COMMENTARY: Think you need a pen test? Fred Langston says you might be wrong.
In the cybersecurity world, penetration testing—or pen testing—has become the gold standard for evaluating an organization’s defenses. But according to Fred Langston, a pen testing veteran with over 20 years of experience, most businesses asking for a pen test don’t actually need one.
“Pen testing should be a late validation stage activity,” Langston said during a recent webcast hosted by MSSP Alert. “If you’re doing it at the beginning of your security journey, you’re wasting your money.”
Langston is a pen testing expert at Critical Insight, a managed security services provider. His experience stretches back decades, to his role as one of the authors of the HIPAA security rule.
His statement feels almost heretical in an industry where pen testing is often sold as an essential first step. But Langston’s argument is hard to ignore: The value of pen testing lies in testing the strength of existing defenses—not in identifying basic vulnerabilities.
Why Pen Tests Are Often Premature
Langston described a scenario he sees all too often: A company, eager to appear secure, asks for a pen test without understanding what it actually entails. “When someone says, ‘I need a pen test,’ my first question is always, ‘Why do you think you need a pen test?’” he said.
For many organizations, pen tests are driven by compliance pressures or peer influence rather than true readiness. “They’ll say, ‘Well, my peers are doing it,’ or ‘My insurance company asked for it.’ But what they really need is a vulnerability assessment or a baseline risk assessment,” Langston explained.
This misunderstanding can lead to wasted resources. “If you haven’t done the groundwork—vulnerability assessments, remediation, basic cyber hygiene—a pen test won’t tell you anything you don’t already know,” he said.
The Irony of Pen Test Popularity
Langston pointed to an ironic driver behind the pen testing craze: its portrayal in media. “It’s the one thing people associate with cybersecurity. You see it on TV—hackers in hoodies breaking into systems. That’s what people think security is,” he said.
But Langston warns that real-world pen testing is far more nuanced—and far less glamorous. “It’s not just about breaking in. It’s about understanding the risks, goals, and vulnerabilities in a way that’s actionable for the organization,” he said.
A Pen Testing Team? Think Again.
For MSSPs and MSPs looking to add pen testing to their offerings, Langston delivered a stark reality check: Building a pen testing team isn’t as simple as hiring a few certified testers.
“Pen testing isn’t one skill—it’s five or six completely different disciplines,” Langston explained. “Network testing, web app testing, Wi-Fi testing, social engineering, and physical security all require different skill sets.”
The costs of building such a team can be overwhelming, particularly for smaller providers. “You’re talking about hiring expensive, highly specialized staff, and then hiring backups for when they’re on vacation,” Langston said. “And you can’t just hire newly certified testers. Experience is the greatest teacher in this field.”
For those just starting out, Langston recommended a more gradual approach. “Start with network-based penetration testing and add other components—like web app testing—over time. And consider outsourcing or partnering before committing to a full team,” he advised.
Liability: The Elephant in the Room
Langston also highlighted a critical and often overlooked aspect of pen testing: liability. “This is where most people starting out fail to protect themselves,” he said.
Penetration testing comes with significant risks. “You’re effectively attacking a client’s environment, and the potential for disruption is real,” Langston explained. Without proper insurance, contracts, and training, MSSPs could find themselves on the hook for millions in damages.
“Your contracts need specific language for pen testing, including clauses that limit liability and protect against inadvertent errors,” Langston said. He also stressed the importance of clear rules of engagement. “You need to outline exactly what you’re authorized to do, when you’re doing it, and who you’re notifying if something goes wrong.”
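The rules of engagement Langston describes (what you are authorized to do, when, and whom you notify) can be enforced in code before a tester touches anything, so that an out-of-scope host or an action outside the agreed window is refused rather than discovered afterwards. The following is an added illustration, not code from Critical Insight or MSSP Alert; the client name, network ranges, hostnames, testing window and contact string are constructed sample values, and the technique labels and function names are assumptions made for the example.

```python
"""Rules-of-engagement (RoE) scope gate, added as an illustration.

Not code from Critical Insight or MSSP Alert. It encodes a hypothetical,
client-signed authorization (constructed sample data) and checks a proposed
test action against it before anything touches a client system:
  - the target must fall inside an authorized network range or named host
  - the technique must be on the list the contract allows
  - the timestamp must fall inside the authorized testing window
A refused action yields a notice naming the agreed escalation contact.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    client: str
    authorized_networks: tuple[str, ...]   # CIDR blocks the client signed off on
    authorized_hosts: tuple[str, ...]      # named hosts, e.g. a staging web app
    allowed_techniques: frozenset[str]     # assumed labels, e.g. "port-scan"
    window_start: datetime                 # timezone-aware, UTC
    window_end: datetime                   # timezone-aware, UTC
    emergency_contact: str                 # who is told if something goes wrong


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple[str, ...] = ()


# Constructed sample authorization: TEST-NET-3 range and an example.com host.
SAMPLE_ROE = RulesOfEngagement(
    client="Example Clinic (constructed)",
    authorized_networks=("203.0.113.0/24",),
    authorized_hosts=("staging.example.com",),
    allowed_techniques=frozenset({"port-scan", "web-app"}),
    window_start=datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 2, 6, 0, tzinfo=timezone.utc),
    emergency_contact="roe-contact: [placeholder: client security lead, on-call phone]",
)


def check_action(roe: RulesOfEngagement, target: str, technique: str,
                 when: datetime) -> Decision:
    """Return Decision(allowed=True) only if every RoE condition holds."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp for the window check")
    reasons: list[str] = []

    # 1. Scope: an IP must sit inside an authorized CIDR; a hostname must be
    #    explicitly listed. Anything else is out of scope, no matter how
    #    interesting it looks during the engagement.
    try:
        addr = ipaddress.ip_address(target)
        in_scope = any(addr in ipaddress.ip_network(n) for n in roe.authorized_networks)
    except ValueError:  # not an IP literal, treat as a hostname
        in_scope = target.lower() in {h.lower() for h in roe.authorized_hosts}
    if not in_scope:
        reasons.append(f"target {target} is not in the authorized scope")

    # 2. Technique: only what the contract language permits.
    if technique not in roe.allowed_techniques:
        reasons.append(f"technique '{technique}' is not authorized")

    # 3. Timing: only inside the agreed window.
    if not (roe.window_start <= when <= roe.window_end):
        reasons.append(f"{when.isoformat()} is outside the authorized window")

    return Decision(allowed=not reasons, reasons=tuple(reasons))


def refusal_notice(roe: RulesOfEngagement, target: str, decision: Decision) -> str:
    """Text a tester records (and escalates) when an action is refused."""
    return (f"REFUSED for {roe.client}: target={target}; "
            f"reasons={'; '.join(decision.reasons)}; notify {roe.emergency_contact}")


def demo() -> dict[str, Decision]:
    """Run four representative checks against the constructed sample RoE."""
    in_window = datetime(2024, 6, 1, 23, 0, tzinfo=timezone.utc)
    after_window = datetime(2024, 6, 2, 7, 0, tzinfo=timezone.utc)
    return {
        "in_scope_scan": check_action(SAMPLE_ROE, "203.0.113.17", "port-scan", in_window),
        "out_of_scope_ip": check_action(SAMPLE_ROE, "198.51.100.5", "port-scan", in_window),
        "unauthorized_technique": check_action(
            SAMPLE_ROE, "staging.example.com", "social-engineering", in_window),
        "outside_window": check_action(SAMPLE_ROE, "203.0.113.17", "web-app", after_window),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, "ALLOWED" if decision.allowed else refusal_notice(SAMPLE_ROE, label, decision))
```

The gate is deliberately conservative: every condition is evaluated and every failing one is reported, so a refusal explains itself in the engagement log rather than forcing the tester to guess which clause was violated. The same structure extends naturally to the notification clause Langston mentions, by recording who was contacted and when alongside each refusal.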
The risks extend beyond digital systems. “If you’re testing in environments with sensitive data, like medical records, even an accidental exposure can trigger reportable incidents,” he warned.
The Future of Pen Testing: It’s a Program, Not a Project
Langston argued that organizations need to rethink how they approach pen testing. “Pen testing isn’t a one-and-done service. It should be part of a larger security program,” he said.
This includes regular follow-ups to validate remediation efforts. “We give clients 90 days to fix what we found, and then we go back to test whether it’s really resolved,” he explained. This validation process not only ensures ongoing security but also demonstrates accountability to regulators and stakeholders.
For organizations with highly dynamic environments—like those deploying new applications—Langston recommended on-demand pen testing to assess risks as they emerge. “Every major change is a new game. You need to test it before it goes live,” he said.
“Everyone’s a Target”
When asked whether small businesses need pen testing, Langston’s response was unequivocal. “Yes,” he said. “The bad guys don’t care how big or small you are. If you have money, they want it. There’s no hiding from that.”
Small businesses, however, often face unique challenges, from limited budgets to regulatory pressures. Langston pointed to the Gramm-Leach-Bliley Act and FTC safeguarding rules as key drivers for small businesses to adopt pen testing. “If you’re handling financial records, you’re on the hook for these requirements, whether you realize it or not,” he said.
Final Thoughts: Know Your Client, Know Your Limits
For Langston, success in pen testing comes down to two things: understanding your client and knowing your own capabilities.
“Know your ideal customer profile and build your services around it,” he advised. “If your clients are small businesses, focus on what they need and what they can afford. Don’t try to be everything to everyone.”
He also encouraged MSSPs to seek out collaboration. “The cybersecurity ecosystem is incredibly collaborative. There’s no shame in partnering or outsourcing as you grow,” he said.
Langston’s message is clear: Pen testing is an essential tool—but only when used at the right time, for the right reasons. And for MSSPs and MSPs, building a sustainable practice means thinking strategically, acting carefully, and always keeping the client’s best interests in mind.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.