Penetrationtesting, also referred to as “pen testing” or “pentesting,” is a process through which an experienced hacker or team of hackers attempts to exploit the vulnerabilities of an organization’s networks, applications, endpoints (physical and digital), and human resources.
Pen tests are often confused with vulnerability scans, but a vulnerability scan is an automated scan of a company’s networks or applications, and doesn’t simulate all the ways a real-world attacker may try to exploit a target. While automated scans might be one component of a penetration test, the human aspect is a critical component which sets pen tests apart from automated scans.
The goal of a penetration test is to determine an organization’s security weaknesses so that the organization can then remediate problems before a real-world attacker exploits them. Pen tests are often conducted unbeknownst to internal security and operations teams so that testers can assess defenders’ actions and reactions, which are important aspects of combating threats.
Prior to beginning a penetration test, the testers should meet with key stakeholders to understand the organization’s goals and desired outcomes. Because it is impossible to “test everything” during one test, parameters should be agreed upon by all stakeholders ahead of time.
Penetration testers should supply a detailed report at the end of the test which also provides remediation suggestions rather than simply pointing out the vulnerabilities and/or weaknesses.
Get the DeMISTIfying InfoSec newsletter every Tuesday!