Penetration Testing: What It Is

Penetration testing is an offensive security exercise conducted by an organization with the intent to uncover security weaknesses and ultimately help strengthen their defense mechanisms, threat detection capabilities and response times. Traditionally, penetration testing is performed by an independent third-party with little to no upfront knowledge of their target organization. This is done to imitate an adversary who is targeting the organization with nefarious intent.



Penetration testing can be performed against something as small as a single tenant application and as large as a global enterprise network. Several methodologies frameworks standards and tools exist which are often motivated by or designed to satisfy a particular compliance or regulatory committee such as PCI and HIPAA.

Penetration Testing: What It Is Not

It is common throughout the information security industry to hear the term penetration testing used to describe a vulnerability assessment. These two types of engagements are quite different and their names should not be used interchangeably to describe one another. Here are a few important distinctions to keep in mind.

Penetration Testing Vulnerability Assessment Manually executed tests Automated scanning tools Emphasizes stealth infiltration Produces significant network traffic Accuracy is critical False positives are frequent Documentation is specific to compromise-able weaknesses Documentation is lengthy and focuses on best practices Used to test hardened organizations Considered a prerequisite for penetration testing Assessors exercise caution and precision Untuned scanners often break things

Vulnerability Assessment: Overview

During a vulnerability assessment some type of automated scanning engine is leveraged to sweep large IP Address ranges and identify live systems as well as the software version for all network-accessible applications being broadcasted. The software versions are then compared to a database of known/published vulnerabilities and attack vectors. Findings are scored using an agreed upon standard and severity ratings are applied based on business risks that should hopefully be tailored to the individual organization requesting the assessment. This type of activity is very important but should not at all be considered penetration testing.

Penetration Testing: Overview

During a penetration testing engagement an individual or group of individuals act as if they were in fact an adversary trying to compromise the integrity of their target organization. Penetration testers will take every precaution available to remain stealthy and undetected while executing tactical and targeted attack patterns observed in real-world corporate breaches. Skilled Penetration testing engineers are often hard to distinguish from real-world hackers other than the fact that they first obtain written permission before engaging their targets.

Penetration Testing: Documentation

The results of a successful penetration testing engagement should not produce a lengthy report containing hundreds or thousands of IP addresses with missing security patches and hot fixes. Instead, the report should contain a detailed narrative of attack vectors and identified entry points which resulted directly in some degree of network or application compromise. Penetration Testing findings focus on the systemic underlining problem and therefore recommendations are often not as simple as checking a box or enabling a property. An organization that is serious about penetration testing should expect to find architectural flaws in their network design and be prepared to reengineer systems and processes that may have existed within their operational structure for a significant period of time.

Penetration Testing: Related Content

Below are some of Pentest Geek’s articles related to various penetration testing activities and are intended for educational purposes as well as further supplementation to aid in defining the term.



