Name: CleanIssue
Price range: €€

Question 1

Does GDPR require a pentest?

Accepted Answer

No. GDPR requires appropriate security measures (Art. 32) but does not prescribe a specific method. A documented external review counts as acceptable due-diligence evidence. Pentests are only required by certain sector-specific frameworks (DORA, PCI-DSS).

Question 2

What is the difference between a pentest and a penetration test?

Accepted Answer

None. Two terms for the same thing. Pentest is the short English form. Penetration test is the full version. In France, the equivalent is test d'intrusion.

Question 3

What exactly is a red team?

Accepted Answer

A red team is an advanced variant of a pentest. It targets the whole organization (not just one application) by combining technical attacks, social engineering, and sometimes physical intrusion. It is reserved for mature organizations with an established security team.

Question 4

Can you do an external review first and a pentest later?

Accepted Answer

Yes, and it is the most logical sequence. The external review surfaces exposure flaws at low cost. Once those are fixed, the pentest tests resistance in depth. You avoid paying pentest rates to uncover obvious flaws.

Question 5

My cyber insurance requires a penetration test. Is an external review enough?

Accepted Answer

It depends on the policy wording. Some insurers accept a documented security audit; others explicitly require a penetration test. Check the exact language of your policy. If the term penetration test is mandated, an external review will not formally satisfy that requirement.

Criterion	External review	Penetration test (pentest)
Method	Observation and analysis from the outside, no access needed	Simulated attack with formal authorization
Common synonyms	Security audit, application audit, security review	Pentest, penetration testing, intrusion testing
Authorization required	None (read-only, public surface)	Required (contract, scope, rules of engagement)
Typical duration	1 to 5 days	2 to 6 weeks
SMB cost	EUR 1,900 to 4,200	EUR 5,000 to 25,000
What is tested	Exposure surface, APIs, auth, accessible data, configuration	Resistance to active attacks, exploitation, escalation
Production impact	Zero	Risk of controlled disruption
Report	Reproducible evidence, GDPR context, remediation	Attack paths, documented exploitation
Regulatory value	GDPR due-diligence evidence (Art. 32)	Required by DORA, PCI-DSS (advanced levels), some insurers
Red team (advanced variant)	Not applicable	Extended version: multi-vector attack (phishing + technical + physical), targets the whole organization

Audit, pentest, penetration test, red team:
what does each one actually mean?

The 4 approaches compared

Start with an external review if...

Move to a pentest if...

FAQ

Need an external review of your HR SaaS?

Audit, pentest, penetration test, red team:what does each one actually mean?

The 4 approaches compared

Start with an external review if...

Move to a pentest if...

FAQ

Need an external review of your HR SaaS?

Audit, pentest, penetration test, red team:
what does each one actually mean?