
Sales and Penetration Tests

  • Glenn Atter
  • Nov 24, 2025
  • 4 min read

1. Introduction

If you ask anyone about a penetration test, they’ll likely respond with something along the lines of:

A penetration test is a proactive cybersecurity practice where ethical hackers simulate real-world attacks on systems, networks, applications, or even physical infrastructure to uncover vulnerabilities before malicious actors can exploit them.

They may add:

In an era of escalating cyber threats—such as ransomware, data breaches, and supply chain attacks—performing regular penetration tests is essential for organisations to strengthen their defences, ensure compliance, and minimise financial and reputational damage.

All of this remains true today.

However, penetration tests are increasingly being used as part of the sales process. Their inclusion in sales introduces business pressures that may undermine the original objective of the test by incentivising superficial testing or risking sensitive disclosures. In this post I discuss these conflicts and propose ways to mitigate them.

2. Potential Conflicts

2.1. “Clean Reports”

A ‘Clean Report’ is a penetration test report that shows no issue greater than a medium or low severity, essentially a report that can be passed directly to a prospect without raising a red flag.

The original goal of a penetration test was to drive genuine security improvements. In a sales context, the drive to obtain a ‘Clean Report’ might result in narrowing the scope of the penetration test to exclude high-risk areas (such as admin portals that will not be accessible to customers). The aim shifts from risk reduction to producing a favourable report.

This turns penetration testing into a checkbox exercise, a marketing tool rather than a security investment. Testers are ethically bound to report all findings, but commercial pressures can create tension, especially when clients request exclusions or re-scoping. Industry discussions repeatedly highlight this "box-ticking" problem, where compliance or sales-driven testing prioritises optics over substance.

2.2. Risk of Sensitive Information Exposure

Penetration test reports typically contain detailed exploitation paths, vulnerabilities, and configuration weaknesses. Sharing them in a sales process (for example, with prospects during due diligence) introduces the risk that this information is leaked, handing attackers a "cheat sheet" and conflicting with penetration testing's protective intent. Exposing un-remediated issues could lead to a breach, reversing the test's purpose of risk reduction.

  • If a report contains only low-level issues, sharing it poses minimal risk.

  • If a report contains high or critical issues, the risk of sharing it is substantial, yet withholding it may block the sale to a prospective client.

This interplay creates a conflict between security integrity and business expediency.

2.3. Ethical and Legal Tensions

The ethics of penetration testing emphasise independence, accuracy, and the duty to avoid harm. When tests are co-opted for sales purposes, testers may feel pressured to deliver a "favourable" outcome, undermining the objectivity of their work.

While sharing reports during formal due diligence (under NDAs) is common and often necessary, distributing them earlier in the sales cycle is riskier. Without mutual trust, this practice can backfire: prospects may question whether negative findings are being hidden, and companies could face liability if leaked reports later contribute to an attack.

2.4. Shift from Security to Marketing Focus

The core requirement of penetration testing has always been improving resilience and meeting compliance standards. When used as a sales enabler, however, penetration tests risk being reframed as marketing collateral.

This can lead to shallow or misleading practices; for example, presenting results from automated scans as if they were comprehensive penetration tests. Such dilution reduces the value of penetration testing and erodes trust in its findings.

3. Can Conflicts be Mitigated?

The short answer: yes, but only if integrity is prioritised over sales pressure.

  • Companies should avoid forcing “Clean Reports”. Narrowing scope to minimise findings defeats the purpose of a penetration test.

  • Recognise that good penetration testing is resource-intensive. Deep tests take time, and re-tests are often limited (some firms cap re-tests at 10 issues, even if more were originally found). This can result in “fixed” issues still appearing as unresolved in reports.

  • Even after remediation, reports disclose that issues once existed—something that may not align neatly with sales needs.

Importantly, critical issues may always appear, even in mature systems. A different tester or methodology might uncover something missed previously. This risk cannot be fully eliminated.

A pragmatic approach is to:

  1. Perform one-off, limited-scope penetration tests focused on new or updated features where the risk of issues is highest.

  2. Use these tests as interim quality checks between annual full-scope penetration tests, which remain essential for a comprehensive view of security posture.

This layered approach balances the needs of both security and business stakeholders—testing high-risk areas more frequently without diluting the value of full penetration testing.

4. Summary

While penetration testing itself is not inherently in conflict with sales, using reports as sales tools often introduces ethical, security, and legal tensions. The shift from security remediation to business optics can weaken the value of testing, expose sensitive information, and create mistrust.

Key takeaways:

  • Do not alter scope simply to achieve a “Clean Report.”

  • Recognise that some level of risk is unavoidable in full-scope penetration tests.

  • Use targeted interim tests on new or updated code to reduce the likelihood of major findings during full annual tests.

Ultimately, penetration tests should remain what they were designed to be: a tool for risk reduction, not just a sales checkbox. Prioritising integrity over optics safeguards both the organisation’s security posture and its reputation.
