, the organization's live production infrastructure is evaluated by simulating realistic cyberattacks, with the aim of identifying and exploiting vulnerabilities. The purpose of TLPT is to replicate the tactics, techniques and procedures of a real threat actor in order to reveal weaknesses and uncover areas where there is a risk of unauthorized access or data loss.
We have prior experience conducting similar penetration tests across various sectors and can tailor the test approach to meet your organization's needs and regulatory obligations.
Would you like to learn more about the DORA implementation process?
A penetration test provides an in-depth assessment of a system's security, while a vulnerability scan identifies known weaknesses. Vulnerability scans are recommended at least monthly and penetration tests at least annually, and involving external experts increases the effectiveness of detecting threats.
A vulnerability scan is an automated process used to identify known weaknesses in a company’s IT infrastructure and applications. It is broad in scope and designed to detect as many potential vulnerabilities as possible, typically offering a surface-level view of security posture.
In contrast, a penetration test (pentest) is a targeted and in-depth simulation of an attack performed by cybersecurity experts. It not only identifies vulnerabilities but attempts to exploit them, providing insights into how an attacker might breach the system and how the infrastructure holds up under real-world attack scenarios.
The frequency depends on your organization's risk profile, security requirements, and industry regulations.
Vulnerability scans should generally be conducted at least once per month, as they are automated and relatively easy to run. This ensures timely detection of newly discovered threats.
Penetration tests should be performed at least once a year, or more frequently if there are significant changes to the IT environment (e.g. new systems, major updates, or infrastructure changes). In high-risk sectors such as finance, annual pentesting is often a regulatory requirement (e.g. under the DORA framework) to ensure operational resilience against cyberattacks.
External cybersecurity consultants offer an objective, impartial assessment of your organization’s security posture. They bring specialized knowledge, stay updated on the latest threats and vulnerabilities, and often use advanced scanning tools that internal teams may lack access to. This increases the likelihood of identifying hidden security gaps that internal teams might overlook.
Vulnerability Scanning typically begins with a planning phase to define the scope — identifying the systems and networks to be assessed. Automated tools are then used to scan for known issues such as outdated software, missing security patches, misconfigurations, and other weaknesses. The results are analyzed, and a report is produced detailing the vulnerabilities found, their severity, and recommendations for remediation.
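The analysis-and-reporting step described above, as an added example that is not part of this page or the firm's own tooling: it takes scanner output, ranks each finding by severity and exposure, and assigns a remediation deadline. The JSON records, the field names, the weighting of internet exposure and public exploits, and the deadline in days per priority band are all constructed assumptions; real scanners use their own schemas, and the deadlines should follow your own patching policy.

```python
"""Triage of vulnerability-scan results: rank findings so the riskiest are fixed first.

Added example. The scan records below are constructed and scanner-agnostic;
field names, risk weights and SLA days are assumptions, not a standard.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed scanner output (not from any real scan).
SCAN_OUTPUT = """
[
  {"host": "web-01",   "title": "Outdated web server with known remote code execution",
   "cvss": 9.8, "internet_facing": true,  "exploit_public": true,  "patch_available": true},
  {"host": "db-01",    "title": "Missing operating system security patch",
   "cvss": 7.5, "internet_facing": false, "exploit_public": false, "patch_available": true},
  {"host": "web-01",   "title": "TLS 1.0 enabled on HTTPS listener",
   "cvss": 5.3, "internet_facing": true,  "exploit_public": false, "patch_available": true},
  {"host": "hr-app",   "title": "Default administrator credentials accepted",
   "cvss": 9.8, "internet_facing": false, "exploit_public": true,  "patch_available": true},
  {"host": "print-01", "title": "SNMP responds to public community string",
   "cvss": 3.1, "internet_facing": false, "exploit_public": false, "patch_available": false}
]
"""


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    internet_facing: bool
    exploit_public: bool
    patch_available: bool


def load_findings(text: str) -> list[Finding]:
    """Parse the (assumed) JSON schema into Finding records."""
    return [Finding(**rec) for rec in json.loads(text)]


def cvss_severity(cvss: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted for context the base score does not capture.

    Weights are assumptions: reachable from the internet adds 1.5, a public
    exploit adds 2.0. The result is a ranking score, not a CVSS score.
    """
    score = f.cvss
    if f.internet_facing:
        score += 1.5
    if f.exploit_public:
        score += 2.0
    return score


def remediation_deadline_days(f: Finding) -> int:
    """Assumed SLA: days allowed to remediate, by risk band."""
    s = risk_score(f)
    if s >= 9.0:
        return 7
    if s >= 7.0:
        return 30
    if s >= 4.0:
        return 90
    return 180  # low risk: fold into the next regular patch cycle


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; ties broken by raw CVSS, then host name."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.host))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per CVSS severity band, for the report summary."""
    return dict(Counter(cvss_severity(f.cvss) for f in findings))


def report(findings: list[Finding]) -> str:
    lines = ["host       cvss  risk  days  title"]
    for f in prioritize(findings):
        lines.append(f"{f.host:<10} {f.cvss:>4.1f} {risk_score(f):>5.1f} {remediation_deadline_days(f):>5}  {f.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    fs = load_findings(SCAN_OUTPUT)
    print(report(fs))
    print(summarize(fs))
```

Note that the two findings with an identical CVSS score of 9.8 end up with different priorities: the internet-facing web server outranks the internal HR application, which is the ordering a remediation team actually needs and which raw scanner output does not give.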
Penetration tests, on the other hand, follow a more comprehensive and targeted process. The test begins with a preparation phase in which the objectives are defined and the specific systems and applications in scope are identified. This is followed by an information-gathering phase, in which the tester collects as much data as possible about the environment, such as the network, operating systems, and existing security controls.
© 2025 Leave a Mark Consulting Group ApS
CVR: 39411458