Vol. 1 · Ed. 2026
CyberGlossary
Entry № 912

Penetration Testing

Reviewed by a cybersecurity entrepreneur & security researcher

What is Penetration Testing?

Penetration Testing: An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.


Penetration testing ("pentesting") is a goal-driven security assessment in which qualified testers attempt to breach an organization's defenses using the same tools and techniques as real attackers. Engagements have a defined scope, rules of engagement, and authorization, and can target networks, web and mobile applications, cloud workloads, APIs, physical sites, or people via social engineering. Unlike automated scanning, pentests prove exploitability by chaining findings to demonstrate business impact such as data exfiltration or domain compromise. Results feed remediation, validate the effectiveness of existing controls, and support compliance with PCI DSS, HIPAA, ISO 27001, and similar frameworks.

Examples

  1. An external network pentest that gains initial access via an exposed VPN appliance and pivots to domain admin.

  2. A web application pentest that chains an IDOR with a stored XSS to take over administrator accounts.

Frequently asked questions

What is Penetration Testing?

An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do. It belongs to the Defense & Operations category of cybersecurity.

What does Penetration Testing mean?

An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.

How does Penetration Testing relate to defence?

Penetration testing is not something to defend against; it is a way of validating defences. The controls it exercises combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Penetration Testing?

Common alternative names include: Pentest, Ethical hacking, Offensive security testing.
