Penetration Testing

Also known as: Pentest, Ethical hacking, Offensive security testing

Definition

An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.

Penetration testing ("pentesting") is a goal-driven security assessment in which qualified testers attempt to breach an organization's defenses using the same tools and techniques as real attackers. Engagements have a defined scope, rules of engagement, and authorization, and can target networks, web and mobile applications, cloud workloads, APIs, physical sites, or people via social engineering. Unlike automated scanning, pentests prove exploitability by chaining findings to demonstrate business impact such as data exfiltration or domain compromise. Results feed remediation, validate the effectiveness of existing controls, and support compliance with PCI DSS, HIPAA, ISO 27001, and similar frameworks.

Examples

  • An external network pentest that gains initial access via an exposed VPN appliance and pivots to domain admin.
  • A web application pentest that chains an IDOR with a stored XSS to take over administrator accounts.
