You finally did the right thing, you hired a penetration testing firm to find security holes before the criminals do.
You expected a few minor issues, maybe an outdated plugin here, a weak password there.
Then the report arrived, 47 pages of findings, critical vulnerabilities, high-risk exposures, and a summary that said "failed to meet minimum security requirements".
Your heart sinks, your compliance deadline is approaching, your leadership is asking questions, and you have no idea how this happened.
Here is the truth, most businesses fail their first penetration test, not because they are careless, but because they do not know what to expect.
Let me show you the most common reasons for failure and how to pass next time.
The Hard Reality
Before we dive into the reasons, let me share what we see in the field
|
Statistic |
Percentage |
|
Businesses that fail first penetration test |
75-85% |
|
Average number of critical findings |
5-15 |
|
Average time to remediate |
6-8 weeks |
|
Businesses that repeat the same mistakes |
40% |
These numbers are not because businesses are lazy, they are because penetration testing reveals blind spots that most organizations do not know they have
The good news, once you know the common failure patterns, you can fix them before the test even starts
Reason 1: Missing Critical Security Patches
This is the number one reason businesses fail, by a wide margin
What we find:
1. Servers missing patches released 6-12 months ago
2. Known vulnerabilities with public exploits (CVSS 9.0+)
3. Outdated WordPress Plugin with Remote Code Execution Vulnerabilities
4. Outdated Software Already in Production
Reasons for this:
Many organizations have good patch process outlined in documentation, however they experience delays starting patches due to the fact that it might require a reboot, may impact custom built applications, or there is no available maintenance window.
Attackers understand that most organizations have delayed how fast they apply patches therefore they continuously scan for vulnerabilities not being patched.
Fixing these issues:
1. Implement automated patching solutions
2. Create risk priority list to address critical patches
3. Utilize vulnerability scanning to complete an inventory of missing patches
4. Create monthly maintenance windows
5. Use WAF or Virtual Patching techniques on legacy systems
Reason 2: Default/Weak Credentials
All penetration tests result in finding weak passwords.
What do we find:
1. Admin credentials of admin/password or admin/admin
2. Network devices using default username/password (routers, switches and firewalls).
3. Service accounts that have passwords which never expire
4. Shared credentials between multiple users
5. Passwords posted in breach databases (password reuse)
Reason for Issue:
Default credentials enable quick setup and are likely to be overlooked, service accounts can be set up once and then left alone indefinitely, shared credentials may be much more convenient for everyone on a team to use, but they’re un-auditable.
How to Solve Issue:
1. Change any default credentials before moving to production.
2. Employees should have a password manager application installed on their laptop/workstation.
3. You should set password complexity/rotation policies.
4. Review service accounts on a quarterly basis.
5. Use Multi-Factor Authentication (MFA) everywhere possible
A penetration test will find these within minutes, Red Secure Tech's testing methodology includes automated credential stuffing against all login portals
Reason 3: Open and Unnecessary Ports
Your firewall is configured to allow specific traffic, but over time, rules accumulate and no one remembers why
What we find:
1. Remote Desktop Protocol (RDP) open to the entire internet
2. All IP addresses can SSH into your network
3. Database ports have been configured as open through the Internet (3306, 1433, 5432).
4. Legacy VPN Concentrators still running and still allowing connections.
5. Unencrypted (TLS) accessibility to FTP Servers is possible.
Why this happens:
1. A developer has requested access to your network for development purposes.
2. A vendor has requested that you open up a port to access their appliance.
3. An exception (temporary rule) was created but never removed.
4. The regular reviews of firewall rules are not performed.
How to fix:
1. Firewall rules should be reviewed every three months.
2. Remote administrative access should be limited to VPNs only.
3. Utilize jump hosts as opposed to exposing RDP/SSH directly to the internet
4. Close any ports that do not have a documented business need
5. Implement geo-blocking for those countries that you do not do business with.
Reason 4: No Web Application Firewall (WAF)
If you do not have a WAF filtering out malicious traffic before it reaches your application, your applications are subject to a significant number of automated attacks.
Some of the common vulnerabilities we have had to work with due to not having a WAF:
1. SQL injection attacks that would have been blocked by a WAF;
2. Cross Site Scripting (XSS) attacks getting through to the web application;
3. Successful directory traversal attacks; and
4. Numerous brute force attacks occurring with no rate limits.
Why does this occur?
Costs associated with WAFs, complexity/configuration we do not have staff resources or security experts capable of leveraging a WAF; and some companies that believe their code is safe enough without a WAF.
No code is 100% safe no matter how good the development team is.
How to fix:
1. You have the option of an on-premise or cloud-based WAF (Web Application Firewall) solution.
2. During the stage one phase, you will want to use Block Mode against the most prevalent attack methods (OWASP Top 10).
3. It is highly recommended that you configure rate limits for your API and for the login attempt endpoints.
4. Consistent monitoring of WAF Logs for possible attacks will be helpful.
5. If your organization does not have sufficient manpower to manage your WAF, you may consider using a Managed WAF Service.
