Pentest and vulnerability scans: what an SME must check yearly
Manual pentest, automated scans, bug bounty and OWASP LLM Top 10. Swiss providers, OSS tools and realistic May 2026 prices.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is a pentest and where does the scan differ?
A penetration test is an agreed, ethical hacking engagement: an external specialist uses the same techniques as an attacker to try to break into your systems, extract data or escalate privileges, within a firmly defined scope and with written authorisation. The result is a report listing the vulnerabilities found, with reproduction steps, an impact rating (CVSS) and recommendations.
A vulnerability scan is the automated variant: a tool such as Nessus, OpenVAS, Trivy or nuclei checks your systems against a database of known vulnerabilities (the CVE list). The tool runs in minutes to hours and delivers a list of potential issues, but without any human evaluation of exploitability. A vulnerability scan finds the simple problems; the pentest finds the complex business-logic flaws.
The third building block is bug bounty: a publicly advertised programme in which external researchers report the vulnerabilities they find in return for a reward. HackerOne and Bugcrowd are the May-2026 standard platforms; Intigriti is the EU-resident alternative with Swiss clients. Bug bounty runs continuously and is cheap per finding (CHF 200 to CHF 5000), but requires ongoing triage capacity.
As of May 2026, Verizon DBIR and the ENISA Threat Landscape agree that web-application attacks are by far the largest vector. Anyone running a web app without external review will, statistically, suffer an exploited vulnerability in one year out of three.
Why it matters
Three anchors force regular external review, and a fourth argument is purely practical. First, regulatory: revFADP / revDSG demands appropriate technical and organisational measures under Art. 8. "Appropriate" means state of the art, and in May 2026 state of the art for applications processing personal data is an annual pentest. Without that evidence, the duty of care is hard to demonstrate in a damage case.
Second, ISO 27001 and SOC 2: both standards require periodic pentests as a mandatory ISMS component. Anyone aiming for certification cannot avoid pentests. Cyber-damage insurance also increasingly requires pentests in May 2026 as a precondition – without proof the premium rises or the policy is denied.
Third, EU AI Act: anyone running an AI system with high risk (Art. 6, Annex III) must under Art. 15 demonstrate appropriate robustness, accuracy and cybersecurity. In May 2026 the EU AI Office published a concrete interpretation requiring annual red-team exercises for high-risk systems – including testing against the OWASP LLM Top 10.
Fourth, practical: a pentest typically uncovers 5 to 15 exploitable findings, of which 1 to 3 are critical. Anyone who knows them can patch them. Anyone who does not runs their application with the front door open. The damage on exploitation – data loss, extortion, reputation damage, regulatory sanctions – typically reaches five to six figures; the pentest sits at four to five. The maths is clear.
How a pentest and scan programme is built
An effective security review programme has three frequency layers.
Monthly automated scans: Trivy for container images in the CI/CD pipeline, OWASP ZAP or Nuclei against the web application, Nessus or OpenVAS against the network infrastructure. All three run automated via cron or GitHub Actions; the report goes into an issue tracking system. Effort per month: 1 to 4 hours triage.
Annual manual pentest: an external provider tests the application with a defined scope. The scope typically covers web app (all public endpoints plus authenticated areas), API (REST or GraphQL), authentication logic, RBAC separation, session management, file upload, data validation. Typical engagement length 5 to 15 person-days depending on application size. Price range May 2026: CHF 5000 for a small web app, CHF 15,000 to CHF 30,000 for a medium application with API, CHF 50,000+ for complex platforms.
On every major release: before every major version jump (new authentication, new data flows, new third-system integration) an additional pentest of the changed area. A classic mistake: the application is tested in March, in April a major release with new payment integration arrives – the security of the new integration was never reviewed.
OSS tools May 2026: nuclei (template-based, ProjectDiscovery, fast and good for CI/CD), Nikto (web-server scanner, old but effective), Burp Suite Community Edition (web-app testing, standard tool for manual testers), OWASP ZAP (free Burp alternative with good API), Trivy (container and code scanning), sqlmap (SQL injection tester), Metasploit Framework (exploit database and test platform).
LLM-specific – OWASP LLM Top 10 v2.0: as of May 2026 the second edition of the OWASP LLM Top 10 is finalised. Main risks: (1) Prompt Injection (injected instructions from user inputs or external sources), (2) Insecure Output Handling (model output embedded into shell, SQL, JS without check), (3) Training Data Poisoning (contaminated training or embedding data), (4) Model Denial of Service (long or recursive prompts), (5) Supply Chain Vulnerabilities (compromised model weights, bad tokenisers), (6) Sensitive Information Disclosure (model reveals training content), (7) Insecure Plugin Design, (8) Excessive Agency (model has too-wide tool rights), (9) Overreliance, (10) Model Theft. Every LLM application with customer contact should be tested systematically against these 10 categories.
Swiss providers: Compass Security in Bern and Rapperswil is the best-known pentest provider in May 2026 with OSCP/OSCE-certified testers. scip AG in Zurich is the second large name with long experience. Oneconsult in Thalwil and Bern is also established. Hacknowledge in Pully (Vaud) is the Romandie address. For SMEs with smaller budgets: ProtonMail-CTF veterans or freelancers via HackerOne. For sensitive mandates (law firms, fiduciary with bank clients) the premium for an established Swiss provider pays off due to confidentiality agreements and Swiss jurisdiction.
Pentest programme in 5 steps
- 01 Scope and threat model: which components go into the test (web, API, auth, RBAC, upload, LLM)? Which attacker types are simulated (anonymous, authenticated, insider)?
- 02 Choose provider: Compass Security, scip AG, Oneconsult for established Swiss addresses with OSCP/OSCE certification; HackerOne freelancers for smaller budgets. Write an NDA and a letter of authorisation.
- 03 Test execution: 5 to 15 person-days depending on scope. Regular status updates, immediate escalation on critical findings (data leak, privilege escalation).
- 04 Fix sprint: set deadlines per severity class. Critical within 7 days, high within 30 days, medium within 90 days, low in the next release cycle.
- 05 Re-test and documentation: after the fix sprint verify findings, file report and re-test in the duty-of-care record, schedule the next annual date, document OWASP Top 10 coverage.
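The monthly scans described earlier and the fix-sprint deadlines in step 04 meet in one routine task: turning raw scanner output into a short, deduplicated ticket list with a due date per severity. The script below is an added illustration of that triage, not code from this article or from any scanner vendor. The Trivy JSON and nuclei JSONL snippets are constructed samples trimmed to the fields triage needs, the CVE identifiers in them are placeholders, and the suppression list stands in for findings a human has already classified as false positives.

```python
"""Triage of automated scan output: normalise Trivy and nuclei findings,
drop duplicates, suppressed false positives and informational noise, and
attach a fix deadline per severity class. Hypothetical script, not code
from the article or from any scanner vendor."""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fix deadlines per severity class, in days (the article's fix-sprint rule).
# LOW gets no date: it goes into the next release cycle.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample: a Trivy JSON report trimmed to the fields triage needs.
# The CVE ids are placeholders, not real vulnerabilities.
TRIVY_REPORT = json.loads("""
{"Results": [
  {"Target": "app (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "LOW", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"}
  ]},
  {"Target": "Node.js", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "leftpad", "Severity": "HIGH", "FixedVersion": "2.0.0"}
  ]}
]}
""")

# Constructed sample: nuclei JSONL output, one finding per line.
NUCLEI_JSONL = """\
{"template-id": "missing-hsts", "info": {"severity": "medium"}, "host": "https://app.example"}
{"template-id": "tech-detect", "info": {"severity": "info"}, "host": "https://app.example"}
{"template-id": "missing-hsts", "info": {"severity": "medium"}, "host": "https://app.example"}
"""


@dataclass(frozen=True)
class Finding:
    source: str     # which scanner produced it
    key: str        # stable id used for dedup and suppression
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW / INFO
    where: str      # scanned target or host
    fix: str        # remediation hint


def normalise_trivy(report: dict) -> list:
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding("trivy", f"{v['VulnerabilityID']}@{v['PkgName']}",
                               v["Severity"].upper(), result["Target"],
                               v.get("FixedVersion") or "no fix released yet"))
    return out


def normalise_nuclei(jsonl: str) -> list:
    out = []
    for line in jsonl.splitlines():
        if line.strip():
            f = json.loads(line)
            out.append(Finding("nuclei", f["template-id"], f["info"]["severity"].upper(),
                               f["host"], "see template remediation"))
    return out


def sla_deadline(severity: str, found_on: date) -> Optional[date]:
    days = SLA_DAYS.get(severity)
    return found_on + timedelta(days=days) if days is not None else None


def triage(findings, suppressed: set, found_on: date):
    """Return (tickets, dropped): unique actionable findings with their deadline,
    ordered by severity, plus the number of entries dropped as duplicates,
    suppressed false positives or informational noise."""
    seen, tickets, dropped = set(), [], 0
    for f in findings:
        if f.key in seen or f.key in suppressed or f.severity not in SEVERITY_ORDER:
            dropped += 1
            continue
        seen.add(f.key)
        tickets.append((f, sla_deadline(f.severity, found_on)))
    tickets.sort(key=lambda t: SEVERITY_ORDER[t[0].severity])
    return tickets, dropped


def run_sample(found_on: date = date(2026, 5, 1)):
    """Triage the constructed reports; the suppression list holds one finding
    a human already classified as a false positive for this image."""
    findings = normalise_trivy(TRIVY_REPORT) + normalise_nuclei(NUCLEI_JSONL)
    return triage(findings, suppressed={"CVE-0000-0002@libother"}, found_on=found_on)


if __name__ == "__main__":
    tickets, dropped = run_sample()
    for f, due in tickets:
        print(f"{f.severity:8} {f.source:6} {f.key:26} {f.where:18} "
              f"due={due or 'next release'} fix={f.fix}")
    print(f"{dropped} entries dropped (duplicate, suppressed or informational)")
```

Seven raw entries collapse to three tickets here; on a real image the ratio is usually far worse, which is why the suppression list and the severity cut-off are what make a monthly scan survivable. Keep the suppression list in version control next to the pipeline, with a reason per entry, so the "accepted risk" decisions are part of the duty-of-care record rather than someone's memory.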
When which review is appropriate
Three trigger categories for a full annual pentest: first regulatory-forced – ISO 27001, SOC 2, PCI-DSS, EU AI Act for high-risk. Second business-critical – an application whose outage or data breach causes six-figure damage. Third externally demanded – insurer or large client requires evidence.
For all other web applications processing personal data, at least an annual scan plus bug bounty is appropriate. For a 5-person fiduciary with its own client app: one-time initial pentest at go-live (CHF 8000 to CHF 15,000), then automated monthly scans and a shortened re-test every 2 to 3 years.
LLM applications in May 2026 additionally need a specific LLM pentest. A classic web-app pentest does not cover LLM risks – it tests HTTP endpoints, not prompt injection or model theft. As of May 2026, providers like Compass Security and scip AG offer their first LLM pentest packages, typically CHF 8000 to CHF 20,000 for a RAG-based application with OpenAI or Anthropic backend.
For small hobby or learning projects without client data a one-time ZAP scan and an OWASP cheat-sheet review is enough. The effort of a full pentest is not justified here – but as soon as real customer data is processed, the fiduciary standard applies.
Where reviews become theatre
First: pentest without fix budget. Anyone commissioning a test without planning resources to remediate findings has wasted the money. A pentest report with 15 unclosed findings sitting on the desk for 6 months is even harmful in a damage case: you knew about the gaps and did nothing, which sharpens liability.
Second: scan without triage. An automated scanner easily produces 200 to 500 findings, 80 percent of them false positives or low severity. Anyone selling that unfiltered as "we have security" runs compliance theatre. Triage must be done by a person with web-app security knowledge separating real risks from noise.
Third: pentest with too narrow scope. A test that only checks "the login page" says nothing about RBAC separation, API security or file upload. The scope must cover the whole attack surface; anyone testing only "the main page" buys a label.
Fourth: repeat tests with the same firm without provider rotation. Testers have blind spots – what they did not find the first time they will not find the third time. Switching provider every 3 to 4 years uncovers different classes of findings.
Fifth: bug bounty without triage capacity. Anyone opening a bug bounty programme without the capability to sift reports daily gets a mountain of spam and delayed answers; that hurts your reputation in the security community, where word spreads quickly.
Trade-offs
STRENGTHS
- Duty-of-care record under Art. 8 revFADP documented
- Insurability for cyber damages rises substantially
- EU AI Act Art. 15 requirement on cybersecurity satisfied
- Per engagement typically 5 to 15 exploitable findings, of which 1 to 3 critical – direct business benefit
- Bug bounty adds continuous external security research between annual tests, the May-2026 standard
WEAKNESSES
- One-time cost CHF 5000 to CHF 30,000 plus fix effort
- Without fix budget counter-productive – unclosed findings sharpen liability
- Provider rotation every 3 to 4 years needed to avoid blind spots
- LLM-specific testing needs specialised testers, market in May 2026 still limited
FAQ
How often must I have a pentest?
At least once yearly plus on every major release with changes to authentication, data flows, or third-system integration. Anyone iterating faster (web app in CI/CD mode with weekly releases) combines annual pentest with continuous bug bounty. High-risk AI systems under EU AI Act need annual red-team exercises.
What does a pentest cost for a fiduciary web app?
May 2026 prices at Swiss providers: CHF 5000 to CHF 10,000 for a small web app without API (3 to 5 person-days), CHF 12,000 to CHF 25,000 for an application with API and RBAC (7 to 12 person-days), CHF 30,000+ for complex platforms with several modules. Including re-test after fix sprint. With HackerOne freelancers 30 to 50 percent cheaper, but more own work on triage.
What are the most important LLM risks from the OWASP Top 10?
Three are clearly at the top. Prompt injection remains number 1: external content (e-mails, web pages, documents) can inject instructions the model adopts. Insecure output handling at number 2: model output is embedded unfiltered into shell commands, SQL queries or HTML, leading to RCE. Excessive agency at number 8: models with tool access can be made to trigger external actions via prompt injection (sending mails, database updates). Every LLM pentest covers these three.
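The two failure modes named here and in the OWASP LLM Top 10 list above (insecure output handling, excessive agency) are easiest to see in code. The following is an added example, not code from this article, from OWASP or from any provider: a vulnerable lookup that interpolates model text into SQL, next to a dispatcher that treats model output strictly as data, accepts only an allow-listed tool with validated arguments, uses parameterised queries, and scopes every action to the calling user's own records. The in-memory table, tool names, argument patterns and the injected model output are all constructed for the demonstration.

```python
"""Insecure output handling (OWASP LLM Top 10 #2) next to a validated tool
dispatcher that also limits excessive agency (#8). Hypothetical example,
not the article's or any vendor's code."""
import json
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a fiduciary's client app.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                     [(1, "Alpha AG", "alice"), (2, "Beta GmbH", "bob"), (3, "Gamma SA", "alice")])
    return conn


# --- vulnerable pattern: the model's text goes straight into the query ---
def unsafe_lookup(conn, model_output: str) -> list:
    # The model was asked to extract a client name from a document; whatever
    # it returns is interpolated, so injected instructions reach the database.
    return conn.execute(f"SELECT id, name FROM clients WHERE name = '{model_output}'").fetchall()


# --- hardened pattern: model output is data, never code ---
# The only tools the model may request, each with an argument pattern and a
# flag saying whether it writes. Anything else is refused.
TOOL_SCHEMA = {
    "lookup_client": {"args": {"name": r"[\w .&-]{1,64}"}, "write": False},
    "update_client": {"args": {"id": r"\d{1,9}", "name": r"[\w .&-]{1,64}"}, "write": True},
}


class ToolRefused(Exception):
    pass


def parse_tool_call(model_output: str) -> dict:
    """Accept only one JSON object naming a known tool with well-formed args."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as e:
        raise ToolRefused(f"not JSON: {e}")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ToolRefused("unexpected shape")
    spec = TOOL_SCHEMA.get(call["tool"])
    if spec is None:
        raise ToolRefused(f"unknown tool {call['tool']!r}")
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise ToolRefused("argument set mismatch")
    for key, pattern in spec["args"].items():
        if not isinstance(args[key], str) or not re.fullmatch(pattern, args[key]):
            raise ToolRefused(f"argument {key!r} failed validation")
    return call


def safe_dispatch(conn, model_output: str, user: str, allow_writes: bool) -> list:
    """Validate the requested tool call, then run it with parameterised SQL
    scoped to the calling user's own records."""
    call = parse_tool_call(model_output)
    spec = TOOL_SCHEMA[call["tool"]]
    if spec["write"] and not allow_writes:
        raise ToolRefused("write tools are disabled for this session")
    a = call["args"]
    if call["tool"] == "lookup_client":
        return conn.execute("SELECT id, name FROM clients WHERE name = ? AND owner = ?",
                            (a["name"], user)).fetchall()
    cur = conn.execute("UPDATE clients SET name = ? WHERE id = ? AND owner = ?",
                       (a["name"], int(a["id"]), user))
    conn.commit()
    return [("updated", cur.rowcount)]


def refused(conn, model_output: str, user: str, allow_writes: bool) -> bool:
    """True if the dispatcher rejects this model output."""
    try:
        safe_dispatch(conn, model_output, user, allow_writes)
        return False
    except ToolRefused:
        return True


if __name__ == "__main__":
    conn = make_db()
    # Constructed model output after a prompt injection in a processed document.
    injected = "x' OR 1=1 --"
    print("unsafe:", unsafe_lookup(conn, injected))  # every client, not one
    print("refused:", refused(conn, injected, "alice", False))
    print("safe:", safe_dispatch(conn, '{"tool": "lookup_client", "args": {"name": "Alpha AG"}}',
                                 "alice", False))
```

The point a tester checks is not whether the prompt can be injected (assume it can) but whether an injected instruction can reach anything with side effects. With the dispatcher above, a successful injection can at most request one of two tools, with arguments that match a pattern, against rows the current user already owns; the same injection against the unsafe lookup returns the whole table.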
Is an automated scan enough or do I need a manual test?
Both. Automated scans find known vulnerabilities (outdated libraries, missing headers, default passwords) and make sense at weekly frequency. Manual pentests find business-logic flaws (RBAC bypass, IDOR, workflow manipulation) and are mandatory at annual frequency. Anyone only scanning has 70 percent coverage; anyone only pentesting overpays for findings a scanner would deliver for free. The combination is the standard approach.
Sources
- OWASP Top 10 for Large Language Model Applications v2.0 · 2026-04
- OWASP Web Security Testing Guide v4.2 · 2026-03
- NIST SP 800-115 – Technical Guide to Information Security Testing and Assessment · 2026-02
- ENISA – Threat Landscape 2026 · 2026-04
- Verizon Data Breach Investigations Report 2026 · 2026-04
- Compass Security – Penetration Testing service overview · 2026-05
- scip AG – Security Testing reference · 2026-05