A penetration test (commonly called a pentest) is a purposeful attack on an organization’s IT systems, network and computer systems that discovers information security weaknesses while attempting to gain authorized access to the enterprise’s resources and data. This process typically identifies the target systems with particular objectives—the testers review available information utilizing “rules of engagement” and undertake various means to attain established penetration goals.


A penetration test target may be a white box (system owner provides background and system information) or black box (system owner provides only basic or no information except the company name). A penetration test can help determine whether a system is vulnerable to internal or external attack, if the business defenses presented are sufficient, and which defenses (if any) the test defeated.  A comprehensive, formal report is always provided to management.


Penetration test reports assess potential impacts to the organization and suggest countermeasures to reduce risk. 


The goals of penetration tests are:

  • Determine feasibility of a particular set of attack vectors

  • Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence

  • Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software and platforms

  • Assess the magnitude of potential business and operational impacts of successful attacks

  • Test the ability of network defenders to detect and respond to attacks

  • Provide evidence to support increased investments in security personnel and technology


Penetration tests are commonly a component of a full security assessment/audit, but many organizations use the process as a health check on the security controls they have implemented or to meet regulatory/compliance requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing on a regular schedule, and after system changes.


In information security, what is the difference between a vulnerability assessment and a penetration test? A penetration test is a vulnerability assessment with the addition of exploitation attempts and manual investigation. A penetration test is not a subset of a vulnerability test; it is an addition to it and has the following benefits:


  1. Invokes Corrective Action and Counter-Measures

  2. Helps Organizations Understand Business Impact

  3. Identifies False Positives

  4. Measures Defensive Response


An exploitation may show an uncomfortable level of exposure but be perfectly harmless. Because it is uncomfortable and tangible, it helps organizations understand the impact and inspires prompt corrective action and prioritization of counter-measures. A penetration test provides further perspective on how the existence of lower-severity vulnerabilities can, in combination, result in a high-risk vulnerability. Penetration tests also help rule out false positives: reported vulnerabilities that are not truly vulnerabilities.


A properly conducted penetration test has the added benefit of measuring the defensive response of the organization. Is the organization able to detect the intrusion and, better yet, block it through a secondary defense?


A penetration test can also be defined as a “goal-oriented” attack, i.e., in this scenario the tester has a target such as a specific file to access or administrative privileges to gain within the network, system or enterprise. This type of pentest does not provide a comprehensive list of vulnerabilities; it only seeks to find and exploit one or a few specific vulnerabilities, dictated specifically by the client, in order to obtain the goal.