Reason 5: Unsecured Admin Interfaces
Your administrator interface is your most prized possession, and attackers understand this and will seek it out until they discover you.
What we find:
1. The administrator login pages have predictable URL paths (example - /administrator, /admin, /wp-admin)
2. There are no tangible rate limiting features for administrator login attempts;
3. There are no multi-factor authentication features for administrator accounts;
4. Administrator interfaces can be reached from any IP address; and
Default username for administrators are: ‘administrator’, ‘root’ and ‘admin’.
Why this happens:
Convenience is prioritized by administrators rather than security when implementing their features; therefore, they prefer to have access to their account from multiple locations, whilst having two-factor authentication is seen as an inconvenience.
How to fix:
1. Change admin interface paths (non-predictable);
2. Restrict administrator access to certain IP address (such as the office or via VPN)
3. Enforce MFA for every administrator
4. Implement account lockout after failed attempts
5. Use a separate, secure admin domain
Reason 6: Unencrypted Posture / Weak Communication
Data should always be encrypted while in transit but there are still plenty of examples of unencrypted or weakly protected forms of data.
We find that the following items exist:
1. HTTP sites without a redirect to HTTPS,
2. Mixed content where HTTPS pages are requesting resources using HTTP,
3. TLS 1.0 or 1.1 enabled,
4. Unsecured cipher Suites,
5. Lack of HSTS Headers
Why does this occur:
1. HTTPS was set up years ago and forgotten,
2. Old clients require that old versions of TLS be enabled,
3. After an SSL certificate was set up, the clients never check the SSL Labs score.
How do I fix it?
1. Make sure any HTTP traffic you have is forwarding properly to HTTPS (aka SSL)
2. Make sure that TLS v1.0 and v1.1 are no longer allowed
3. Use new ciphers, like AES-GCM and/or ChaCha20 for all transactions
4. Enable HSTS and include a "preload" header as part of your implementation
5. Make sure you run regular tests against your own site using SSL Labs testing tools
Reason 7: Sensitive Data Exposure in Error Messages
Error messages may help troubleshoot problems however; they could also aid in providing attackers with the information needed to target your infrastructure.
What we have found:
1. Some database errors provide enough detail about the layout of tables.
2. Some stack traces include the software's version and file path information.
3. Many times, developers will enable debug mode to test their code then forget to disable debug mode afterwards.
4. Some APIs send the client more information than is actually necessary.
Why this happens:
1. Developers frequently leave debug mode turned on during production.
2. Error handling was an afterthought to the development process.
3. Development and production environments are identical.
How To Fix This Problem:
1. Make certain that debugging mode is disabled in your production systems.
2. Make certain that all exceptions are logged to a custom error page.
3. Make sure that the error messages log the exception to a file, and do not expose that information to the end-user.
4. Review your API responses to ensure no excess information is returned.
5. Implement appropriate exception handling practices.
Reason 8: Testing Backup and Recovery
This vulnerability won't cause an actual attack, but if an attack happens, it will ensure that the attack will be disastrous.
We find that:
1. You have backups, but they have never been tested.
2. You have backups saved on the same server that serves production.
3. You have no backups that are saved offline, and you have no immutable backups.
4. You have not documented your recovery procedures.
5. You do not know how long it will take to restore your backup.
Why does this happen?
Backups are set up once and don't get tested. Testing a backup means that a company needs to schedule downtime, and no one wants to do that. The only assurance that you will have regarding the backup working is that it worked the last time.
How to fix this issue:
1. You should test the restoration of your backup once every quarter.
2. You should maintain offline and immutable backups of your data.
3. You should write down the steps to recover your data in an easily understandable way.
4. You should develop Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics.
5. You should develop Incident Response scenarios and practice those responses.
Reason 9: No Monitoring or Logging
If you don't know an event happened; you won't take action to address it.
What we find:
Centralized logging has not been added, there is no review of logs looking for unusual activity, and there are no alerts set up for failed logins, or any attempt to elevate privileges. The time that logs must remain available for review for investigative purposes are far too short. Additionally, logging data should be protected from tampering.
Why This Exists:
One of the primary reasons that logging is under-resourced is that it's considered a "nice to have" not a must-have. Also, SIEM solutions are costly and few users have the will to look at logs to gain insight.
How to Fix:
1. Create a centralized logging capability, using an ELK stack model, Splunk or cloud-based SIEM
2. Create alerts for critical activities, like failed logins and attempt to elevate privileges
3. Define log retention for investigative purposes based on compliance requirements
4. Logging Data Should Not Be Modified/Deleted
5. Log Reviews and/or Automated Analysis of Logs Should Be Performed Weekly
Reason 10: Security Header Missing
Security headers are basic HTTP response headers that control how the browser should function; these are straightforward to implement and are highly effective.
