Penetration Testing

A penetration test (pentest) is an authorised and controlled simulation of a cyberattack, carried out by security experts to identify exploitable vulnerabilities before a real attacker finds them. A pentest provides a realistic picture of an organisation's actual security posture.

    What is a penetration test?

    A penetration test is a structured security review in which specialised security experts (penetration testers or "ethical hackers") attempt, with permission, to compromise an organisation's systems in the same ways a real attacker would. The goal is to find and document exploitable security weaknesses before they are exploited by criminals.

    Penetration testing differs from vulnerability scanning by including manual analysis, creative attack thinking and actual exploitation of vulnerabilities, rather than merely automated detection.

    Types of penetration test

    Penetration tests are classified by scope and the information given to the tester:

    • Black-box: The tester has no prior information about the system, simulating an external attack from an unknown attacker.
    • White-box: The tester has full information about systems, source code and infrastructure, providing the most thorough test.
    • Grey-box: Partial information is given, such as a standard user account or an architecture overview, simulating an attacker who has already gained a foothold or an insider with limited knowledge.

    Penetration tests can target: external networks, internal networks, web applications, APIs, mobile apps, physical security and social engineering.

    The testing process

    A typical penetration test follows five phases:

    • Reconnaissance: Information gathering about the target, including publicly available data, network ranges and technology stacks.
    • Scanning and enumeration: Mapping the attack surface by identifying open ports, services, versions and potential entry points.
    • Exploitation: Actively exploiting identified vulnerabilities to gain access or escalate privileges.
    • Post-exploitation: Assessing the consequences of successful exploitation, including lateral movement and data access.
    • Reporting: Documenting all findings with clear, prioritised recommendations for remediation.
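    The scanning and enumeration phase above is the one most easily shown in code. The following is an added example (not code from the original page): it starts three constructed mock services on 127.0.0.1 with hypothetical banners, then performs a TCP connect scan, grabs whatever each open port volunteers and fingerprints the service and software version from the banner. It also shows the caveat that services which wait for the client to speak first (HTTP, for instance) return no banner, so a single passive read is never the whole enumeration step. Everything here is illustrative; the product names and version strings are invented and identify no real software.

```python
"""Scanning and enumeration phase, run offline against constructed mock services."""
import re
import socket
import threading

# Constructed banners for the demo; the software names and versions are
# hypothetical and do not identify real products. None = a service that waits
# for the client to speak first (as HTTP does) and therefore shows no banner.
MOCK_SERVICES = [
    b"220 demo-ftp FTP server (demoftpd 1.2.3) ready\r\n",
    b"SSH-2.0-DemoSSH_9.9\r\n",
    None,
]

# Fingerprint rules for the two "speak first" protocols used above.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<software>\S+)")),
    ("ftp", re.compile(r"^220[ -].*?\((?P<software>[^)]+)\)")),
]


def start_mock_service(banner):
    """Listen on an ephemeral 127.0.0.1 port; send `banner` on connect,
    or wait for one client byte when banner is None. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if banner is None:
                        conn.recv(1)        # silent service: client must talk first
                    else:
                        conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def is_open(host, port, timeout=0.5):
    """TCP connect scan: a completed three-way handshake means the port is open."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service volunteers on connect. Services that wait for
    the client return an empty string, which is why a tester follows up with
    protocol-specific probes rather than trusting one passive read."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


def fingerprint(banner):
    """Map a banner to (service, software) using BANNER_PATTERNS."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            return service, m.group("software")
    return "unknown", ""


def enumerate_host(host, ports):
    """Scan each port; for the open ones record the banner plus fingerprint."""
    findings = {}
    for port in ports:
        if not is_open(host, port):
            continue
        banner = grab_banner(host, port)
        service, software = fingerprint(banner)
        findings[port] = {"banner": banner, "service": service, "software": software}
    return findings


def run_demo():
    """Start the mock services, scan them plus one closed port, return findings."""
    host = "127.0.0.1"
    ports = [start_mock_service(b) for b in MOCK_SERVICES]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        closed_port = tmp.getsockname()[1]  # freed on close, so it scans as closed
    return enumerate_host(host, ports + [closed_port])


if __name__ == "__main__":
    for port, info in sorted(run_demo().items()):
        print(f"{port}/tcp open  {info['service']:<8} {info['software']}")
```

    The output of run_demo() is what a vulnerability scanner would also produce: a list of open ports with guessed software versions. A penetration test starts where this ends, by attempting to use the identified services to gain access, which no banner match can prove on its own.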


    The report is the deliverable:
    A penetration test is only valuable if the findings are translated into concrete improvements. Ensure the report contains clear, prioritised recommendations with enough detail to reproduce each finding, and that remediation is tracked and verified, ideally by a retest of the fixed issues.

    When is penetration testing a requirement?

    Penetration testing is explicitly required or strongly recommended under several frameworks:

    • CIS Controls: Control 18 (Penetration Testing) in CIS Controls v8 requires a penetration testing programme with regular external tests and remediation of findings at Implementation Group 2, and adds internal tests and validation of security measures at IG3.
    • DORA: Financial entities identified by their competent authority must conduct threat-led penetration testing (TLPT) at least every three years; the DORA TLPT regime is aligned with the TIBER-EU framework.
    • PCI DSS: Requirement 11.4 (11.3 in version 3.2.1) mandates external and internal penetration testing at least annually and after significant changes for organisations handling payment card data.
    • NIS2: Indirectly required through the obligation to have policies and procedures for assessing the effectiveness of cybersecurity risk-management measures.
    • ISO 27001: Not explicitly required, but widely considered best practice and often part of implementing Annex A controls such as technical vulnerability management and security testing.

    Frequently Asked Questions about Penetration Testing

    What is a penetration test?

    A penetration test is an authorised simulation of a cyberattack carried out by security experts to identify exploitable vulnerabilities in an organisation's systems. It provides a realistic picture of the actual security posture.

    What is the difference between a penetration test and a vulnerability scan?

    A vulnerability scan is an automated process that identifies known vulnerabilities. A penetration test goes further by including manual analysis, creative attack techniques and actual exploitation to determine whether vulnerabilities can be used to gain access or cause harm.

    How often should penetration tests be conducted?

    Best practice is to conduct penetration tests at least annually and after significant changes to infrastructure or applications. Some regulatory frameworks specify minimum frequencies: PCI DSS requires testing at least annually and after significant changes, and DORA requires threat-led penetration testing at least every three years for the entities in scope.

    What are black-box, white-box and grey-box testing?

    Black-box testing gives the tester no prior information, simulating an external attacker. White-box testing gives full information, including source code and architecture, for the most thorough test. Grey-box testing provides partial information, such as a standard user account, simulating an insider with limited knowledge or an attacker who has already gained a foothold.

    Is penetration testing required under ISO 27001?

    ISO 27001 does not explicitly require penetration testing, but it is widely considered best practice and is often implemented as evidence for Annex A controls on technical vulnerability management (A.8.8 in ISO/IEC 27001:2022) and security testing in development and acceptance (A.8.29).
