Penetration Testing for MSPs: Best Practices Guide

A client tells you they already have penetration testing covered. A competitor ran one last year, and they have the PDF to prove it. You look at the report and immediately recognize it: a Nessus scan, repackaged. No manual testing. No exploitation. No one tried to get in. They just listed everything that was visible from the outside and called it done.

This is more common than it should be. The term penetration test has been diluted to the point where it can mean almost anything, and clients, especially the small and mid-market businesses many MSPs serve, often don't know the difference between what they bought and what they needed.

That gap is a problem for your clients' security. It's also a competitive opening for MSPs who can explain it clearly.

Penetration testing for MSPs means offering clients a manual, adversary-simulated security test conducted by credentialed engineers, not a repackaged vulnerability scan. A real pen test tells you what an attacker can do once they are inside the network. A scanner only tells you what might let them in.

Vulnerability Scan vs. Penetration Test: What the Difference Actually Means

Vulnerability scanners and external scanning tools have real value. They identify known vulnerabilities, exposed services, misconfigured systems, and outdated software. They run quickly, they can be automated, and they give you a useful snapshot of your attack surface from the outside looking in.

What they don't do is test what happens when an attacker gets in.

A scanner answers: what doors might be unlocked?

A manual penetration test answers: if someone walks through that door, how far can they go, and what can they reach?

Those are completely different questions, and with AI-assisted tooling lowering the cost of initial access, the second one matters more.

What Manual Penetration Testing for MSPs Actually Involves

Manual penetration testing is conducted by human testers, ethical hackers, who actively think like an adversary. They're not running a script and generating a report. They're probing, pivoting, and trying things that don't show up in any automated tool's ruleset.

The credentials that matter here are practitioner-level certifications like OSCP (Offensive Security Certified Professional), which require demonstrating the ability to compromise real systems in a controlled lab environment. The work should be conducted by background-checked engineers, and the engagement should be scoped with specificity: what systems, what access level, what objectives, and what rules of engagement.

The output should tell your client not just what vulnerabilities exist, but what an attacker could do with them, and what specific changes would have contained or prevented the breach. That's a roadmap for hardening, not just a list of findings.

One more thing worth saying directly: some providers run automated scans and present the output as a penetration test. This isn't just a value problem, it's a liability problem. If a client relies on that report as evidence of due diligence and then suffers a breach that real testing would have caught, the consequences go well beyond lost data. Class action exposure after cyber incidents is increasing, and organizations that can demonstrate active, independent security testing are in a substantially better legal position than those that can't.

Types of Penetration Tests MSPs Should Know

Not all pen tests are scoped the same way. Understanding the main types helps MSPs match the right test to each client's risk profile and budget.

External penetration test. The tester works from outside the network, targeting internet-facing assets: websites, VPNs, email infrastructure, firewalls. This is where most low-cost "pen tests" begin and end. It's useful for measuring your exposed attack surface, but it doesn't tell you what happens after someone gets in.

Internal penetration test. The tester starts inside the network perimeter, simulating a threat actor who has already gained access, whether through a compromised credential, a phishing click, or a malicious insider. Internal testing exposes lateral movement paths, privilege escalation vulnerabilities, and the gaps between network segments.

Assumed-breach testing. A specific form of internal testing where the tester begins with a standard user account and attempts to escalate from there. This is the most realistic simulation of how modern attacks actually progress, and it answers the question most relevant to your clients: how much damage can an attacker do once they're through the door?

Social engineering. Tests whether employees can be manipulated into disclosing credentials, clicking malicious links, or granting unauthorized access. Phishing simulations are the most common form. Often paired with technical testing for a complete picture.

Most MSP clients need, at minimum, an external test plus an internal or assumed-breach engagement. The right combination depends on the client's industry, compliance obligations, and the last time they were tested, if ever.
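The difference between a scanner's per-host findings and what an internal or assumed-breach tester reports is easiest to see on a small attack graph. The example below is added here and is not code from the original post, from Todyl, or from Optimize Cyber; the hosts, accounts, admin rights, and cached sessions are constructed for illustration. It starts from a standard user account and searches for a chain of "log on where you are admin, harvest the credentials cached there" steps to a Domain Admins member, which is exactly the path an assumed-breach test walks, and then re-runs the search with two candidate remediations to show which change would actually have contained the breach:

```python
"""Attack-path analysis for an assumed-breach engagement (constructed example).

Everything below is made up: a few Windows hosts, who holds local admin where,
and whose credentials are cached in a logged-on session on each host. A
scanner reports each host on its own; an internal tester chains them: log on
where you are admin, harvest the credentials cached there, repeat.
"""
from collections import deque

# Local admin rights: principal -> hosts where it is a local administrator.
ADMIN_RIGHTS = {
    "jsmith":        {"WS01"},                        # standard user, admin on own PC
    "helpdesk":      {"WS01", "WS02", "FS01"},        # shared helpdesk account
    "svc_backup":    {"FS01", "SQL01"},               # backup service account
    "Domain Admins": {"DC01", "SQL01", "FS01", "WS01", "WS02"},
}
# Group membership: principal -> groups it belongs to.
GROUPS = {"da_admin": {"Domain Admins"}}
# Logged-on sessions: host -> principals whose credentials a local admin could harvest.
SESSIONS = {
    "WS01":  {"jsmith", "helpdesk"},   # helpdesk logged on to work a ticket
    "WS02":  {"helpdesk"},
    "FS01":  {"svc_backup"},
    "SQL01": {"da_admin"},             # a domain admin logged on to a member server
    "DC01":  {"da_admin"},
}


def admin_hosts(principal, admin_rights, groups):
    """Hosts where `principal` is local admin, directly or through a group."""
    hosts = set(admin_rights.get(principal, ()))
    for group in groups.get(principal, ()):
        hosts |= admin_rights.get(group, set())
    return hosts


def find_attack_path(start, target_group, admin_rights=ADMIN_RIGHTS,
                     sessions=SESSIONS, groups=GROUPS):
    """Breadth-first search from one compromised principal to `target_group`.

    Controlling a principal grants admin on its hosts; admin on a host grants
    the credentials of every session cached there. Returns the shortest chain
    as (principal, host, harvested_principal) steps, or None if unreachable.
    """
    parent = {start: None}                     # principal -> (previous, via host)
    queue = deque([start])
    while queue:
        who = queue.popleft()
        if target_group in groups.get(who, ()):
            steps = []
            while parent[who] is not None:
                prev, host = parent[who]
                steps.append((prev, host, who))
                who = prev
            return steps[::-1]
        for host in sorted(admin_hosts(who, admin_rights, groups)):
            for cred in sorted(sessions.get(host, ())):
                if cred not in parent:
                    parent[cred] = (who, host)
                    queue.append(cred)
    return None


def path_with_fix(start, target_group, fix):
    """Copy the environment, apply one proposed remediation, and re-run the search."""
    admin_rights = {k: set(v) for k, v in ADMIN_RIGHTS.items()}
    sessions = {k: set(v) for k, v in SESSIONS.items()}
    fix(admin_rights, sessions)
    return find_attack_path(start, target_group, admin_rights, sessions)


def no_shared_helpdesk_admin(admin_rights, sessions):
    """Remove the helpdesk account's standing admin rights on workstations."""
    admin_rights["helpdesk"] -= {"WS01", "WS02"}


def no_tier0_logons_on_servers(admin_rights, sessions):
    """Domain admins log on to domain controllers only (credential tiering)."""
    sessions["SQL01"].discard("da_admin")


if __name__ == "__main__":
    for who, host, got in find_attack_path("jsmith", "Domain Admins"):
        print(f"{who} is admin on {host} -> harvests {got}")
    for fix in (no_shared_helpdesk_admin, no_tier0_logons_on_servers):
        blocked = path_with_fix("jsmith", "Domain Admins", fix) is None
        print(f"{fix.__name__}: {'blocks' if blocked else 'does not block'} the path")
```

On this constructed data the standard user reaches Domain Admins in three hops (jsmith's workstation, the shared helpdesk account, the backup service account, then the domain admin session on SQL01). Note that the first remediation, removing the helpdesk account's admin on workstations, does not break the chain, while keeping domain admin credentials off member servers does. That is the kind of "this specific change would have contained it" finding a report should carry; a scanner that lists each host's missing patches cannot produce it, because the chain lives in the relationships between hosts, not in any single host. In a real engagement the admin-rights and session data comes from the tester's own collection (tooling such as BloodHound gathers the same relationships from Active Directory), not from a hand-written dictionary.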

How MSPs Can Use Pen Testing to Win and Retain Clients

Here's the competitive reality: if your clients are going somewhere else for penetration testing, that relationship belongs to someone else. And some of those providers aren't neutral. They'll use a "critical finding" to suggest your client needs a new MSP, regardless of whether that finding reflects your work.

Pen testing is also one of the most effective ways to land net new clients. A prospect who isn't yet your managed services client might not be ready to commit to a full MXDR contract on day one. But they might be ready to buy a penetration test. That engagement starts the relationship, puts you in their environment, demonstrates your competence, and, if the findings create a remediation roadmap, creates a natural path to the ongoing services conversation.

The MSPs growing fastest in the mid-market aren't waiting for clients to bring security budget to them. They're creating the conditions for that budget to get unlocked, and a third-party pen test that reveals real exposure is one of the most reliable ways to do that.

Beyond client acquisition, consider your own environment. An MSP's RMM tools, service accounts, and API connections into client environments are a concentrated attack surface: one compromised MSP credential can reach every client in your stack, which is exactly why attacks on MSPs are increasingly common. Pen testing your own infrastructure isn't just good security hygiene. It's a credibility statement.

How Often Should MSPs Run Pen Tests for Clients

Frequency depends on the client's risk exposure, compliance requirements, and how much their environment changes over time. A general framework:

Annually, at minimum. Most compliance frameworks, including SOC 2, HIPAA, and CMMC, require or strongly recommend annual penetration testing. Annual testing also catches drift: new systems added, configurations changed, access controls that were never cleaned up.

After major changes. A new cloud migration, an acquisition, a significant network expansion, or a new software deployment all introduce unknowns. Testing after major changes is good practice regardless of where the client sits on the annual calendar.

After a security incident. If a client has experienced a breach, phishing compromise, or ransomware event, a post-incident pen test validates that the remediation actually closed the gaps and didn't introduce new ones.

For high-risk or compliance-driven clients. Healthcare organizations subject to HIPAA, government contractors under CMMC, and companies pursuing SOC 2 certification often need more frequent testing, or testing tied to specific audit cycles. These clients represent some of the best pen testing revenue for MSPs precisely because the testing isn't optional.

A good rule of thumb for MSP conversations: if a client's environment changed significantly in the last 12 months, or if they've never had a manual test done, they're overdue.

Pen Testing and Compliance: SOC 2, HIPAA, CMMC, and Cyber Insurance

Penetration testing has moved from "nice to have" to a documented requirement across most of the frameworks MSP clients are subject to.

SOC 2. The Trust Services Criteria require organizations to test the effectiveness of security controls. Penetration testing is one of the primary mechanisms auditors look for as evidence that controls have been challenged, not just documented.

HIPAA. The Security Rule requires covered entities and business associates to conduct periodic technical and non-technical evaluations of their security safeguards. A manual pen test is much stronger evidence for that evaluation than a vulnerability scan alone.

CMMC. The Cybersecurity Maturity Model Certification, required for Department of Defense contractors, includes penetration testing as part of the assessment process at its highest level (Level 3). MSPs serving defense contractors need to understand this requirement well.

Cyber insurance. Underwriters have grown significantly more sophisticated. Many carriers now ask specifically whether the applicant has conducted penetration testing in the last 12 months and require documentation. A client with a recent, credentialed pen test report is in a materially stronger position at renewal, and often gets better rates.

For MSPs, the compliance angle is one of the most straightforward ways to have the pen testing conversation. The test isn't a luxury purchase. For many clients, it's required documentation.

How to Think About Pen Testing Pricing as an MSP

Pen testing pricing varies based on scope, methodology, and the credentialing of the team doing the work. A few general parameters:

External-only tests for a small environment typically run in the $3,000-$8,000 range. Full internal-plus-external engagements for mid-market clients generally fall between $8,000-$25,000+, depending on the size of the environment and the depth of the scope.

For MSPs building pen testing into their service stack, the question isn't just what it costs; it's how it fits into your margin model. Most MSPs approach this one of three ways:

  • Pass-through with a markup. Partner with a vetted offensive security firm, resell at a margin, and handle the client relationship and remediation follow-up. Low overhead, predictable revenue.
  • Bundled into a higher-tier security package. Annual pen testing becomes part of a premium managed security tier, amortized into monthly recurring revenue. This is the most common model for MSPs who want pen testing to drive retention, not just one-time revenue.
  • As a door-opener. Price the initial engagement at or near cost to get into a new client's environment. The test findings justify the ongoing engagement.

What to avoid: selecting a pen testing partner primarily on price. A low-cost scan dressed up as a penetration test creates the exact liability exposure described earlier in this post. The credential of the testers, the specificity of the methodology, and the independence of the provider are what determine whether the report has any real value.

How to Add Penetration Testing to Your MSP Service Stack

Offering penetration testing doesn't require building an offensive security team in-house. It requires a vetted partner with the right credentials, the right methodology, and, critically, no competing interest in the outcome.

Todyl's Assurance Marketplace includes Optimize Cyber, an offensive security firm specializing in manual penetration testing, assumed-breach internal testing, and rapid security assessments. They work exclusively with MSPs, carry no managed services of their own, and are integrated with the Todyl Platform so their findings connect directly to remediation workflows. Todyl partners can access them through the GRC section of the platform.

If you're not yet a Todyl partner and want to see how the Assurance Marketplace works, reach out for a demo.

Frequently Asked Questions

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan uses automated tools to identify known weaknesses in a system: unpatched software, misconfigured services, exposed ports. It tells you what the attack surface looks like from the outside. A penetration test is conducted by a human tester who actively attempts to exploit those weaknesses, or others not detectable by scanning, to determine what an attacker could actually do. A scan tells you what doors might be unlocked. A pen test tells you what someone could access if they walked through one.

How often should MSPs conduct penetration testing for clients?

Annual testing is the standard baseline, and most compliance frameworks, including SOC 2, HIPAA, and CMMC, require or expect at least that frequency. Beyond the annual cadence, testing is warranted after significant environment changes (cloud migrations, acquisitions, major network expansions), after a security incident, and for clients with active compliance audit cycles. If a client has never had a manual pen test, they should treat that as overdue regardless of what the calendar says.

What certifications should a pen tester have?

The most recognized credential for hands-on penetration testing is the OSCP (Offensive Security Certified Professional), which requires candidates to compromise real systems in a controlled lab environment. It's a practitioner credential, not a multiple-choice exam. Other relevant certifications include CEH (Certified Ethical Hacker), GPEN (GIAC Penetration Tester), and CRTO (Certified Red Team Operator) for more advanced adversary simulation work. When evaluating a pen testing provider, ask specifically about the credentials of the engineers conducting the test, not just the firm.

What is assumed-breach testing?

Assumed-breach testing is a form of internal penetration testing that starts from the premise that an attacker has already gained initial access to the network. Rather than trying to breach the perimeter, the tester begins with a standard user account and attempts to move laterally, escalate privileges, and reach critical systems and data. It's the most realistic simulation of how modern attacks actually unfold, since most breaches today begin with a compromised credential rather than a technical exploit against an external-facing system. For clients who want to know how much damage an attacker could do once inside, assumed-breach testing is the most direct answer.
