Home/Glossary/Penetration Testing

Penetration Testing

Authorized simulated cyberattacks against systems to identify security vulnerabilities before malicious actors exploit them.

Security TestingAlso called: "pentesting", "ethical hacking"

Penetration testing (pentesting) validates security controls through ethical hacking.

Types of pentests

  • Black box: No prior knowledge (simulates external attacker).
  • White box: Full knowledge of systems (comprehensive testing).
  • Gray box: Partial knowledge (simulates insider threat).

Testing phases

  1. Reconnaissance: Gather information about targets.
  2. Scanning: Identify open ports, services, vulnerabilities.
  3. Exploitation: Attempt to gain access.
  4. Post-exploitation: Determine impact, lateral movement.
  5. Reporting: Document findings and remediation.

Common targets

  • Web applications (OWASP Top 10).
  • Network infrastructure.
  • Wireless networks.
  • Physical security.
  • Social engineering.

Deliverables

  • Executive summary.
  • Technical findings with CVSS scores.
  • Proof-of-concept exploits.
  • Remediation recommendations.

Related Tools

Related Articles

View all articles
Database Inference & Aggregation Attacks: The Complete Defense Guide

Database Inference & Aggregation Attacks: The Complete Defense Guide

Learn how inference and aggregation attacks exploit aggregate queries and combined data to reveal protected information, and discover proven countermeasures including differential privacy, polyinstantiation, and query restriction controls.

Read article →
Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

A comprehensive guide to physical security covering CPTED principles, security zones, access control, fire suppression, and environmental controls for protecting facilities and data centers.

Read article →
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud penetration testing requires different approaches than traditional network testing. Learn cloud provider policies, testing methodologies, and common findings across AWS, Azure, and GCP environments.

Read article →
Back to glossary