Key Terms

  • Penetration Test: A structured, authorised simulation of a cyberattack designed to evaluate the strength of an organisation's security defences.
  • Scope: The defined boundaries of a pen test — which systems, networks, and attack methods are included and explicitly excluded.
  • Black / White / Grey Box: Three testing approaches defined by how much information the tester is given about the target before the engagement begins.
  • Rules of Engagement: The legal and operational agreement defining what the penetration tester is and isn't permitted to do during an engagement.

What exactly is a penetration test?

A penetration test — commonly shortened to "pen test" — is an authorised, structured simulation of a real-world cyberattack. A qualified security professional (or team) is given permission to attempt to break into an organisation's systems, networks, or applications using the same tools and techniques a malicious attacker would use. The goal is to find and prove exploitable weaknesses before a real adversary does.

The critical word is prove. A penetration test is not a scanner report. Automated vulnerability scanners produce lists of theoretical weaknesses based on known CVE databases — they flag a door that might be unlockable. A pen test goes further: a human expert actively tries to unlock that door, walk through it, and demonstrate exactly what an attacker could access and steal if they succeeded. The output is a detailed report with findings, CVSS severity scores, full evidence, and concrete remediation guidance.

Scope is fundamental to every engagement. Before a single scan runs, the organisation and tester agree in writing on exactly which systems, IP ranges, applications, and attack methods are in bounds. Going out-of-scope — testing systems not listed in the agreement — is a serious contractual and legal breach, even with good intentions. A well-defined scope protects both parties and ensures the test remains focused on the highest-risk areas.

Black box, white box, and grey box

The three testing models reflect how much prior knowledge the tester is given. Each has legitimate use cases, and the right choice depends on what the organisation wants to learn.

  • Black box: The tester is given zero information about the target — no credentials, no architecture diagrams, no internal documentation. This most accurately simulates an external attacker who has no insider knowledge. It's the most realistic model, but also the slowest: testers spend significant time doing reconnaissance that internal staff have already done. Best used for testing external-facing defences as a real attacker would see them.
  • White box: The tester is given full access — credentials, source code, network diagrams, architecture documentation, and system configurations. This is the most thorough model because the tester can review every layer of the stack for weaknesses rather than guessing at architecture from the outside. It simulates an insider threat or a scenario where an attacker has already obtained significant internal access. It finds deeper, more complex flaws that a black-box test would miss in the available timeframe.
  • Grey box: The tester is given partial information — perhaps a standard user account, a high-level network diagram, or knowledge of which technology stack is in use. This is the most common model for real-world engagements. It strikes a practical balance: it's realistic enough to simulate an attacker with some foothold (a compromised employee account, leaked credentials) while giving enough context to find architectural flaws efficiently.
Which model should you choose?

For most organisations, grey box testing provides the best balance — realistic threat simulation with enough context to find deep architectural flaws that a pure black-box test would miss in the allotted timeframe. Reserve full black-box tests for mature security programmes where you specifically want to benchmark your external detection and response capabilities.

What happens during a pen test?

Every professional engagement follows a structured sequence. The phases mirror the real attack lifecycle — which is exactly what makes pen testing effective as a defensive tool.

  1. Kickoff & Scoping

     The tester and client agree on the rules of engagement: which systems are in scope, what attack methods are permitted, the engagement timeframe, and emergency escalation contacts if something goes wrong. A signed Statement of Work is mandatory before any testing begins.

  2. Reconnaissance

     Intelligence gathering on the target — DNS records, IP ranges, employee names and roles via LinkedIn, technology stack fingerprinting, public code repositories, and job postings. Passive OSINT alone routinely reveals surprising amounts of exploitable information without touching a single target system.

  3. Vulnerability Discovery

     Using tools like Nmap, Nessus, and Burp Suite to scan and enumerate the attack surface — open ports, running services, software versions, and known CVEs. The goal is a complete map of potential entry points before committing to any exploitation attempt.

  4. Exploitation

     Actively attempting to leverage discovered vulnerabilities to gain unauthorised access. Tools like Metasploit are used to confirm whether a vulnerability is truly exploitable — not just theoretical. Every action is timestamped and logged as evidence. This is where vulnerabilities are proven, not assumed.

  5. Post-Exploitation

     After gaining initial access, the tester explores what a real attacker could do next: lateral movement across the network, privilege escalation to administrative accounts, and access to sensitive data stores. This phase answers the critical question: "If they got in here, how far could they go?"

  6. Reporting

     The deliverable that actually protects the organisation. Every finding is documented with CVSS severity scores, full proof-of-concept evidence, business impact analysis, and step-by-step remediation guidance. A well-written pen test report is a prioritised remediation roadmap, not just a vulnerability list.
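The scoping paragraph above and the Kickoff and Exploitation phases make two operational points: nothing outside the written scope may be touched, and every action must be logged with a timestamp. The following is an added example (not code from the original page or from VAPTIC) of a pre-flight scope gate that enforces both before a target list is handed to any scanner. The ranges, hostnames and the `RULES_OF_ENGAGEMENT` structure are constructed for illustration; real engagements load them from the signed Statement of Work.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed example Rules of Engagement (documentation/private ranges, not a real client).
RULES_OF_ENGAGEMENT = {
    "in_scope_cidrs": ["198.51.100.0/24", "10.20.0.0/16"],
    "excluded_cidrs": ["10.20.99.0/24"],  # carve-out, e.g. a production database segment
    "in_scope_hosts": {"app.example.test", "api.example.test"},
    "excluded_hosts": {"mail.example.test"},
}


def in_scope(target: str, roe: dict = RULES_OF_ENGAGEMENT) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions are checked before inclusions, so a
    carve-out inside an in-scope range can never be re-included by accident."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: hostnames must be listed verbatim, no wildcards.
        name = target.lower().rstrip(".")
        if name in roe["excluded_hosts"]:
            return False, f"{name} is explicitly excluded"
        if name in roe["in_scope_hosts"]:
            return True, f"{name} is a listed in-scope host"
        return False, f"{name} is not in the Statement of Work"
    for cidr in roe["excluded_cidrs"]:
        if addr in ipaddress.ip_network(cidr):
            return False, f"{addr} is inside excluded range {cidr}"
    for cidr in roe["in_scope_cidrs"]:
        if addr in ipaddress.ip_network(cidr):
            return True, f"{addr} is inside in-scope range {cidr}"
    return False, f"{addr} is outside every in-scope range"


def gate_targets(targets: list[str], roe: dict = RULES_OF_ENGAGEMENT) -> tuple[list[str], list[str]]:
    """Split candidates into (allowed, log_lines); only `allowed` may be handed to a scanner.
    Each decision carries a UTC timestamp so the log doubles as engagement evidence."""
    allowed, log = [], []
    for t in targets:
        ok, reason = in_scope(t, roe)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        log.append(f"{stamp} {'ALLOW' if ok else 'BLOCK'} {t}: {reason}")
        if ok:
            allowed.append(t)
    return allowed, log


if __name__ == "__main__":
    cleared, log = gate_targets(["198.51.100.7", "10.20.99.5", "shop.example.test"])
    print("\n".join(log) + f"\nCleared for scanning: {cleared}")
```

The excluded 10.20.99.0/24 block sits inside the in-scope 10.20.0.0/16, which is why exclusions are evaluated first; the BLOCK lines in the log are what a tester shows the client if a scope question is raised afterwards.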

Types of penetration tests

Pen testing is not a single, monolithic service. The type of test is chosen based on the threat model and the organisation's specific concerns:

  • Network penetration test: The most common type. Tests external and internal network infrastructure for exploitable misconfigurations, unpatched services, and insecure protocols. Typically the starting point for organisations new to pen testing.
  • Web application pen test: Focused on web applications and APIs. Tests for OWASP Top 10 vulnerabilities — SQL injection, cross-site scripting, broken authentication, insecure direct object references, and others. Essential for any organisation with customer-facing web applications.
  • Social engineering / phishing simulation: Tests human defences rather than technical ones. A controlled phishing campaign is sent to employees to measure click and credential-submission rates. Often reveals far more risk than technical scans alone.
  • Physical penetration test: Testers attempt to gain physical access to restricted facilities — server rooms, network closets, offices. Tests whether physical security controls (badge readers, tailgating controls, receptionist vigilance) actually work.
  • Wireless pen test: Assesses Wi-Fi security — rogue access points, weak encryption (WEP/WPA), client isolation failures, and evil twin attacks. Particularly relevant for organisations with guest networks or BYOD policies.
  • Red team exercise: The most comprehensive (and most expensive) form. A dedicated team uses any means available — technical, social, and physical — over an extended period, simulating a sophisticated targeted attack. The blue team defends without advance notice. Measures real-world detection and response capability rather than just finding vulnerabilities.

Why organisations need regular pen tests

Pen testing is no longer a nice-to-have for security-conscious organisations — it is increasingly a compliance requirement. PCI-DSS mandates annual pen tests for any business handling payment card data. ISO 27001 recommends them as a core element of an information security management system. Under GDPR, demonstrating active testing of security controls is considered best practice and can be a decisive factor in whether a regulator judges a breach as preventable.

  • 83% of breaches had a known unpatched vulnerability at the entry point
  • $4.45M: average cost of a data breach in 2024 (IBM Cost of a Data Breach Report)
  • $150–500/hr: typical day rate for a qualified penetration tester

Beyond compliance, there is the patch window problem. New vulnerabilities are published in the National Vulnerability Database at a rate that consistently outpaces the ability of most security teams to patch. The average time from CVE publication to mass exploitation in the wild is now under 18 days — but most organisations' patch cycles run on monthly or quarterly schedules. Regular pen testing, combined with vulnerability management, identifies which unpatched vulnerabilities are actually exploitable in the organisation's specific environment, allowing security teams to prioritise rationally rather than reactively.

Pen testing as a career

Penetration testing is one of the most in-demand and well-paid specialisations in cybersecurity. Organisations across every sector need skilled testers, and the talent pool is genuinely thin — the combination of broad technical knowledge (networking, web applications, operating systems, scripting) and the creative, adversarial thinking required to actually find exploitable weaknesses takes time to develop.

The CEH v13 certification from EC-Council provides the structured methodology that forms the foundation of professional pen testing practice. It covers the complete lifecycle across 20 modules — from reconnaissance and scanning through exploitation, post-exploitation, and reporting — with hands-on lab components that build practical skill rather than just theoretical knowledge. Many of the most successful penetration testers began their careers as SOC analysts or systems administrators, bringing deep knowledge of how defenders think before learning how attackers think.

Train with VAPTIC
CEH v13 — Certified Ethical Hacker
20 modules · The complete pen testing lifecycle · Browser labs · EC-Council certified