Test yourself – before the attackers do
Article 4 of 5 in the series “When Security Fails – and Trust Breaks”
Many security programmes look good on paper.
Firewalls are in place. Policies are written. Training has been completed. But the decisive question is rarely asked: Would you detect an attack – while it was happening?
A penetration test gives you the answer – on your terms, with your team in control. It is not a sign of weakness. It is a sign of maturity.
AI tools are dramatically lowering the threshold for sophisticated attacks. What previously required expertise and months can now be automated in hours.
Across the Nordic region, only 32% of organisations feel confident in their ability to detect and respond to a cyberattack – yet 87% expect the number of attacks to increase. Many organisations believe they are well protected, without having tested it.
NIS2 sets explicit requirements for risk assessment and testing for all organisations in critical infrastructure. For leadership, this means: regular security testing is no longer a technical choice – it is a governance responsibility.
Start with what matters most: what are you actually protecting?
Before testing, you need to know what you are testing for. This is a question that surprisingly many organisations skip – and it is one of the main reasons tests produce little actionable insight.
The CIA triad provides a sound framework for this prioritisation:
- Confidentiality (C): What is the organisation’s most sensitive information – and who should under no circumstances have access to it?
- Integrity (I): Which systems and data are critical to protect against manipulation and unauthorised change?
- Availability (A): Which services and systems cannot go down under any circumstances – and for how long?
The answers to these questions determine what should be prioritised in a test – and which type of test delivers the most value for your organisation.
Penetration test or red team – what is the difference?
The terms are often used interchangeably, but they are fundamentally different in objective, method and outcome. Here is a precise comparison:
| | Penetration test | Red team |
|---|---|---|
| Objective | Identify technical vulnerabilities | Test detection and response capability |
| Method | Systematic technical testing of a defined scope | Realistic attack simulation without alerting the defence team |
| Duration | Days to a few weeks | Weeks to months |
| Outcome | Prioritised vulnerability list with remediation recommendations | Comprehensive evaluation: detection, response and resilience |
| CIA focus | Primarily confidentiality and integrity | All three – including availability under simulated attack |
| Best for | Regular testing of systems, APIs and new infrastructure | Mature security programmes wanting to test overall capability |
A useful rule of thumb: start with penetration testing. Once basic controls are in place and processes are mature, red team exercises provide the deepest insight into overall security capability.
| Maturity level | Recommended approach | Typical outcome |
|---|---|---|
| Beginner: little systematic security work | Vulnerability scanning + basic pentest | Overview of critical gaps |
| Mature: established routines and tooling | Full penetration test per domain | Validation of existing controls |
| Advanced: SOC and dedicated security function | Red team exercise | Test of detection, response and coordination |
What does a penetration test uncover in practice?
A thorough penetration test is not a checklist exercise. It is a targeted investigation of the organisation’s actual attack surface – seen from an attacker’s perspective.
In this series we have already described two critical attack vectors: AI systems with overly broad access permissions (article 2) and flat networks without segmentation (article 3). Both are recurring findings in NetNordic’s penetration tests. Here is what we typically uncover:
| Test area | What we look for |
|---|---|
| Network infrastructure | Segmentation weaknesses, exposed services, lateral movement paths |
| APIs and web applications | Authentication weaknesses, injection attacks, access control failures |
| AI systems | Prompt injection, exposed endpoints, overly broad data access |
| Cloud environments | Misconfigurations, excessive permissions, exposed resources |
| OT/ICS systems | Legacy equipment without security updates, IT/OT boundary crossings |
| Human factors | Phishing resilience, social engineering, access management |
What recurs across every test we conduct: the most critical findings rarely concern a single vulnerability in one system. They concern combinations – weak authentication here, missing segmentation there, an AI system with too-broad access. Combined, they give an attacker a complete path in.
A penetration test does not just show what is vulnerable. It shows which path an attacker would actually take – and what it would take to stop them.
Stian Lysnes, Lead Security Consultant, NetNordic
What happens after a test – and what does NetNordic deliver?
A penetration test is not complete when the report is delivered. Value is created in what happens next: prioritisation, remediation and follow-up.
NetNordic’s Offensive Security team delivers findings across three action categories – the same framework running throughout this article series:
- Organisational measures: Missing routines, unclear accountability, training that has not been carried out
- Physical measures: Access control, segmentation of network infrastructure, physical security of equipment
- Technical measures: Specific vulnerabilities with CVE references, misconfigurations, missing patches
All findings are prioritised based on actual risk to your organisation, not on the CVSS base score alone: CVSS rates the vulnerability, not the asset it sits on or what it can be chained with. A critical finding in an isolated, low-risk system is therefore prioritised lower than a moderate finding in a system handling customer data or production environments.
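The two points above, that the dangerous findings are chains rather than single vulnerabilities, and that a finding should be ranked by the risk it creates rather than by its CVSS score, can be made concrete with a small attack-path model. The script below is an added example and not NetNordic's tooling: the hosts, finding titles and scores are constructed and hypothetical. It encodes each finding as an edge from a foothold the attacker already holds to one the finding grants, enumerates every chain from the internet to a crown-jewel asset, and ranks findings by how many of those chains fixing each one removes.

```python
"""Attack-path analysis over penetration test findings.

Constructed example (not NetNordic's tooling). The findings below are
hypothetical and model the three weaknesses the article names, weak
authentication, a flat network and an AI system with over-broad access,
as edges in a reachability graph. Every chain from the internet to a
crown-jewel asset is enumerated, and each finding is ranked by how many
of those chains it breaks rather than by its CVSS base score alone.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    src: str      # foothold the attacker must already hold
    dst: str      # foothold the finding lets the attacker gain
    cvss: float   # base score as a scanner would report it


# Constructed sample findings; hosts, titles and scores are hypothetical.
FINDINGS = [
    Finding("F1", "Default credentials on isolated test server", "internet", "test-server", 9.8),
    Finding("F2", "Customer portal login without MFA, password spraying succeeds", "internet", "webapp", 6.5),
    Finding("F3", "No segmentation between DMZ and server VLAN", "webapp", "server-vlan", 5.3),
    Finding("F4", "Prompt injection in support chatbot embedded in portal", "webapp", "ai-assistant", 7.5),
    Finding("F5", "Chatbot service account can read every customer record", "ai-assistant", "customer-db", 6.1),
    Finding("F6", "Shared DB credential valid from any host in server VLAN", "server-vlan", "customer-db", 5.9),
]


def build_graph(findings):
    """Adjacency list: foothold -> findings that extend it."""
    graph = {}
    for f in findings:
        graph.setdefault(f.src, []).append(f)
    return graph


def attack_paths(findings, start, target):
    """All simple chains of finding ids that take an attacker from start to target."""
    graph = build_graph(findings)
    paths = []

    def walk(node, chain, seen):
        if node == target:
            paths.append([f.fid for f in chain])
            return
        for f in graph.get(node, []):
            if f.dst in seen:       # do not revisit a foothold; avoids cycles
                continue
            walk(f.dst, chain + [f], seen | {f.dst})

    walk(start, [], {start})
    return paths


def prioritise(findings, start, target):
    """Rank findings by how many attack paths fixing each one removes.

    Returns (finding id, paths broken, cvss) tuples, highest priority first.
    Ties are broken by CVSS so an isolated-but-severe issue still sorts above
    an isolated-and-minor one.
    """
    paths = attack_paths(findings, start, target)
    ranked = []
    for f in findings:
        broken = sum(1 for p in paths if f.fid in p)
        ranked.append((f.fid, broken, f.cvss))
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)


def cvss_order(findings):
    """The naive ordering a scanner report would give, for comparison."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    for path in attack_paths(FINDINGS, "internet", "customer-db"):
        print(" -> ".join(path))
    print("CVSS order:      ", cvss_order(FINDINGS))
    print("Path-based order:", [fid for fid, _, _ in prioritise(FINDINGS, "internet", "customer-db")])
```

With the constructed data, the 9.8-rated default credentials on the isolated test server (F1) lead nowhere and drop to the bottom, while the 6.5-rated missing MFA on the customer portal (F2) sits on both chains to the customer database and becomes the single fix that closes every path. That is the difference between a vulnerability list sorted by CVSS and a prioritised action list.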
→ Technical report with all findings, proof-of-concept and remediation recommendations
→ Executive summary tailored to leadership and the board – without technical jargon
→ Prioritised action list divided into organisational, physical and technical categories
→ Retest after remediation – to confirm that vulnerabilities have been closed
NetNordic SOC and Offensive Security – two sides of the same coin
Penetration testing and continuous monitoring are not alternative approaches. They are complementary.
NetNordic’s distinctive position is that we combine one of the Nordic region’s strongest offensive security environments with our 24/7 SOC. Findings from penetration tests directly inform detection rules in the SOC – and SOC incidents point back to structural weaknesses that should be tested.
- 2.3 min: average time to detect an incident in NetNordic SOC
- 41%: share of detections that are incidents other security solutions do not catch
More than 40% of the incidents NetNordic SOC detects are events that other security solutions do not catch. That is not coincidental. It is the result of detection rules built by a team that has itself conducted the attacks – and knows exactly what to look for.
A pentest is not a sign of weakness – it is a sign of maturity
Organisations that test regularly stand out markedly from those that do not. Not because they are more vulnerable by nature – but because they know where they are vulnerable, and can act on it.
In a threat landscape where AI tools are automating attacks and attack speed is increasing, it is no longer sufficient to assume that security holds. You have to test it.
This is what continuous testing is about – element 3 in the foundation of digital trust.
The final article in the series takes the highest-level perspective: security as a leadership responsibility. Because all the elements of the foundation require leadership that takes ownership – and a board that asks the right questions.
Get in touch for a no-obligation conversation about penetration testing or red team.
→ netnordic.com/contact
The full series: “When Security Fails – and Trust Breaks”
1. When a cyber attack becomes a reputational crisis
2. AI – The new attack surface
3. Segmentation – the network that stops the attack
4. Test yourself – before the attackers do
5. Security is a leadership responsibility
Sources and references
- NetNordic: Boss of the SOC 2025 – 3rd place globally, best in the Nordics
- NetNordic SOC statistics: 2.3 min detection, 12 min resolution, 41% unique detections
- Tietoevry: Nordic Cyber Resilience Report 2024
- NIS2 Directive (EU) 2022/2555 – risk assessment and security testing requirements
- SOCRadar: Nordic Threat Landscape Report 2024