Penetration Testing Examples: Real-World Scenarios That Expose
Posted: March 5, 2026 to Cybersecurity.
What Penetration Testing Really Looks Like
Most businesses understand that penetration testing is important, but few understand what it actually involves. The term conjures images of hooded hackers in dark rooms, but professional penetration testing is a methodical, documented process that simulates real-world attacks to identify vulnerabilities before malicious actors exploit them.
In this article, we share real-world penetration testing examples — anonymized but based on actual engagements — to illustrate the types of vulnerabilities that professional pen testers find, how they exploit them, and what businesses can do to remediate them. Understanding these examples helps demystify the process and demonstrates why regular penetration testing is essential for any organization that takes security seriously.
At Petronella Technology Group, we have conducted penetration tests for organizations across healthcare, defense contracting, financial services, and technology. These examples reflect the patterns we see repeatedly in the field.
Example 1: The Unpatched VPN Gateway
The Scenario
A mid-sized professional services firm with 150 employees engaged PTG for an external penetration test. The firm had recently passed a compliance audit and believed their perimeter security was solid.
What We Found
During reconnaissance, our team identified a VPN concentrator running firmware that was three major versions behind the current release. This particular firmware version had a known critical vulnerability (CVSSv3 9.8) that allowed unauthenticated remote code execution. The vulnerability had been publicly disclosed for over 18 months, and exploit code was readily available.
The Exploitation
Using the publicly available exploit, our team gained administrative access to the VPN gateway within minutes. From there, we pivoted into the internal network, where we discovered a flat network architecture with no segmentation. Within two hours, we had domain administrator credentials and access to file shares containing client financial data, employee records, and proprietary business documents.
The Lesson
Patch management is not optional. This organization had a compliance checklist that included "maintain current patches," but no one was actually verifying that patches were applied to all devices — especially network infrastructure devices like VPN gateways, firewalls, and switches. A single unpatched device was the entry point for a complete network compromise.
Remediation
- Immediate firmware update on the VPN gateway
- Implementation of automated vulnerability scanning for all network devices
- Network segmentation to limit lateral movement
- Privileged access management to protect domain admin credentials
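The gap in this engagement was not the missing patch itself but the absence of anyone checking running firmware against the vendor's fixed-in version. The script below is an added example written for this article, not PTG's tooling or any vendor's scanner: it walks a constructed device inventory, compares each firmware string to a constructed "fixed in" table numerically rather than lexically (the "9.10" sorts before "9.9" bug is a real source of false negatives), and reports how many major versions behind each exposed device is. The product names, version numbers and hostnames are assumptions; the real inputs are your asset inventory and the vendor advisory.

```python
"""Check a device inventory for firmware older than the vendor's fixed-in release.

Added example for this article, not PTG's tooling. FIXED_IN and INVENTORY are
constructed; in practice they come from the vendor advisory and your asset
inventory or scanner export.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory data: product -> first firmware version containing the fix.
FIXED_IN: Dict[str, str] = {
    "ExampleVPN": "9.1.4",
    "ExampleFW": "7.0.12",
}

# Constructed inventory: (hostname, product, running firmware).
INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01", "ExampleVPN", "6.4.2"),        # three major versions behind
    ("vpn-gw-02", "ExampleVPN", "9.1.4"),        # exactly the fixed release
    ("fw-edge-01", "ExampleFW", "7.0.9-b2"),     # build suffix, still behind
    ("fw-edge-02", "ExampleFW", "7.0.12"),
    ("sw-core-01", "ExampleSwitch", "15.2.7"),   # no advisory data: report as unknown
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.9-b2' into (7, 0, 9).

    Version strings must be compared as numeric tuples, not as strings:
    '9.10' < '9.9' lexically, which silently marks a current device as patched.
    Any '-' or '+' build suffix is ignored for the comparison.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(running: str, fixed: str) -> bool:
    """True when the running firmware predates the fixed-in release."""
    return parse_version(running) < parse_version(fixed)


def majors_behind(running: str, fixed: str) -> int:
    """How many major versions the running firmware trails the fix by."""
    return max(0, parse_version(fixed)[0] - parse_version(running)[0])


def audit(inventory, fixed_in):
    """Return (vulnerable, unknown).

    vulnerable: (host, running, fixed, majors_behind) for each exposed device.
    unknown: hosts whose product has no advisory data, so they cannot be cleared.
    """
    vulnerable, unknown = [], []
    for host, product, running in inventory:
        fixed = fixed_in.get(product)
        if fixed is None:
            unknown.append(host)          # absence of data is not evidence of safety
            continue
        if is_vulnerable(running, fixed):
            vulnerable.append((host, running, fixed, majors_behind(running, fixed)))
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = audit(INVENTORY, FIXED_IN)
    for host, running, fixed, behind in vuln:
        print(f"{host}: running {running}, fixed in {fixed} ({behind} major version(s) behind)")
    for host in unk:
        print(f"{host}: no advisory data; cannot assess")
```

Devices with no advisory data are reported separately rather than silently passed, because a checklist that only lists what it knows to be broken is exactly how this firm's VPN gateway was missed.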
Example 2: Social Engineering Through Phishing
The Scenario
A healthcare organization with 300 employees requested a combined technical and social engineering penetration test. The organization had implemented email filtering and recently completed security awareness training.
What We Found
Our team crafted a targeted phishing campaign impersonating the organization's electronic health records (EHR) vendor. The email informed recipients of a "critical security update" that required them to log in to verify their credentials. The phishing page was a pixel-perfect replica of the EHR login portal hosted on a look-alike domain.
The Results
Despite the organization's security awareness training, 23% of employees clicked the link, and 11% entered their credentials. Among those who submitted credentials, three were clinical staff with access to patient records, and one was an IT administrator with elevated privileges.
Using the IT administrator's credentials, our team accessed the organization's Active Directory, internal applications, and network file shares. We demonstrated the ability to access protected health information (PHI) for thousands of patients.
The Lesson
Security awareness training is necessary but insufficient on its own. Organizations need multiple layers of defense: email filtering, multi-factor authentication (MFA), conditional access policies, and anomalous login detection. The IT administrator account that was compromised did not have MFA enabled — a single control that would have stopped this particular attack chain, because the harvested password alone would not have been enough to sign in. Note that a credential-harvesting page can be extended into a real-time proxy that relays one-time codes, so phishing-resistant MFA (FIDO2/WebAuthn authenticators bound to the real origin) is the stronger choice for privileged accounts.
Remediation
- Mandatory MFA for all accounts, especially privileged accounts
- Enhanced email filtering with look-alike domain detection
- Conditional access policies restricting logins from unusual locations
- Ongoing phishing simulations (quarterly, not annual)
- HIPAA security risk assessment update
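The remediation list calls for conditional access on unusual locations and detection of anomalous sign-ins. The detector below is an added example for this article, not PTG's or any identity provider's detection content. It runs three checks over constructed sign-in events: a sign-in from outside the countries the organization operates in, a privileged account authenticating without MFA, and "impossible travel" (two sign-ins whose implied speed exceeds what an airliner can do). The events, the country centroid table that stands in for a GeoIP lookup, the privileged-user list and the thresholds are all assumptions.

```python
"""Flag anomalous sign-ins from constructed authentication events.

Added example for this article, not PTG's or a vendor's detection logic.
EVENTS, CENTROIDS, KNOWN_COUNTRIES, PRIVILEGED and the speed threshold are
constructed; a real deployment reads the IdP sign-in log and a GeoIP database.
"""
import math
from datetime import datetime

# Constructed sign-in events (documentation-range IPs).
EVENTS = [
    {"user": "jdoe", "ts": "2026-03-02T08:01:00", "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"user": "jdoe", "ts": "2026-03-02T08:40:00", "ip": "198.51.100.7", "country": "DE", "mfa": False},
    {"user": "itadmin", "ts": "2026-03-02T09:15:00", "ip": "203.0.113.22", "country": "US", "mfa": False},
    {"user": "itadmin", "ts": "2026-03-02T09:16:30", "ip": "192.0.2.55", "country": "NL", "mfa": False},
    {"user": "asmith", "ts": "2026-03-02T10:00:00", "ip": "203.0.113.10", "country": "US", "mfa": True},
]

KNOWN_COUNTRIES = {"US"}            # constructed: where staff normally sign in from
PRIVILEGED = {"itadmin"}            # constructed: accounts that must always use MFA
MAX_TRAVEL_SPEED_KMH = 900.0        # roughly airliner speed; anything faster is impossible

# Constructed (lat, lon) centroids standing in for a GeoIP lookup.
CENTROIDS = {"US": (39.8, -98.6), "DE": (51.2, 10.4), "NL": (52.1, 5.3)}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(events, known_countries=KNOWN_COUNTRIES, privileged=PRIVILEGED,
           max_speed_kmh=MAX_TRAVEL_SPEED_KMH):
    """Return (user, timestamp, reason, detail) tuples for every anomaly found."""
    alerts = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["country"] not in known_countries:
            alerts.append((user, ev["ts"], "unusual_country", ev["country"]))
        if user in privileged and not ev["mfa"]:
            alerts.append((user, ev["ts"], "privileged_no_mfa", ev["ip"]))
        prev = last_by_user.get(user)
        if prev is not None and prev["country"] != ev["country"]:
            hours = (ts - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(CENTROIDS[prev["country"]], CENTROIDS[ev["country"]])
            # Two countries at the same instant is impossible travel; avoid dividing by zero.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, ev["ts"], "impossible_travel",
                               f"{prev['country']}->{ev['country']} at {speed:.0f} km/h"))
        last_by_user[user] = {"ts": ts, "country": ev["country"]}
    return alerts


if __name__ == "__main__":
    for user, ts, reason, detail in detect(EVENTS):
        print(f"{ts} {user}: {reason} ({detail})")
```

Country centroids are a crude stand-in: a real GeoIP database gives city-level coordinates, which matters because two cities in one large country can also be too far apart for the interval. The privileged-no-MFA check is the one that would have caught the account abused in this engagement before any travel heuristic fired.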
Example 3: Misconfigured Cloud Permissions
The Scenario
A SaaS company with a cloud-native architecture on AWS engaged PTG for a cloud penetration test. The company was preparing for SOC 2 Type II certification and wanted to validate their cloud security controls.
What We Found
Through enumeration of the company's AWS environment, we discovered an S3 bucket with public read access that contained application logs. These logs included detailed error messages with database connection strings, API keys, and internal service URLs.
The Exploitation
Using the exposed database connection string, we connected to an RDS instance that was accessible from the internet (another misconfiguration). The database contained customer data, billing information, and application secrets. We also used the exposed API keys to access internal services that provided additional access paths into the production environment.
The Lesson
Misconfiguration is consistently among the leading causes of cloud security breaches. Default settings, overly permissive IAM policies, and publicly accessible storage are endemic in cloud environments that were built quickly without security review. This company's developers had prioritized speed over security, and the accumulated technical debt created a critical exposure. Two separate mistakes compounded here: the public bucket leaked the credentials, and the internet-reachable RDS endpoint made them usable from anywhere. Fixing either alone would have left the other waiting for the next leak.
Remediation
- Removal of public access from all S3 buckets
- Rotation of all exposed credentials and API keys
- Network isolation of the RDS instance within private subnets
- Implementation of AWS Config rules to detect and alert on misconfigurations
- CloudTrail logging and monitoring for all API activity
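The first finding in this engagement was a bucket that any unauthenticated principal could read. The checker below is an added example for this article, not PTG's tooling and not an AWS API: it evaluates bucket policy documents and ACL grant lists of the shape that boto3's get_bucket_policy and get_bucket_acl return, flagging Allow statements whose Principal is "*" (or {"AWS": "*"}) with no condition that pins the request to a VPC endpoint, organization or account, plus ACL grants to the AllUsers or AuthenticatedUsers groups. The two policies and the grant list are constructed, and the restricting-condition logic is a simplification of how AWS itself decides whether a policy is "public".

```python
"""Detect public-access grants in S3 bucket policies and ACLs.

Added example for this article, not PTG's tooling and not an AWS API. The
policy documents and ACL grants are constructed; real ones come from
get_bucket_policy()["Policy"] and get_bucket_acl()["Grants"]. The durable
fix is S3 Block Public Access at the account level plus the AWS Config rule
s3-bucket-public-read-prohibited to catch drift.
"""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed: the app-logs bucket with a wide-open GetObject statement.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-logs/*",
    }],
})

# Constructed: also uses "*" but is pinned to one VPC endpoint, so it is not public.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-logs/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed ACL grants; the second one is the classic "public-read" canned ACL.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
]

# Condition keys that narrow a "*" principal to something smaller than the internet.
# aws:SourceIp is deliberately absent: a 0.0.0.0/0 range would still be public,
# so IP conditions need their values inspected rather than trusted by key name.
RESTRICTING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:PrincipalOrgID",
                    "aws:PrincipalAccount", "aws:SourceAccount", "aws:SourceArn"}
POSITIVE_OPERATORS = ("StringEquals", "StringLike", "ArnEquals", "ArnLike")


def _is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _has_restricting_condition(stmt) -> bool:
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.startswith(POSITIVE_OPERATORS) and any(k in RESTRICTING_KEYS for k in keys):
            return True
    return False


def public_policy_statements(policy_json: str):
    """Return (Sid or index, actions) for each Allow statement open to any principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        actions = stmt.get("Action", [])
        findings.append((stmt.get("Sid", f"statement[{i}]"),
                         actions if isinstance(actions, list) else [actions]))
    return findings


def public_acl_grants(grants):
    """Return (group, permission) for grants to AllUsers or AuthenticatedUsers."""
    out = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            out.append((grantee["URI"].rsplit("/", 1)[-1], g["Permission"]))
    return out


if __name__ == "__main__":
    print("policy:", public_policy_statements(PUBLIC_POLICY))
    print("scoped policy:", public_policy_statements(SCOPED_POLICY))
    print("acl:", public_acl_grants(PUBLIC_ACL_GRANTS))
```

AuthenticatedUsers is treated as public on purpose: it means any AWS account in the world, not any user in yours. Both the policy and the ACL have to be checked, since a bucket with no policy at all can still be world-readable through a canned ACL.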
Example 4: Physical Security and Internal Network Access
The Scenario
A financial services firm requested a comprehensive penetration test that included physical security testing. The firm wanted to understand whether an attacker who gained physical access to their office could compromise their network.
What We Found
Our tester gained access to the building by tailgating an employee through a badge-controlled door during the morning rush. Once inside, the tester found an unoccupied conference room with an active Ethernet port. Plugging a small network device into the port provided full internal network access.
The Exploitation
The internal network had no network access control (NAC) — any device plugged into an Ethernet port received a valid IP address and full network access. From this position, our tester identified and exploited a vulnerability in an internal web application that provided access to customer account data and financial records.
The Lesson
Physical security is cybersecurity. Organizations that invest heavily in firewalls and endpoint protection but neglect physical access controls leave themselves vulnerable to low-tech attacks. Network access control, visitor management procedures, and security cameras are all part of a comprehensive security program.
Remediation
- Implementation of 802.1X network access control
- Disabling unused network ports
- Enhanced visitor management and escort policies
- Security camera coverage in common areas
- Employee training on tailgating awareness
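Until 802.1X is in place, the DHCP server is often the only system that records a device plugged into a spare port, because it hands out a lease to anything that asks. The script below is an added example for this article, not PTG's tooling: it parses constructed ISC dhcpd-style DHCPACK syslog lines, reconciles each leased MAC against a constructed managed-device list, and enriches anything unknown with a vendor prefix and the network segment it appeared on. The log lines, MAC addresses, inventory, OUI table and subnet-to-room mapping are all assumptions.

```python
"""Reconcile DHCP leases against an asset inventory to surface unmanaged devices.

Added example for this article, not PTG's tooling. DHCP_LOG, MANAGED_MACS,
OUI and ROOM_SUBNETS are constructed; in practice they come from the DHCP
server's syslog, the asset inventory, the IEEE OUI list and your IPAM.
"""
import ipaddress
import re

# Constructed ISC dhcpd-style syslog lines.
DHCP_LOG = """\
Mar  2 08:12:03 dhcp1 dhcpd: DHCPACK on 10.20.5.41 to 3c:22:fb:aa:bb:01 (LAPTOP-0442) via 10.20.5.1
Mar  2 08:12:10 dhcp1 dhcpd: DHCPACK on 10.20.7.88 to b8:27:eb:12:34:56 (raspberrypi) via 10.20.7.1
Mar  2 08:13:44 dhcp1 dhcpd: DHCPACK on 10.20.5.42 to 3c:22:fb:aa:bb:02 via 10.20.5.1
Mar  2 08:14:01 dhcp1 dhcpd: DHCPREQUEST for 10.20.5.41 from 3c:22:fb:aa:bb:01 (LAPTOP-0442) via 10.20.5.1
"""

# Only DHCPACK lines represent a lease actually handed out; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<relay>\S+)",
    re.IGNORECASE,
)

MANAGED_MACS = {"3c:22:fb:aa:bb:01", "3c:22:fb:aa:bb:02"}     # constructed inventory
OUI = {                                                      # constructed vendor-prefix table
    "b8:27:eb": "Raspberry Pi Foundation",
    "3c:22:fb": "corporate laptop fleet (constructed)",
}
ROOM_SUBNETS = {                                             # constructed IPAM data
    ipaddress.ip_network("10.20.7.0/24"): "conference rooms (constructed)",
}


def parse_acks(log):
    """Yield dicts with ip, mac, host, relay for each DHCPACK line."""
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.groupdict()


def location_of(ip):
    """Map a leased address to the segment it was handed out on."""
    addr = ipaddress.ip_address(ip)
    for net, name in ROOM_SUBNETS.items():
        if addr in net:
            return name
    return "unknown segment"


def unmanaged_leases(log, managed=MANAGED_MACS):
    """Return enriched records for every lease whose MAC is not in the inventory."""
    findings = []
    for lease in parse_acks(log):
        mac = lease["mac"].lower()
        if mac in managed:
            continue
        findings.append({
            "ip": lease["ip"],
            "mac": mac,
            "host": lease["host"] or "",
            "vendor": OUI.get(mac[:8], "unknown vendor"),
            "location": location_of(lease["ip"]),
        })
    return findings


if __name__ == "__main__":
    for f in unmanaged_leases(DHCP_LOG):
        print(f"unmanaged device {f['mac']} ({f['vendor']}) got {f['ip']} in {f['location']}; hostname={f['host']!r}")
```

This is a compensating detection, not a substitute for 802.1X: a tester who clones a managed laptop's MAC will not appear here, which is exactly why the remediation list leads with network access control rather than monitoring.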
Example 5: Wireless Network Exploitation
The Scenario
A law firm engaged PTG for a wireless penetration test after a neighboring business reported suspicious network activity.
What We Found
The firm's guest wireless network and corporate wireless network shared the same physical access points but were supposed to be isolated through VLAN segmentation. Our testing revealed that the VLAN configuration was incomplete — traffic from the guest network could reach the corporate VLAN through a misconfigured switch port.
The Exploitation
By connecting to the open guest network from the parking lot, our team was able to reach internal systems that should have been isolated. This included a network-attached storage device containing client case files and a print server that logged all printed documents.
The Lesson
Wireless network segmentation must be verified, not assumed. Many organizations configure guest and corporate wireless networks but never validate that the segmentation is actually effective. Regular wireless penetration testing identifies these gaps before they are exploited.
Remediation
- Corrected VLAN configuration on all switch ports
- Implemented wireless intrusion detection
- Moved sensitive file shares behind additional authentication
- Quarterly wireless security assessments
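The article does not say which switch-port mistake let guest traffic reach the corporate VLAN, so the audit below, an added example for this article and not PTG's tooling, checks the three trunk-port errors that most often produce that symptom on access-point uplinks: the guest VLAN set as the native VLAN (untagged frames land there and double-tagged frames can hop into the corporate VLAN), the corporate VLAN set as the native VLAN (anything the AP sends untagged lands on the corporate network), and a trunk with no allowed-VLAN list, which carries every VLAN by default. The Cisco IOS-style configuration, the VLAN numbers and the port descriptions are constructed.

```python
"""Audit IOS-style switch-port configuration for guest/corporate VLAN leakage.

Added example for this article, not PTG's tooling. SWITCH_CONFIG and the VLAN
numbers are constructed; feed it a real 'show running-config' to audit your
own switches. Only the trunk-port checks named in the lead-in are implemented.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CORP_VLAN, GUEST_VLAN = 10, 20

SWITCH_CONFIG = """\
!
vlan 10
 name CORP
vlan 20
 name GUEST
!
interface GigabitEthernet1/0/1
 description Uplink to AP-lobby
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 20
!
interface GigabitEthernet1/0/2
 description Uplink to AP-east
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
interface GigabitEthernet1/0/3
 description Guest-only AP
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description Uplink to AP-south
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 description NAS
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/6
 description Uplink to AP-west
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 10
!
"""


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = ""
    access_vlan: Optional[int] = None
    native_vlan: Optional[int] = None      # None means the IOS default of VLAN 1
    allowed: Optional[Set[int]] = None     # None means all VLANs (the IOS default)


def _expand_vlans(spec: str) -> Set[int]:
    """Expand '10,20-22' into {10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_ports(config: str) -> List[Port]:
    """Collect the switchport settings under each 'interface' block."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = Port(name=raw.split(None, 1)[1])
            ports.append(cur)
            continue
        if not raw.startswith(" "):        # '!' or another global command ends the block
            cur = None
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("description "):
            cur.description = line[len("description "):]
        elif line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport mode access":
            cur.mode = "access"
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = _expand_vlans(line.split()[-1])
    return ports


def audit(ports: List[Port], corp: int = CORP_VLAN, guest: int = GUEST_VLAN) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for trunks that can leak guest traffic into corporate."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if p.mode != "trunk":
            continue
        native = 1 if p.native_vlan is None else p.native_vlan
        if p.native_vlan is None:
            findings.append((p.name, "native VLAN left at default 1; assign a dedicated unused native VLAN"))
        if native == guest:
            findings.append((p.name, f"guest VLAN {guest} is the native VLAN: double-tagged guest frames can hop into VLAN {corp}"))
        if native == corp:
            findings.append((p.name, f"corporate VLAN {corp} is the native VLAN: untagged frames from the AP land on the corporate network"))
        if p.allowed is None:
            findings.append((p.name, "no 'switchport trunk allowed vlan' list: trunk carries every VLAN"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_ports(SWITCH_CONFIG)):
        print(f"{port}: {finding}")
```

A clean configuration reads like GigabitEthernet1/0/2: explicit allowed list, and a native VLAN that is neither guest nor corporate and carries nothing. Reading the config only tells you what should happen; the engagement's lesson still stands, so confirm the result by connecting to the guest SSID and probing corporate addresses.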
Why Regular Penetration Testing Matters
These examples illustrate a critical truth: security is not a destination, it is a continuous process. Environments change, new systems are deployed, configurations drift, and new vulnerabilities are discovered. Regular penetration testing — at least annually, and after any significant infrastructure change — ensures that new vulnerabilities are identified and addressed before attackers find them.
PCI DSS requires penetration testing outright; CMMC, HIPAA, and SOC 2 call for ongoing evaluation of security controls, and auditors under all of them routinely expect penetration test results as evidence. But compliance is the floor, not the ceiling. Organizations that test regularly and remediate promptly are dramatically more resilient than those that test only when auditors require it.
Frequently Asked Questions
How often should my business conduct penetration testing?
At minimum, annually. However, you should also conduct penetration tests after major infrastructure changes (new applications, cloud migrations, office relocations), after security incidents, and as part of compliance audit preparation. High-risk environments may benefit from quarterly testing.
What is the difference between a vulnerability scan and a penetration test?
A vulnerability scan is an automated process that identifies known vulnerabilities by matching software versions, service banners, and configurations against a database of published issues. A penetration test is a manual, expert-driven exercise that attempts to actually exploit vulnerabilities, chain them together, and demonstrate real-world impact. Vulnerability scans find potential problems; penetration tests prove which problems are actually exploitable and how far an attacker can get.
Will a penetration test disrupt my business operations?
Professional penetration tests are carefully scoped and controlled to minimize operational impact. Testing is typically conducted during agreed-upon windows, and testers coordinate closely with your team to avoid disrupting critical systems. At PTG, we maintain constant communication throughout the engagement and can pause testing immediately if any unexpected impact occurs.
What should I do with the penetration test report?
A penetration test report is only valuable if you act on its findings. Prioritize remediation of critical and high-severity findings immediately, address medium-severity findings within 30-90 days, and develop a plan for low-severity items. Schedule a retest after remediation to verify that fixes are effective. PTG provides remediation guidance and retesting as part of our penetration testing engagements.
Test Your Defenses Before Attackers Do
The organizations that suffer the worst breaches are the ones that assumed their security was adequate without testing it. Do not be that organization. Contact Petronella Technology Group to schedule a professional penetration test that will reveal your true security posture. Call 919-422-2607 or submit a request through our website.