What we find:
1. Content-Security Policy (CSP) was not provided.
2. No HSTS header (incorrect configuration)
3. Missing X-Frame-Options (clickjacking risk)
4. Missing X-Content-Type-Options (MIME sniffing risk)
5. Missing Referrer-Policy
Why it Happen:
Outside of the security circle, security headers are not commonly known; developers simply do not consider them, hence often are left out of their checklist
How to Fix:
The Use of security headers on your web server:
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Test your headers using securityheaders.com
How to Pass Your Next Penetration Test
Now that you know the common failure points, here is your action plan:
One Month Before the Test
|
Task |
Time Needed |
|
Run internal vulnerability scan |
2 hours |
|
Review and patch critical vulnerabilities |
1 week |
|
Verify backup integrity |
2 hours |
|
Review firewall rules |
4 hours |
|
Check for default credentials |
2 hours |
|
Enable security headers |
1 hour |
One Week Before the Test
|
Task |
Time Needed |
|
Inform staff about scheduled test |
30 minutes |
|
Disable non-essential accounts |
2 hours |
|
Review change management logs |
1 hour |
|
Test recovery procedures |
4 hours |
|
Verify monitoring is working |
1 hour |
During the Test
|
Do |
Do Not |
|
Make your tester's job easy (provide required accounts) |
Interfere with the test |
|
Monitor for false positives |
Panic about findings |
|
Document everything |
Argue with findings |
|
Ask questions |
Change systems during active test |
After the Test
|
Priority |
Action |
|
1 |
Address critical and high findings immediately |
|
2 |
Create remediation plan for medium findings |
|
3 |
Schedule retest for critical fixes |
|
4 |
Update security policies based on findings |
What If You Already Failed
Failing a penetration test is not the end of the world, it is a starting point
Do not:
1. Ignore the findings
2. Blame the tester
3. Request a "pass" for compliance (this is fraud)
4. Patch only the test findings (attackers will find what the test missed)
Do:
1. Review every finding with your team
2. Prioritize by real business risk
3. Create a remediation timeline
4. Schedule a retest
5. Use the experience to improve your security program
If your website was compromised during or before the test, Red Secure Tech offers emergency incident response with a 4-hour first response time and a no fix, no charge policy
The Compliance Reality
For many businesses, penetration testing is not optional, it is required for compliance
|
Standard |
Requirement |
|
PCI DSS |
Annual penetration test after significant changes |
|
ISO 27001 |
Regular penetration testing based on risk assessment |
|
GDPR |
Testing is part of "appropriate technical measures" |
|
Cyber Essentials Plus |
External vulnerability scan (not full pentest) |
|
SOC 2 |
Annual penetration test for Type 2 |
Failing a compliance-required test means your compliance status is at risk, which can lead to fines, contract loss, or certification revocation
How to Prepare for Your First Penetration Test
If you have never done a penetration test before, here is what you need to know
Step 1: Understand the scope
What systems are included, what is out of bounds, what are the rules of engagement, do not assume anything
Step 2: Clean up the obvious issues
Run vulnerability scans, patch critical issues, change default credentials, close unnecessary ports
Step 3: Prepare your team
Tell IT, security, and leadership about the test, ensure they understand they should not interfere
Step 4: Set expectations
A penetration test will find issues, that is the point, the goal is not a "pass," the goal is a list of things to fix
Step 5: Budget for remediation
Testing is useless if you cannot fix what is found, allocate time and money for fixes before the test
Red Secure Tech provides transparent pricing for penetration testing, no hidden fees, no surprises
The Bottom Line
Most businesses fail their first penetration test, not because they are incompetent, but because they underestimate what a real attacker can do
The good news, all of the common failure points are fixable
Patch your systems, secure your credentials, close unnecessary ports, add a WAF, protect your admin interfaces, encrypt everything, handle errors properly, test your backups, implement logging, and add security headers
None of this requires genius-level security knowledge, it requires discipline and attention to detail
Your first test might fail, your second test will pass
That is not failure, that is progress
FAQ Section
What percentage of businesses fail their first penetration test?
Industry data shows 75-85% of businesses fail their first penetration test, meaning they have at least one critical or high-risk vulnerability that could lead to a breach, the most common failures are missing patches, weak passwords, and exposed administrative interfaces
Is failing a penetration test bad for compliance?
Yes, if the test was required for compliance (PCI DSS, ISO 27001, SOC 2), failing means you cannot demonstrate adequate security controls, you may need to remediate and retest before you can pass the compliance audit
How much does it cost to remediate penetration test findings?
Remediation costs vary widely, some findings (security headers, error handling) cost nothing to fix but require developer time, others (replacing end-of-life software, purchasing a WAF) have direct costs, budget 20-40% of the test cost for remediation on average
Can I prepare for a penetration test without hiring a consultant?
Yes, run internal vulnerability scans, patch critical issues, review firewall rules, change default credentials, and implement basic security headers, however, a professional pre-test assessment is recommended because internal teams often have blind spots about their own environments
How soon after failing should I schedule a retest?
Schedule a retest within 30-60 days of receiving findings, this gives your team time to remediate without losing momentum, most businesses can address critical and high findings within 2-4 weeks, then retest to confirm fixes
