Glossary · Security testing

What is Penetration Testing?

Also known as: Pen Testing, Pentest, Ethical Hacking

Penetration testing is an authorized, simulated attack carried out by skilled humans to find and exploit vulnerabilities in a system. It is point-in-time and creativity-driven, going beyond scanning to prove what an attacker could actually achieve. Many frameworks, including PCI DSS and SOC 2, expect periodic penetration testing.

Key takeaways

  • Penetration testing is an authorized human-led simulated attack that finds and exploits real vulnerabilities.
  • It is point-in-time and depends on tester creativity, so it surfaces issues automated tools miss.
  • Frameworks like PCI DSS and SOC 2 expect periodic penetration testing as evidence.
  • It complements continuous methods like BAS, which validate coverage between tests.

What is penetration testing?

Penetration testing is a controlled, authorized attempt to break into a system the way a real adversary would. A tester does not stop at identifying a weakness; they attempt to exploit it, chaining issues together to demonstrate concrete impact, such as reaching sensitive data or gaining administrative control.

The defining trait is human creativity. Automated tools find known patterns, but a skilled tester reasons about business logic, unusual configurations, and novel combinations of small flaws that scanners cannot connect. This is why pen testing remains the gold standard for proving real exploitability.

How a penetration test is conducted

Most engagements follow recognizable stages: scoping and rules of engagement, reconnaissance, vulnerability identification, exploitation, post-exploitation, and reporting. Scope is defined up front and authorization is explicit, which is what separates a pen test from a real attack.

During post-exploitation, testers often demonstrate privilege escalation and lateral movement, building a realistic attack path to show true blast radius rather than an isolated finding.

  • Scoping and explicit authorization (rules of engagement)
  • Reconnaissance and vulnerability identification
  • Exploitation and post-exploitation (escalation, pivoting)
  • Reporting with reproducible findings and remediation advice

Penetration testing for compliance, and how it pairs with BAS

Penetration testing is a recurring compliance expectation. PCI DSS requires periodic testing of in-scope environments, and SOC 2 programs commonly include it as evidence that security controls withstand realistic attacks.

Because a pen test is a snapshot, coverage can drift the day after the report is signed. Continuous breach and attack simulation fills that gap between engagements, repeatedly validating that controls still detect and block known techniques.

Frequently asked questions

How often should an organization run a penetration test?
Many frameworks expect testing at least annually and after significant changes to in-scope systems. PCI DSS specifically calls for periodic testing, and the cadence should reflect how often the environment changes.
What is the difference between a pen test and a vulnerability scan?
A vulnerability scan automatically flags known weaknesses. A penetration test goes further: a human attempts to exploit and chain those weaknesses to prove real-world impact, finding logic flaws scanners cannot.
Can BAS replace penetration testing?
No. BAS provides continuous, automated validation of known techniques, but it does not replace the creativity of a human tester who finds novel, business-logic, or chained vulnerabilities. The two are complementary.

Authoritative sources

← Back to the glossary