Glossary
Penetration Testing
A simulated cyberattack against an organization's systems, networks, or applications conducted by authorized security professionals to identify exploitable vulnerabilities before malicious attackers do.
What Is Penetration Testing?
Penetration testing (pentesting) is an authorized, controlled attempt to exploit vulnerabilities in an organization's systems. Unlike vulnerability scanning, which identifies potential weaknesses, penetration testing actively exploits them to demonstrate real-world risk and impact.
Types of Penetration Testing
| Type | Scope | Focus |
|---|---|---|
| Network pentest | Internal/external network | Firewalls, servers, network services |
| Web application pentest | Web apps and APIs | OWASP Top 10, business logic flaws |
| Cloud pentest | Cloud infrastructure | Misconfigurations, IAM weaknesses |
| Social engineering | Human element | Phishing, pretexting, physical access |
| Red team engagement | Full organization | Multi-vector, simulating real adversaries |
| Purple team exercise | Collaborative | Red team attacks while blue team defends |
Pentest Methodology
Most penetration tests follow a standard methodology:
- Scoping: Define targets, rules of engagement, and goals
- Reconnaissance: Gather information about the target (OSINT, network scanning)
- Vulnerability Analysis: Identify potential vulnerabilities
- Exploitation: Attempt to exploit identified vulnerabilities
- Post-Exploitation: Determine impact — data access, lateral movement, privilege escalation
- Reporting: Document findings with evidence, risk ratings, and remediation guidance
Black Box vs. White Box vs. Gray Box
| Approach | Tester Knowledge | Simulates |
|---|---|---|
| Black box | No prior knowledge | External attacker |
| White box | Full access (source code, architecture) | Insider threat, deep assessment |
| Gray box | Partial knowledge (credentials, architecture) | Compromised user, most realistic |
Pentest vs. Vulnerability Scan vs. Red Team
- Vulnerability scan: Automated, identifies known vulnerabilities, no exploitation
- Penetration test: Manual + automated, exploits vulnerabilities, proves impact
- Red team: Extended engagement, simulates real adversary TTPs, tests detection and response
When to Pentest
- Before launching new applications or major features
- After significant infrastructure changes
- Annually (or more frequently) for compliance (PCI DSS requires annual pentests)
- After a security incident to validate remediation