If you run a business in South Africa, you have probably been asked whether your systems are secure, by a client, an insurer, an auditor, or your own board. Penetration testing in South Africa has moved from a nice-to-have to a practical requirement, driven by POPIA, contractual obligations, and the simple reality that attackers do not discriminate by company size. But “pen testing” is often misunderstood. This guide explains what it actually involves, the choices you will face, and what a good engagement should deliver, so you can commission it with confidence.
What is VAPT, and how does it differ from a basic scan?
VAPT stands for Vulnerability Assessment and Penetration Testing. The two halves do different jobs, and the best engagements combine them.
- Vulnerability assessment is breadth-first. It systematically identifies known weaknesses across your systems (missing patches, weak configurations, exposed services) and produces a prioritised list of what could be exploited.
- Penetration testing is depth-first. A tester acts like a real attacker, chaining weaknesses together to demonstrate genuine impact, for example, turning an exposed login into access to customer records.
An automated scan alone tells you what might be wrong. A proper VAPT engagement tells you what is genuinely exploitable, how far an attacker could get, and what to fix first. At LDD, this work is carried out using a bespoke, custom-built security testing stack, combining methodical assessment with manual, attacker-style validation rather than a single push-button report.
Black-box, grey-box and white-box testing explained
One of the first decisions you will make is how much information to give the testers. This shapes the cost, depth, and realism of the engagement.
Black-box testing
Testers start with no inside knowledge, just your public footprint, much like an external attacker. It is realistic but slower, because time is spent on reconnaissance rather than depth.
Grey-box testing
Testers are given limited information, such as a standard user account or basic architecture details. This balances realism with efficiency and is the most popular choice for web applications and internal systems.
White-box testing
Testers receive full information: source code, credentials, and architecture. This is the most thorough approach and is well suited to critical systems where you want maximum coverage rather than a simulated outsider’s view.
Why South African businesses commission penetration testing
The motivations are rarely just technical. In our experience, engagements are driven by a mix of compliance, commercial pressure, and risk management.
- POPIA compliance. The Protection of Personal Information Act requires you to secure personal data with appropriate, reasonable technical measures. Testing helps you demonstrate due diligence. Non-compliance can carry penalties of up to R10 million, so the cost of inaction is real.
- Client and contract requirements. Larger clients, especially in finance, healthcare and government supply chains, increasingly require proof of security testing before they will sign or renew.
- Certification readiness. If you are pursuing ISO 27001 (system build and audit typically falling in the R65,000–R120,000 range depending on company size), testing is a natural part of demonstrating your controls work.
- Risk reduction. Finding and fixing weaknesses before an attacker does is simply cheaper than recovering from a breach.
What a good penetration testing engagement delivers
A test is only valuable if it produces something you can act on. A quality engagement should always include the following.
- A clear findings report written for both technical teams and decision-makers, with an executive summary you can hand to your board.
- Severity ratings so you know what is critical versus what is low priority, rather than a flat list that leaves you guessing.
- Remediation guidance: practical, specific steps to fix each issue, not vague advice.
- A retest to confirm your fixes actually closed the gap. A finding is not resolved until it has been verified closed.
You can see how this is structured in LDD’s approach to penetration testing and VAPT, which is built around actionable reporting rather than alarming you with a raw vulnerability dump.
How engagements are scoped and priced
Pen testing is not one-size-fits-all, and neither is its cost. Scope depends on how many systems, applications, and servers are in play, and how deep you want testers to go. Common commercial approaches include:
- Fixed-scope bundles for a defined set of systems, so you know exactly what is covered.
- Per-server testing, useful when you want to expand coverage gradually.
- Quarterly retests, which suit businesses with changing environments or ongoing compliance obligations, keeping your security posture current rather than a once-a-year snapshot.
Because every environment differs, pricing is provided on application. The right approach is to discuss your scope and request a quote (POA) so the engagement matches your actual risk and budget.
Wrapping up
Penetration testing is not a box-ticking exercise; it is a structured way to understand how a real attacker would approach your business and to close those gaps before they are used against you. By understanding VAPT, choosing the right testing depth, and insisting on clear reporting, severity ratings, remediation guidance and a retest, South African businesses can turn security testing from a grudge purchase into a genuine source of confidence, for clients, regulators, and themselves.
Frequently asked questions
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment is breadth-first: it identifies and lists known weaknesses across your systems and prioritises them. A penetration test is depth-first: a tester acts like a real attacker, chaining weaknesses together to prove genuine impact. VAPT combines both so you know not only what might be wrong, but what is actually exploitable and how far an attacker could get.
Do I need penetration testing to comply with POPIA?
POPIA does not mandate penetration testing by name, but it does require you to secure personal information with appropriate, reasonable technical and organisational measures, and to be able to demonstrate that. Testing is one of the clearest ways to show due diligence. Given that non-compliance can carry penalties of up to R10 million, many South African businesses treat regular testing as part of meeting their obligations.
Which type of testing should I choose: black-box, grey-box or white-box?
It depends on your goal. Black-box best simulates an external attacker with no inside knowledge. Grey-box, where testers get limited access such as a user account, balances realism and efficiency and is the most common choice for web apps and internal systems. White-box gives testers full information for maximum coverage and suits critical systems. LDD can help you select the right depth during scoping.
What should a penetration testing report include?
A good report includes an executive summary for decision-makers, detailed technical findings, severity ratings so you can prioritise, practical remediation guidance for each issue, and a retest to confirm your fixes actually closed the gaps. A finding should not be considered resolved until it has been verified as closed.
How often should we run penetration tests?
It varies by environment and risk. Many businesses test at least annually, but those with frequently changing systems or ongoing compliance requirements often opt for quarterly retests to keep their security posture current rather than relying on a once-a-year snapshot. LDD can advise on a cadence that fits your systems and obligations.
How much does penetration testing cost in South Africa?
Cost depends on scope: the number of systems, applications and servers in play, and how deep you want testers to go. LDD offers options such as fixed-scope bundles, per-server testing and quarterly retests. Because every environment differs, pricing is provided on application, so the best step is to discuss your needs and request a quote (POA).
Talk to LDD about how this applies to your business.
