What is a satisfactory result of penetration testing assessment?

As someone who contracts pen-testers more than I act as a pen-tester, what I'm looking for is that you did more than run Nessus/ZAP/Burp - I can do that myself (though I expect that you do that as well). I expect you watch the dataflows in the app/website and look for those loose threads that indicate there is a logic error that might be exploitable. I expect that you are able to tell me what you can glean from the outside, that you can tell me things that cause concern that couldn't be found with a scan.

I'm looking for indications that you looked at, for instance, password reset screens and considered whether the flow is exploitable. I want to see that you've considered whether privileged information is available to unprivileged users (i.e., is the app just using CSS to hide it or something daft like that).

Ideally, I've done the easy stuff before I contract you - I've done the scan, I've done the patches and I've picked all the low-hanging fruit. I hire a pen-tester for the hard stuff.

Really, if you don't manage an exploit, I want to see that you've worn your fingernails down scratching at the outside looking for a crack.
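The CSS-hiding check mentioned in the answer above, as an added example that is not part of the original post: a small stand-alone Python script that parses the HTML an unprivileged user actually receives and reports any content that is present in the response but only hidden client-side (inline `display:none` / `visibility:hidden` or the `hidden` attribute). The sample response and the marker words are constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Constructed sample: the page as served to an unprivileged user. The admin
# markup is still in the response body; only CSS hides it in the browser.
UNPRIVILEGED_RESPONSE = """
<html><body>
<div id="welcome">Welcome, user</div>
<div id="admin-tools" style="display:none">
  <a href="/admin/users">Manage users</a>
  <span>API key: ADMIN-KEY-PLACEHOLDER</span>
</div>
<div hidden>Billing export</div>
</body></html>
"""

HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenContentFinder(HTMLParser):
    """Collects text and links that sit inside client-side-hidden elements."""
    def __init__(self):
        super().__init__()
        self.depth = 0        # how many enclosing elements are hidden
        self.stack = []       # (tag, opened_hidden_subtree) for open elements
        self.hidden_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDING_CSS.search(a.get("style") or ""))
        self.stack.append((tag, hides))
        if hides:
            self.depth += 1
        if self.depth and "href" in a:          # hidden links are findings too
            self.hidden_text.append("link " + a["href"])

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed void tags (br, img) don't desync us.
        while self.stack:
            name, hides = self.stack.pop()
            if hides:
                self.depth -= 1
            if name == tag:
                break

    def handle_data(self, data):
        if self.depth and data.strip():
            self.hidden_text.append(data.strip())

def css_hidden_content(html):
    """Return every text fragment / link that the server sent but CSS hides."""
    p = HiddenContentFinder()
    p.feed(html)
    return p.hidden_text

# Constructed marker words for what counts as privileged in this sample app.
PRIVILEGED_MARKERS = ("admin", "api key", "export")

def leaked_privileged_content(html, markers=PRIVILEGED_MARKERS):
    """Hidden fragments that look privileged: served to the client, so already disclosed."""
    return [t for t in css_hidden_content(html) if any(m in t.lower() for m in markers)]
```

Run this against the response captured in an unprivileged session; any hit means the authorization decision is being made in the browser, not on the server.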


Is successful exploitation a requirement for a pen-testing job?

Following a strict definition of penetration testing, you have to actually attack the target system and keep a record of your successful and failed attempts. It's not sufficient to simply conclude that a server should be vulnerable because your fingerprinting tools revealed an outdated software version. You are explicitly taking the perspective of an attacker and have to demonstrate how the system can be penetrated.

The SANS Penetration Testing paper makes the following distinction (although definitions vary):

Pen-Testing vs. Vulnerability Assessment

[There] is often some confusion between penetration testing and vulnerability assessment. The two terms are related but penetration testing has more of an emphasis on gaining as much access as possible while vulnerability testing places the emphasis on identifying areas that are vulnerable to a computer attack. [...] A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.

That said, your average customer is probably unaware of this distinction and maybe doesn't really want you to spend too much time going "as far as you can". It might be more important to them to receive clear instructions on what exactly needs to be fixed rather than getting a list of all your root shells. You will have to find out beforehand what they effectively want to achieve by letting you test the system. Your customer should be aware that a penetration test is not equal to a comprehensive security assessment.