Penetration Testing for Irish SMEs

Irish SMEs increasingly need penetration testing — for NIS2, client contracts, and insurance. Here's what it involves, what it costs, and what to do with the results.

Penetration Testing for Irish SMEs: What It Is, When You Need It, and What It Costs

Penetration testing is one of the most misunderstood services in cybersecurity. Irish SMEs are increasingly being asked for it — by clients, by insurers, by NIS2 auditors — without always being clear on what they're actually buying, what it will find, or what to do with the results.


What Penetration Testing Actually Is

A penetration test — pen test — is an authorised, simulated attack on your systems conducted by security professionals. The word "authorised" matters. A penetration tester is doing, with your permission and under a signed scope agreement, something that a real attacker would do without either. The goal is to find exploitable vulnerabilities before an attacker does.

This is different from a vulnerability scan, which is an automated tool that checks for known weaknesses. A pen test involves human intelligence: a tester looks at your systems, identifies attack paths, chains vulnerabilities together, and attempts to achieve objectives. A vulnerability scan tells you what might be wrong. A pen test tells you what a real attacker could actually do with it.


The Three Types Irish SMEs Most Commonly Need

External Network Penetration Test

Tests what an attacker on the internet can do to your business — working from outside your network, no credentials, no inside knowledge. Attempts to find and exploit vulnerabilities in your internet-facing systems: firewall, VPN, remote access tools, mail servers, websites. The most common type for Irish SMEs and a reasonable starting point.

Web Application Penetration Test

If your business has a customer-facing web application — an e-commerce platform, a client portal, an online booking system, a SaaS product — you need a web application pen test separately from an external network test. Web application testing follows OWASP Top 10 methodology and looks for injection flaws, broken authentication, insecure data exposure, and access control weaknesses.

If your application handles customer data or payments, this is not optional.

Social Engineering and Phishing Simulation

Tests your staff's ability to recognise and report malicious emails. A tester sends realistic phishing emails to your employees and measures who clicks, who enters credentials, and who reports it. Increasingly requested as part of cyber insurance renewals and a useful complement to technical testing.


When an Irish SME Actually Needs a Pen Test

NIS2 requirements. If your business is in scope for NIS2 as an Important or Essential Entity, penetration testing is strongly implied under Article 21's requirement for "appropriate and proportionate technical and operational measures." For many Important Entities, an annual pen test will become an audit expectation.

Before a new system goes live. If you are launching a new web application or externally accessible system, test it before users interact with it. Fixing a vulnerability before launch costs a fraction of what it costs after a breach.

Post-incident. After a security incident, a pen test helps confirm that the vulnerability exploited has been remediated and no similar weaknesses remain.

Client contractual requirement. Enterprise clients in financial services, healthcare, and the public sector are increasingly requiring annual pen test evidence from suppliers under NIS2 and DORA.

Insurance renewal. Cyber insurers are tightening underwriting criteria. Several Irish-market insurers now ask whether you have conducted a penetration test within the last 12 months. Those that have access better terms.


What to Expect From the Process

Scoping call. A good pen test provider will spend time understanding your environment before quoting. They need to know what systems are in scope, how many IP addresses or URLs are involved, and what your objectives are. Be wary of providers who quote without asking these questions.

Rules of engagement. Before testing begins, you will sign a scope document clearly defining what the tester is authorised to do and what is excluded. Read it carefully.

Test window. A typical external network test runs over two to five days. A web application test, depending on size, may run three to seven days. You should be able to continue operating normally.

Report. The deliverable is a written report with an executive summary readable by a non-technical director, detailed technical findings, risk ratings (Critical/High/Medium/Low), and specific remediation guidance. Ask to see a sample report before engaging a provider — report quality varies significantly.

Remediation meeting. A professional provider will walk you through the findings and answer questions from your team. This is where the test delivers value — not the document itself, but ensuring your team understands what was found and why.


Realistic Costs in the Irish Market

  • External network pen test (small SME): €3,000–€6,000
  • Web application pen test (standard business application): €4,000–€8,000
  • Combined external network + web app: €6,000–€12,000
  • Full-scope (network + web app + phishing + internal): €10,000–€20,000+

Actual cost depends heavily on scope. A micro-business with a simple web presence and five external IPs will be at the low end. A manufacturing firm with multiple sites, a customer portal, and 80 staff will be higher.

Be cautious of sub-€2,000 external tests from unverified providers. At that price point, you are often getting a rebranded automated scan with a consultant's signature on it.


Red Flags When Selecting a Provider

  • No scoping call before quoting
  • Cannot provide a sample report or reference engagements
  • Testers have no verifiable certifications (OSCP, CEH, CREST, or equivalent)
  • Report is primarily automated tool output with no manual analysis
  • No remediation meeting or support included

CREST-accredited testing firms provide an independent quality benchmark. CREST membership is a reasonable filter for larger or more sensitive engagements.


What to Do with the Report

Triage findings by severity. Critical and High findings should be addressed within days to weeks. Mediums within 30–60 days. Lows on a planned basis.

Track remediation in a simple register and retest critical findings once fixed — many providers include a retest of Critical and High findings in the original scope.

Share the executive summary with your board or senior leadership. A pen test report is a risk document, and management needs to understand what was found. If a client or insurer requested the test, they will typically want the executive summary only — agree this in advance.


James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He advises Irish SMEs on security testing and NIS2 compliance requirements.