
A question frequently arises in conversations with enterprise clients: “If the actions performed by penetration testing professionals technically resemble a cyberattack, how is this service considered legal?” This question points to one of the fundamental paradoxes of the cybersecurity industry.
Indeed, the tools, methods, and techniques used by a penetration tester and a cybercriminal are largely the same. Both search for system vulnerabilities, attempt to bypass security controls, and exploit weaknesses. Yet despite this technical similarity, there is one element that completely transforms the outcome: authorization.
In this article, we examine the legal distinction between authorized penetration testing and cybercrime from the perspective of Turkish criminal law, and explain why procuring professional security services is not merely a technical necessity but a legal imperative.
Technical Similarity, Legal Chasm
Consider a surgeon in an operating room and an assailant on the street. Both use sharp instruments, intervene in tissue, and create a physical impact. Yet one’s actions are recognized as medical intervention while the other’s constitute a crime. The difference is clear: consent and legitimate purpose.
The situation in cybersecurity is analogous. A penetration testing professional applies techniques such as SQL injection on authorized systems, identifies security vulnerabilities, and reports findings. A cybercriminal employs the same techniques. The critical point of distinction is this: one operates with the explicit written consent of the system owner, while the other gains access without authorization and in violation of the law.
Turkish Penal Code Article 243: The Legal Framework
Article 243 of the Turkish Penal Code explicitly defines unauthorized access to information systems as a crime: “Any person who unlawfully enters into all or part of an information system or who continues to remain there shall be sentenced to imprisonment for a term of up to one year or imposed a judicial fine.”
The decisive phrase in this provision is the concept of “unlawfully.” The law does not criminalize the act of system access itself, but rather whether that access is unauthorized. In other words, when the system owner’s consent and authorization exist, the same technical action ceases to be a crime and becomes a legitimate security audit.
The Distinction Through Real Cases
Two actual cases concretely illustrate this distinction. In 2022, a software developer in Istanbul accessed an e-commerce platform without authorization in order to report a security vulnerability he had found. Despite his stated good intentions, the company filed a complaint and he was prosecuted under Article 243 of the Turkish Penal Code. The court held the conduct to be criminal because no written authorization existed.
During the same period, a professional penetration testing firm tested a comparable e-commerce platform under contract. The same classes of vulnerability were found and similar techniques were used, but because signed service agreements and authorization documents existed, the access was lawful. The result: identical technical actions, entirely different legal consequences.
The Legal Function of Contracts
Service agreements and authorization documents executed in the context of penetration testing are not merely commercial formalities, as often assumed. These documents are fundamental elements that directly determine the legal legitimacy of the work.
Consent of the Interested Party (Grounds for Lawfulness)
Turkish criminal law recognizes "grounds for lawfulness" (Article 26 of the Penal Code): conditions under which an act that would normally constitute a crime becomes lawful. The consent of the interested party is one such ground. Consequently, the written consent of the system owner removes the access performed by penetration testers from the realm of unlawful conduct and makes it a lawful audit activity. Two practical conditions follow. The consent must be given by a party actually entitled to dispose of the system; an organization cannot consent on behalf of a hosting provider or SaaS vendor whose infrastructure it merely uses. And consent covers only what it describes: anything outside the stated scope, dates and conditions has not been consented to.
Definition of Scope and Establishment of Boundaries
The IP addresses, domains, applications, and network components specified in the contract define the area within which authorization is valid. Exceeding these boundaries creates serious legal risk for the service provider as well as the client. For instance, accessing a third-party cloud service used by the client during testing could constitute unauthorized access from that provider's perspective, because the client cannot consent on the provider's behalf. Professional practice therefore identifies such systems in advance and excludes them explicitly from scope.
Liability and Accountability
An institutional service agreement ensures that all operations are documented, that the responsibilities of the parties are clearly defined, and that there is a clear counterparty in potential legal proceedings. This assurance is not possible with individual, informal arrangements.
Scope Discipline: The True Measure of Professionalism
For a cybercriminal, there are no boundaries. Every accessible point is exploited, lateral movement between systems is attempted, and data collection proceeds without control. The approach of a professional penetration testing firm is the exact opposite: remaining strictly within defined boundaries.
Why is scope so critical? Modern organizations make intensive use of cloud services, SaaS applications, and partner infrastructure. Ownership of these systems often does not belong to the organization. Testing that exceeds scope can inadvertently constitute unauthorized access to another entity’s information systems. This situation carries critical importance both in terms of third-party obligations and the preservation of legal legitimacy.
Violating established boundaries can remove the lawful foundation of the entire engagement, creating exposure to both criminal liability and claims for damages. The contract also fixes in advance which systems will be tested, during which hours work will be conducted, and how critical infrastructure will be protected. This makes the test more effective while preserving business continuity.
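The scope definition and the testing window described above are easy to state in a contract and easy to violate in the middle of an engagement. As an added example, not code from the article or from any firm it describes, the following Python scope gate encodes a constructed authorization record (the client name, CIDR blocks, domains, exclusions, window and dates are all assumptions) and refuses any target that the written authorization does not cover. It is meant to sit in front of whatever scanner or tooling the tester runs, so that the default answer is "refuse" and every decision carries a reason that can be kept with the engagement log.

```python
"""
Added example (not from the article): a pre-engagement scope gate that answers
"does the signed authorization cover this target, right now?" before any
packet is sent. All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Authorization:
    """What the signed authorization letter actually grants (constructed)."""
    client: str
    in_scope_networks: tuple      # CIDR blocks listed in the contract
    in_scope_domains: tuple       # apex domains; their subdomains inherit scope
    excluded_hosts: frozenset     # explicit carve-outs, e.g. third-party SaaS
    window_start: time            # agreed daily testing window (may cross midnight)
    window_end: time
    valid_from: datetime          # engagement dates on the contract
    valid_until: datetime


# Constructed sample authorization; every value is an assumption for the
# example, not data from a real engagement. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges and never route on the Internet.
AUTH = Authorization(
    client="Example Ticaret A.S.",
    in_scope_networks=("203.0.113.0/24", "198.51.100.0/25"),
    in_scope_domains=("example.com.tr",),
    excluded_hosts=frozenset({"mail.example.com.tr", "helpdesk.example.com.tr"}),
    window_start=time(22, 0),
    window_end=time(6, 0),
    valid_from=datetime(2024, 3, 11, 0, 0),
    valid_until=datetime(2024, 3, 15, 23, 59),
)


def _norm(host: str) -> str:
    return host.strip().lower().rstrip(".")


def _in_window(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end]; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def _under_domain(host: str, domains) -> bool:
    # Match the apex itself or a real (dot-separated) subdomain, never a
    # lookalike such as notexample.com.tr.
    return any(host == d or host.endswith("." + d) for d in domains)


def check_target(auth: Authorization, target: str, now: datetime):
    """Return (allowed, reason). Refuse anything the authorization does not cover."""
    if not (auth.valid_from <= now <= auth.valid_until):
        return False, "authorization not in effect on this date"
    if not _in_window(now.time(), auth.window_start, auth.window_end):
        return False, "outside the agreed testing window"

    host = _norm(target)
    if host in auth.excluded_hosts:
        return False, "explicitly excluded from scope"

    try:
        addr = ip_address(host)
    except ValueError:
        addr = None  # not an IP literal; treat as a host name

    if addr is not None:
        if any(addr in ip_network(n) for n in auth.in_scope_networks):
            return True, "address inside an authorized network"
        return False, "address outside every authorized network"

    if _under_domain(host, auth.in_scope_domains):
        # A name under an authorized domain may still resolve to a third
        # party's infrastructure (CDN, SaaS). Confirm ownership before relying
        # on this, or list such names in excluded_hosts.
        return True, "name under an authorized domain"
    return False, "name not under any authorized domain"


def check_target_at(auth: Authorization, target: str, when_iso: str):
    """Same check, with the moment given as an ISO 8601 string."""
    return check_target(auth, target, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for t in ("203.0.113.44", "192.0.2.10", "www.example.com.tr",
              "mail.example.com.tr", "notexample.com.tr"):
        ok, why = check_target_at(AUTH, t, "2024-03-12T23:30")
        print(f"{'ALLOW' if ok else 'REFUSE':6} {t:24} {why}")
```

A team would replace the constructed AUTH with the values from the real contract and call the gate from their scanner wrappers. The design choices that matter are that the default outcome is refusal, that exclusions are checked before any allow rule, that a daily window crossing midnight is handled, and that a lookalike domain does not pass the suffix check.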
The True Cost of Undocumented Services
Procuring penetration testing services from non-institutional sources due to cost or speed concerns often leads to unforeseen consequences. A real case from Ankara in 2023 concretely demonstrates this situation.
A mid-sized software company worked informally with an acquaintance described as a “cybersecurity enthusiast” due to budget constraints. The individual tested the system, delivered a report, and the process was completed. Three months later, the company’s customer database appeared for sale on the dark web. The individual could not be reached. Because no contract, NDA, or legal documentation existed, liability could not be established.
The consequences were severe: an administrative fine of 500,000 TL under the Personal Data Protection Law (KVKK), compensation obligations arising from customer lawsuits, serious reputational damage, and customer attrition. Company operations came to a near standstill. The total cost reached approximately 2.5 million TL. What had been viewed as a cost saving brought the company to the brink of collapse.
Assurances Provided by Professional Services
Working with an institutional penetration testing firm does not merely mean receiving a technical report; it also provides legal and operational assurance. All testing steps are documented and traceable; a service agreement, an NDA and the backing of a corporate entity are in place; and reporting is aligned with standards and regulations such as ISO 27001, PCI DSS, and KVKK. These deliverables have evidentiary value in audits, insurance claims, and legal proceedings. Continuity, references, and professional accountability are likewise integral to institutional service.
Conclusion: Security Is as Much a Legal Matter as a Technical One
Conducting penetration testing is not solely about finding vulnerabilities in systems. It is simultaneously about managing institutional legal risks, ensuring regulatory compliance, being able to demonstrate due diligence in the event of a breach, and protecting reputation and business continuity.
Therefore, the real question should not be “Should we conduct penetration testing?” but rather “From whom and within what legal framework are we obtaining this service?” Two options may appear technically similar: one can expose you to serious legal risks, while the other provides protection against those risks. The difference often lies in a single signature. And that signature can determine your organization’s future.
References
- Turkish Penal Code (Law No. 5237), Article 243 – Entering into an Information System
- Turkish Penal Code (Law No. 5237), Article 26 – Exercise of a Right and Consent of the Interested Party
- Personal Data Protection Law (KVKK) – Law No. 6698
- ISO/IEC 27001:2013 – Information Security Management System
- ISO/IEC 27002 – Information Security Controls
- Payment Card Industry Data Security Standard (PCI DSS) v4.0
- NIST Special Publication 800-115 – Technical Guide to Information Security Testing and Assessment
- ENISA – Penetration Testing Guidelines
- OWASP Penetration Testing Guide
