In Morocco, a penetration test is rarely a spontaneous initiative. It is triggered by a client security questionnaire, an ISO 27001 or SOC 2 evidence cycle, a cyber-insurer requirement, the DGSSI reference frameworks, or a doubt after an incident. The demand arrives — but a question remains: what does a penetration test actually produce, and how does it run?
This guide answers that — what a penetration test (or pentest) is, how it differs from an audit, its types, its methodology, its process, its cost and its frequency. If instead you want to know how to choose a provider, our buyer guide covers that in detail; here, we explain the discipline itself.
What is a penetration test (pentest)?
In one sentence: a penetration test is a simulated, authorized attack on your information system, run by practitioners, to demonstrate concretely how an attacker would reach what matters — and what to fix first.
The key word is demonstrate. A penetration test does not produce a theoretical list of flaws: it establishes a reproducible attack path, with evidence, from an entry point to a real business impact (access to data, takeover, possible fraud). “Pentest” is simply the short form of “penetration test”; both mean the same thing. The value is not the number of vulnerabilities found, but the clarity on the risk that is actually exploitable.
Penetration test or security audit: what is the difference?
Direct answer: an audit checks that measures exist; a penetration test checks that they hold against an attack.
A security audit assesses your compliance with a framework or a control checklist — it looks at whether a policy, a patch or a configuration is in place. A penetration test takes the attacker’s point of view: it tries to bypass those measures and demonstrates what gives way. The two are complementary — an audit maps broadly, a test proves in depth — and many Moroccan organizations need both at different moments. If your question is “where do we stand overall?”, a security assessment is the right starting point; if it is “does this specific surface hold?”, it is a penetration test.
What are the types of penetration testing?
Direct answer: the type is chosen by the surface to test and the realistic attack scenario.
- External. What an attacker reaches from the internet: websites, exposed services, VPN, email.
- Internal. What an attacker — or a malicious employee — does once inside the network: lateral movement, privilege escalation.
- Web application and API. Application flaws (authentication, business logic, injection) per the OWASP WSTG and the API Security Top 10.
- Cloud. Identities, permissions and misconfigurations on AWS, Azure or GCP, which often chain into real impact.
- Social engineering. The human factor (phishing, pretexting) — usually within the broader scope of a red teaming engagement.
Red teaming is a category of its own: an objective-driven engagement that combines these surfaces to test your detection and response, rather than a bounded-scope test.
Black, grey or white box?
Direct answer: the difference is the information given to the tester at the start — and each has its use.
In black box, the tester starts with no prior knowledge, like an external attacker. In grey box, they have limited access or credentials, simulating a user or partner — usually the best coverage-to-cost ratio. In white box, they receive full access (code, architecture, configurations) for the deepest coverage. The right choice depends on your goal: simulate an outsider, or find the most flaws in a given time.
How does a penetration test work?
Direct answer: a serious engagement follows a recognized methodology — PTES, MITRE ATT&CK, OWASP — in several stages, from scoping to retest.
- Scoping and rules of engagement. The perimeter, objectives, test windows and written authorizations are defined. Nothing starts without them.
- Reconnaissance. Gathering information on the attack surface, exposed and internal.
- Mapping. Identifying services, technologies and potential entry points.
- Exploitation. Actually attempting to compromise the identified flaws — this is what separates a test from a mere scan.
- Post-exploitation. Once inside, how far does it go? Movement, access to data, demonstration of business impact.
- Reporting. Reproducible findings, severity scored with CVSS and read in business impact, and a prioritized action plan.
- Retest. Verifying that the recommended fixes actually hold — there is no closure without a retest.
An automated scanner stops at stage 3. A penetration test goes all the way, by hand, because it is exploitation and post-exploitation that reveal the real risk.
How much does a penetration test cost in Morocco?
Direct answer: the price depends on the scope and the depth, and any figure quoted without scoping is a guess.
The factors that actually move the cost: the size of the surface (one application, or a whole information system), the type of test (a focused web test is not a full internal one), the box level (black/grey/white), and whether a retest is included. Be wary of a bargain price: it often signals a scan dressed up as a penetration test, billed per vulnerability rather than per demonstrated attack path.
At HackingByte, an engagement is scoped as a fixed fee, in a range communicated during the scoping call — no opaque day rate, no quote before we understand your scope. It is the honest answer to the “penetration testing cost” search: the range is set after scoping.
How often should you run a penetration test?
Direct answer: at least once a year, and after every major change.
The practical rule: an annual test for the assets that carry the risk, plus a test at every significant change (new application, architecture redesign, cloud migration) and whenever an external requirement imposes it — client questionnaire, ISO 27001 or SOC 2 cycle, cyber-insurance renewal. Between tests, continuous monitoring covers the blind spot: a test is a snapshot at a point in time, not a permanent guarantee.
What a good penetration test must produce
Direct answer: three connected deliverables — a technical report, an executive risk brief and a prioritized action plan — and proof of each finding, not a scanner export.
We detail the quality signals to demand from a provider in our penetration testing buyer guide. The essentials: demand proof (reproduction steps), prioritization by business impact rather than raw score, and a retest of the fixes.
The Moroccan context
Several frameworks make a penetration test unavoidable in Morocco: the requirements of clients and European partners, compliance cycles (ISO 27001, SOC 2), and the DGSSI reference frameworks under Law 05-20 for the entities in scope. An important point of honesty: the regulatory audits of the sensitive information systems of vital infrastructure are reserved for DGSSI-qualified providers — HackingByte does not hold that qualification and claims none. Our place is upstream and around it: testing your defenses with a penetration test run to international standards, and producing evidence that holds. The DGSSI/DNSSI framework is detailed in our Law 05-20 guide.
Where to start
If a requirement has landed — a client questionnaire, a scheduled audit, a doubt after an incident — the first step is a scoping call: it sets the perimeter, the test type and a range before any commitment. Our penetration testing in Morocco service details the engagement.
Request a scoping call · See penetration testing
Frequently asked questions
What is a penetration test?
A simulated, authorized attack on your information system, run by practitioners, that demonstrates — with evidence — how an attacker would reach what matters and what to fix first. “Pentest” is its short form.
What is the difference between an audit and a penetration test?
An audit checks that measures exist (compliance with a framework); a penetration test checks that they hold against a real attack. The two are complementary.
What are the types of penetration testing?
External, internal, web application and API, cloud, and social engineering — chosen by the surface to test. Red teaming is an objective-driven engagement that combines them to test detection and response.
What is the difference between black, grey and white box?
The amount of information given to the tester at the start: none (black box, like an external attacker), limited access (grey box), or full access to code and architecture (white box).
How much does a penetration test cost in Morocco?
It depends on the scope, the test type and the depth. We scope as a fixed fee, in a range communicated after the scoping call — a very low price often signals a simple scan billed as a test.
How often should you run a penetration test?
At least once a year for the assets that carry the risk, and after every major change (new application, redesign, cloud migration) or external requirement (client questionnaire, ISO/SOC 2 cycle, insurance).
Is a vulnerability scanner enough?
No. A scanner identifies potential flaws; a penetration test exploits them to demonstrate the real attack path and business impact. The scan is useful as a complement, not a replacement.
Related services
- Penetration testing (pentest) — external, internal, web and API, senior-led, evidence in hand.
- Red teaming and attack simulation — for mature programs: detection and response put to the test.
- Security assessments — the structured state of play, ahead of a targeted test.
Read also: Penetration testing buyer guide. Operating in Morocco? See how we work: Cybersecurity in Morocco.