Sales and Penetration Tests
When penetration testing becomes a sales tool, and how to get it right.
Glenn Atter
Fractional CTO
1. Introduction
A penetration test is a proactive cybersecurity exercise where ethical hackers simulate real-world attacks to uncover vulnerabilities before malicious actors can exploit them. That definition is true, but it misses a commercial reality: penetration tests are often used as sales collateral.
In an era of ransomware, data breaches, and supply-chain attacks, regular penetration tests remain essential for improving defences, supporting compliance, and reducing financial and reputational damage. The problem starts when the sales process changes the incentives around the test.
2. Potential conflicts
2.1 Clean reports
A clean report is a penetration test report with no finding rated above medium severity, which makes it easy to hand directly to a prospect without raising a red flag. The original goal of a penetration test is genuine security improvement. In a sales context, the pressure to achieve a clean report can narrow the scope away from higher-risk areas such as admin portals, authentication flows, or internal services, so the report looks clean only because the parts most likely to produce findings were never tested.
That turns penetration testing into a checkbox exercise: a marketing tool rather than a security investment. Testers are ethically bound to report their findings, but commercial pressure can still create tension when clients request exclusions or re-scoping.
2.2 Sensitive information exposure
Reports often contain exploitation paths, vulnerabilities, configuration weaknesses, host names, and enough system detail to help an attacker if the report is mishandled. Low-severity findings may be relatively safe to share. High or critical findings, especially ones that are still open, create a much greater risk, but withholding the report can create friction with the prospective customer.
That is the core conflict: security integrity pushes towards careful handling and remediation, while business expediency pushes towards quick disclosure and reassurance.
2.3 Ethical and legal tensions
Penetration testing ethics emphasise independence, accuracy, and avoiding harm. When tests are co-opted for sales purposes, testers may feel pressure to produce a favourable outcome, weakening objectivity.
Sharing reports during formal due diligence under an NDA is common and often necessary. Distributing detailed reports earlier in the sales cycle is riskier: prospects may question whether negative findings are being hidden, and companies may face liability if a leaked report later contributes to an attack.
2.4 Shift from security to marketing
The core requirement of penetration testing is improving resilience and meeting compliance standards. As a sales enabler, it can be reframed as marketing collateral. That can lead to shallow practices, such as presenting automated scan results as if they were comprehensive penetration tests.
3. Can conflicts be mitigated?
Yes, but only if integrity is prioritised over sales pressure. Companies should avoid forcing clean reports. Narrowing scope to minimise findings defeats the purpose of a penetration test.
Good testing is resource-intensive. Deep tests take time, and re-tests may be limited. Even after remediation, a report still discloses that an issue once existed, which may not align neatly with sales needs. Critical issues can also appear in mature systems if a different tester or methodology finds something previously missed.
- Use one-off, limited-scope tests for new or updated features.
- Use those tests as interim quality checks between annual full-scope tests.
- Keep annual full-scope penetration tests for a comprehensive view of security posture.
- Prepare customer-safe summaries that explain scope, date, severity, and status.
- Track findings to closure with owners and dates.
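The last two points are a small data-handling problem: keep the internal record with everything the tester found, and generate a separate view for prospects that carries scope, date, severity counts, and status but no exploitation detail. The following Python is an added example, not code from the original post; it assumes a simple in-house findings tracker (the `Finding` fields, identifiers, and sample findings are all constructed for illustration) and shows the summary generation and the closure checks together.

```python
"""Customer-safe summaries from an internal findings tracker (added example).

The internal record keeps everything the tester reported. The summary
handed to a prospect is built from it and never copies the fields that
would help an attacker: affected assets, reproduction steps, exploit notes.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import json

SEVERITIES = ("critical", "high", "medium", "low", "informational")
STATUSES = ("open", "remediated", "accepted")


@dataclass
class Finding:
    """One finding as tracked internally (hypothetical schema for this example)."""
    ident: str
    title: str
    severity: str
    status: str                 # one of STATUSES
    owner: Optional[str]        # who is accountable for closing it
    due: Optional[date]         # agreed remediation date
    affected_assets: list = field(default_factory=list)   # sensitive
    reproduction: str = ""                                # sensitive
    exploit_notes: str = ""                               # sensitive


# Constructed sample data, not real findings.
SAMPLE_FINDINGS = [
    Finding("PT-2025-001", "Session fixation on admin portal", "high", "remediated",
            "app-team", date(2025, 10, 15), ["admin.example.invalid"],
            "Set JSESSIONID before login; cookie survives authentication.",
            "Chained with open redirect to steal an admin session."),
    Finding("PT-2025-002", "Verbose stack traces on error pages", "low", "open",
            "platform-team", date(2025, 12, 1), ["api.example.invalid"],
            "Request /v1/orders/%00 and observe framework version in body.", ""),
    Finding("PT-2025-003", "No rate limit on password reset", "medium", "open",
            None, None, ["www.example.invalid"],
            "Submit 500 reset requests in 60 s; all are accepted.", ""),
]


def untracked(findings):
    """Open findings that cannot be tracked to closure: no owner or no due date."""
    return [f.ident for f in findings
            if f.status == "open" and (not f.owner or f.due is None)]


def overdue(findings, today):
    """Open findings whose agreed remediation date has passed."""
    return [f.ident for f in findings
            if f.status == "open" and f.due is not None and f.due < today]


def customer_safe_summary(findings, scope, test_date, tester):
    """Build the view a prospect may see: scope, date, counts by severity and
    status, highest open severity. Sensitive fields are never read here."""
    counts = {s: {st: 0 for st in STATUSES} for s in SEVERITIES}
    for f in findings:
        if f.severity not in counts or f.status not in STATUSES:
            raise ValueError(f"{f.ident}: bad severity/status {f.severity!r}/{f.status!r}")
        counts[f.severity][f.status] += 1
    highest_open = next((s for s in SEVERITIES if counts[s]["open"] > 0), None)
    return {
        "scope": scope,
        "test_date": test_date.isoformat(),
        "tester": tester,
        "findings_by_severity": counts,
        "highest_open_severity": highest_open,
        "all_findings_closed": highest_open is None,
    }


def summary_leaks_detail(summary, findings):
    """Sanity check before release: the serialised summary must not contain
    any asset name, reproduction text or exploit note from the record."""
    text = json.dumps(summary)
    for f in findings:
        for secret in [*f.affected_assets, f.reproduction, f.exploit_notes]:
            if secret and secret in text:
                return True
    return False


if __name__ == "__main__":
    summary = customer_safe_summary(SAMPLE_FINDINGS, "External web application, authenticated and unauthenticated",
                                    date(2025, 9, 30), "Example Testing Ltd (hypothetical)")
    print(json.dumps(summary, indent=2))
    print("untracked:", untracked(SAMPLE_FINDINGS))
    print("overdue as of 2025-12-10:", overdue(SAMPLE_FINDINGS, date(2025, 12, 10)))
```

The two checks are the useful part: `untracked` flags a finding that has no owner or date and therefore will never reach closure, and `summary_leaks_detail` is a release gate that catches an asset name or reproduction step copied into the prospect-facing document by mistake. Note that the summary still discloses that a high finding once existed, which is the point made above about remediated findings.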
4. Summary
Penetration testing is not inherently in conflict with sales, but using reports as sales tools introduces ethical, security, and legal tensions. The shift from remediation to optics can weaken the value of testing, expose sensitive information, and create mistrust.
Do not alter scope simply to achieve a clean report. Recognise that some level of risk is unavoidable in full-scope tests. Use targeted interim tests on new or updated code to reduce the likelihood of major findings during annual tests. Penetration tests should remain a tool for risk reduction, not just a sales checkbox.