What is Penetration Testing?

A penetration test is a simulated cyber attack against your nonmalicious computer system to check for exploitable vulnerabilities. It’s a series of targeted nonmalicious attacks, intended to breach your cybersecurity defenses. The difference between a pentest and a real attack, however, is that penetration tests are conducted by ethical security professionals, who keep any extracted data private and ultimately help you improve your security posture. 

We simulate an external attacker attempting to exploit your internet-facing networks and applications to help you identify exploitable vulnerabilities and weaknesses in your perimeter that leave you exposed.

Penetration Testing vs. Vulnerability Assessments

The main difference between a penetration test and vulnerability assessment is that while both start with an initial scan and investigation of identified vulnerabilities, attack vectors such as social engineering, external/ internal network services, web application, etc. are not performed during a vulnerability assessment.

Think of vulnerability assessments and penetration tests as equally important investments in a holistic cyber security initiative. A pentest, however, takes longer and is a more extensive investigation. 

To learn more about what sets them apart, read our blog Penetration Testing vs. Vulnerability Assessments: The Key Differences.

The 6 Types of Pentests

When a company says they’ll perform a pentest, it’s important to find out what kind of penetration test they’re offering.

There are six core types:

  1. External Network
  2. Internal Network
  3. Social Engineering
  4. Physical
  5. Wireless
  6. Web/Mobile Application

If a bad actor finds one shut door, it’s not to say they can’t find another that’s open. With this in mind, a savvy cyber security team should pursue all of these testing vectors, careful to take a rounded approach. This “combination of attack vectors” approach is often referred to as Red Teaming.

Learn more about the 6 Types of Pentesting before screening any companies for the job.

The 4 Phases of Pentests

No matter the type of penetration test, there are usually four phases, all which deserve equal attention:

  1. Planning
  2. Pre-Attack
  3. Attack
  4. Post-Attack

While it’s easy to assume performing the attacks is all that matters, the success of any compromise often depends on what happens before and after the actual exploit. 

Social engineering attacks often work because the hacker builds a relationship and trust with the victim before planting the bait, meaning a lot of strategizing and slow-nurturing occurs before the malware-infected link is sent or the bad actor asks the recipient to perform a task.

What happens post-attack matters just as much. According to M-Trends, the median number of days an adversary will sit inside a network undetected is an incredible 146 days. What could a hacker find out about your company or do with 146 days of access to your internal network?

Read more about the 4 Phases of Penetration Testing here.

The Pentesting Report

Once the cybersecurity professionals breach your systems, they’ll compile their findings into a comprehensive report. This report will breakdown what happened throughout the attack and offer recommendations for mitigating the risks. It often includes an executive summary as well, translating tech talk into an easily understood language for your C-Suite.

Explore what’s included in a pentesting report here. 

Beyond the Compliance Checkbox

There are many reasons why a professional pentest is a wise investment beyond compliance regulations. Discover why penetration is more important than ever in 2020.

Then, read through these 7 Real-World Findings from Penetration Tests to start making changes to security. Continue learning by downloading our free 5-½ Easy Steps to Avoid Cyber Attacks ebook.

New call-to-action

Topics: penetration testing

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

The Growth of Third-Party Software Supply Chain Cyber Attacks

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

Read more ›

How to Prioritize Your Pentesting Report’s Remediation Recommendations

If you recently received a penetration test, you’re on the right track to improving your cybersecurity posture. However, you may be wondering what the..

Read more ›