What Penetration Testing Is — and Is Not
A penetration test (pen test) is an authorised simulated attack on an organisation's systems, networks, or applications. The goal is to identify vulnerabilities that are actually exploitable — not just theoretically present — and determine what business impact a real attacker could achieve. A pen tester thinks and acts like an attacker within defined boundaries, documenting every step so the organisation can understand and address the real risks they face.
The critical distinction from vulnerability scanning: vulnerability scanning identifies weaknesses; penetration testing exploits them. A scan might report 200 vulnerabilities across your systems. A pen tester determines which of those 200 can actually be exploited given your specific environment, which can be combined into attack chains, and what a real attacker could ultimately access — database contents, Active Directory credentials, financial records. This actionable, evidence-based risk assessment is why penetration testing is required by PCI-DSS, SOC 2, and other compliance frameworks.
What pen testing is not: it is not hacking without permission. Every penetration test requires explicit written authorisation. Performing an unauthorised pen test — even on your own systems — creates serious legal exposure under computer fraud and abuse laws. Even with a signed contract, pen testers must stay within the defined scope — testing systems that weren't in scope is a scope violation that can terminate the engagement and create liability.
The Five Phases of Penetration Testing
Black Box, White Box, and Grey Box Testing
| Type | Tester Knowledge | Simulates | Best For |
|---|---|---|---|
| Black Box | No prior information — same as an external attacker | External attacker with no inside knowledge | Testing external perimeter realism |
| White Box | Full information: network diagrams, source code, credentials, architecture | Insider threat or post-breach attacker | Thorough internal coverage, code review |
| Grey Box | Partial information — some credentials, network ranges, general architecture | Attacker with some inside knowledge (ex-employee, vendor) | Most realistic real-world scenario |
Black box testing is the most realistic simulation of an external attacker — the pen tester starts with only the organisation's name and discovers everything else through reconnaissance. It's the most time-consuming approach because significant time is spent on information gathering that internal teams already know. Black box tests are good for validating the external perimeter but may miss internal vulnerabilities due to time constraints.
White box testing provides the pen tester with complete information about the target — network diagrams, source code, infrastructure documentation, and sometimes credentials. This allows the most thorough assessment — the tester spends all their time finding and exploiting vulnerabilities rather than discovering the attack surface. White box is most common for code reviews, internal assessments, and compliance-driven testing where thorough coverage matters more than realism.
Grey box is the most common real-world approach — the pen tester has some prior knowledge (IP ranges, an unprivileged user account, high-level architecture) but not complete information. This balances realism with thoroughness. It simulates an attacker who has done some reconnaissance, has an initial foothold, or has obtained some insider information — statistically the most common initial position of real attackers.
Rules of Engagement — What Must Be Agreed Before Testing
Rules of engagement (ROE) define the scope, boundaries, and conditions of a penetration test. They must be documented in writing and signed by an authorised representative of the target organisation before any testing begins. Key elements:

- Scope — which IP ranges, applications, physical locations, and systems are in scope versus explicitly out of scope.
- Timing — when testing can occur (business hours only? 24/7? specific maintenance windows?).
- Authorised techniques — is social engineering allowed? Physical access attempts? Denial of service testing?
- Emergency contacts — who to call if testing causes unintended damage.
- Data handling — how will any sensitive data discovered during testing be handled and disposed of?
On the exam: "what must be obtained before beginning a penetration test?" The answer is written authorisation or rules of engagement. This is non-negotiable. A pen tester who begins testing without written authorisation — even at the verbal request of a manager — has no legal protection if something goes wrong.
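A pre-flight check that refuses to probe anything outside the signed scope or agreed timing window is one practical way to enforce the ROE elements above. This is an added example, not code from the original page; the CIDR ranges, excluded host and window hours are constructed sample values.

```python
# Added example (not from the original page): a pre-flight rules-of-engagement
# check that refuses any target outside the signed scope or testing window.
# All ranges, exclusions and timestamps below are constructed sample values.
import ipaddress
from datetime import datetime, time

# Agreed in the ROE (constructed): two in-scope ranges, one carved-out host,
# and a testing window of 22:00 to 06:00 that wraps past midnight.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
EXCLUDED = [ipaddress.ip_network("203.0.113.250/32")]   # e.g. a fragile production host
WINDOW_START, WINDOW_END = time(22, 0), time(6, 0)


def in_scope(host: str) -> bool:
    """True only if host lies inside an approved range and is not explicitly excluded."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in EXCLUDED):
        return False          # exclusions win even when inside an approved range
    return any(addr in net for net in IN_SCOPE)


def in_window(when) -> bool:
    """True if the timestamp (datetime or ISO string) falls inside the agreed window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    t = when.time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END   # window wraps past midnight


def check_targets(hosts, when):
    """Split candidate hosts into (allowed, rejected) so nothing outside the ROE
    is ever probed; rejected entries carry the reason for the engagement log."""
    allowed, rejected = [], []
    for host in hosts:
        if not in_scope(host):
            rejected.append((host, "out of scope"))
        elif not in_window(when):
            rejected.append((host, "outside testing window"))
        else:
            allowed.append(host)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = check_targets(["203.0.113.10", "203.0.113.250", "192.0.2.7"], "2024-03-01T23:15:00")
    print("allowed:", ok)      # ['203.0.113.10']
    print("rejected:", bad)    # [('203.0.113.250', 'out of scope'), ('192.0.2.7', 'out of scope')]
```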
Pen Testing Report Components
A professional penetration test report contains two primary sections. The executive summary is written for non-technical leadership — it describes the overall risk posture, the most critical findings, and the business impact of what was discovered. It avoids technical jargon and focuses on business consequences. The technical findings section documents each discovered vulnerability in detail: severity rating, description, evidence (screenshots, output), step-by-step reproduction procedure, affected systems, and specific remediation recommendations. Each finding is prioritised so the remediation team knows what to fix first.
Reconnaissance Techniques — OSINT and Active Recon
Reconnaissance is the foundation of every penetration test — the quality of information gathered determines how efficiently the rest of the test proceeds. OSINT (Open Source Intelligence) uses publicly available information to map the target without touching their systems. Key OSINT sources: Shodan — a search engine for internet-connected devices that indexes banners, open ports, and services; a pen tester can discover a target's internet-facing infrastructure without sending a single packet to the target. WHOIS provides domain registration information including registrant contact details, nameservers, and registration dates. LinkedIn and company websites reveal employee names, job titles, email formats, and technology stack clues. Google dorks (advanced search operators) can find sensitive files, login pages, and misconfigured systems indexed by Google.
Active reconnaissance directly probes the target — this is detectable by the target's monitoring systems. Nmap is the standard tool for port scanning and service enumeration — it discovers open ports, running services, operating system versions, and service banners. A stealth scan (nmap -sS) sends SYN packets and analyses responses without completing the TCP handshake, making it harder to detect than a full connect scan. Banner grabbing captures service banners (the text a service sends when a client connects) to identify software versions — a banner revealing "Apache 2.4.49" immediately signals a known vulnerability if the version is unpatched.
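Even though a SYN scan never completes a handshake, so no application-level connection is logged, the burst of half-open attempts is still visible to network monitoring. The following detector shows how that pattern is caught; it is an added example, not code from the original page, and its comma-separated log format and sample records are constructed for the illustration.

```python
# Added example (not from the original page): detection logic for the SYN
# ("stealth") scan behaviour described above. The log format is constructed for
# this example: "epoch,src,dst,dport,handshake", where handshake is "complete"
# if the TCP three-way handshake finished and "half-open" if it never did.
from collections import defaultdict

# Constructed sample: 10.0.0.7 touches six ports on 10.0.0.20 in three seconds
# without completing a single handshake; the other sources look normal.
SAMPLE_LOG = """\
1700000000,10.0.0.5,10.0.0.20,22,complete
1700000001,10.0.0.7,10.0.0.20,22,half-open
1700000001,10.0.0.7,10.0.0.20,80,half-open
1700000001,10.0.0.7,10.0.0.20,443,half-open
1700000002,10.0.0.7,10.0.0.20,3389,half-open
1700000002,10.0.0.7,10.0.0.20,445,half-open
1700000003,10.0.0.7,10.0.0.20,8080,half-open
1700000090,10.0.0.5,10.0.0.21,443,complete
1700000091,10.0.0.9,10.0.0.20,80,half-open
"""


def parse(log: str):
    """Yield (ts, src, dst, dport, handshake) tuples from the constructed log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.strip().split(",")
        yield int(ts), src, dst, int(dport), state


def find_syn_scanners(log: str, window: int = 60, min_ports: int = 5):
    """Return [(src, dst, distinct_ports)] for sources that leave at least
    min_ports distinct ports half-open on one host within `window` seconds."""
    attempts = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport, state in parse(log):
        if state == "half-open":
            attempts[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in attempts.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):          # sliding time window over events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    print(find_syn_scanners(SAMPLE_LOG))   # [('10.0.0.7', '10.0.0.20', 6)]
```

The thresholds are deliberately simple; in practice they are tuned against baseline traffic so that load balancers and monitoring probes do not trip the rule.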
Social Engineering in Penetration Testing
Technical vulnerabilities are only one attack vector. Many penetration tests include a social engineering component that tests whether employees can be manipulated into providing access or information. Common social engineering techniques in pen tests:

- Phishing campaigns — sending simulated phishing emails to employees and measuring click rates and credential submission rates.
- Vishing — calling employees posing as IT support or vendors to obtain passwords or facilitate access.
- Physical access attempts — attempting to tailgate into facilities, leave malicious USB drives, or access unlocked workstations.
Social engineering testing requires explicit authorisation just like technical testing — rules of engagement must specify which employees are in scope, whether management is pre-notified (blind vs disclosed tests), and how employee data from phishing simulations is handled. The results of social engineering tests are often the most impactful findings in a pen test report — a technically hardened network that can be breached via a phishing email tells a compelling story about where security investment should go next.
Post-Exploitation — What Attackers Do After Getting In
The post-exploitation phase is where penetration tests demonstrate real business impact. After gaining initial access to a system, a skilled attacker (and pen tester) works to expand their access through privilege escalation and lateral movement. Privilege escalation — moving from a low-privilege account (standard user) to a high-privilege account (local administrator, domain administrator) — is often achievable through misconfigured services, unpatched local vulnerabilities, or weak service account passwords. A single unprivileged user account is often sufficient initial access to eventually achieve domain administrator through a chain of exploits.
Lateral movement techniques include Pass-the-Hash (using captured NTLM hashes to authenticate to other systems without knowing the plaintext password), Kerberoasting (requesting service tickets for service accounts and cracking them offline to obtain plaintext passwords), and using legitimate tools like PsExec, WMI, and PowerShell remoting that exist on every Windows system to move between hosts without triggering antivirus. These are the techniques that make Security+ questions about "living off the land" relevant — attackers increasingly use built-in system tools to avoid detection.
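From the defender's side, Kerberoasting leaves a recognisable trace: one account requesting service tickets for many different SPNs in a short burst, typically with the RC4 encryption type so the tickets crack faster offline. The detector below is an added example, not code from the original page; its records are constructed dicts modelled on the fields of Windows Security event 4769 (service ticket request), which is the log source a SIEM would normally supply.

```python
# Added example (not from the original page): detection logic for the
# Kerberoasting pattern described above, run over constructed records modelled
# on Windows Security event 4769 ("A Kerberos service ticket was requested").
# In production the records would come from a SIEM; these dicts are sample data.
from collections import defaultdict

RC4_HMAC = 0x17   # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12

# Constructed sample: "bob" requests RC4 tickets for five different SPNs in
# fourteen seconds, the bulk-request fingerprint of a Kerberoast.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "event_id": 4769, "account": "alice", "service": "MSSQLSvc/db01", "etype": 0x12},
    {"ts": 1700000010, "event_id": 4769, "account": "bob",   "service": "MSSQLSvc/db01", "etype": 0x17},
    {"ts": 1700000011, "event_id": 4769, "account": "bob",   "service": "HTTP/web01",    "etype": 0x17},
    {"ts": 1700000012, "event_id": 4769, "account": "bob",   "service": "CIFS/file01",   "etype": 0x17},
    {"ts": 1700000013, "event_id": 4769, "account": "bob",   "service": "MSSQLSvc/db02", "etype": 0x17},
    {"ts": 1700000024, "event_id": 4769, "account": "bob",   "service": "HTTP/web02",    "etype": 0x17},
    {"ts": 1700000500, "event_id": 4769, "account": "carol", "service": "HTTP/web01",    "etype": 0x17},
    {"ts": 1700000600, "event_id": 4768, "account": "dave",  "service": "krbtgt",        "etype": 0x12},
]


def detect_kerberoast(events, window: int = 300, min_services: int = 4):
    """Return {account: distinct_spns} for accounts that requested RC4 service
    tickets for at least min_services different SPNs inside one time bucket."""
    spns = defaultdict(set)   # (account, time bucket) -> set of SPNs
    for e in events:
        if e["event_id"] != 4769 or e["etype"] != RC4_HMAC:
            continue          # only service-ticket requests downgraded to RC4
        spns[(e["account"], e["ts"] // window)].add(e["service"])
    hits = {}
    for (account, _bucket), services in spns.items():
        if len(services) >= min_services:
            hits[account] = max(hits.get(account, 0), len(services))
    return hits


if __name__ == "__main__":
    print(detect_kerberoast(SAMPLE_EVENTS))   # {'bob': 5}
```

The RC4 filter catches the common downgrade but not a roaster who requests AES tickets, so the SPN-burst count is usually run without that filter as a second, noisier rule; service accounts that still only support RC4 will also need allow-listing to keep false positives down.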