TLDR:
Penetration testing (pentesting) is the practice of systematically attempting to exploit security vulnerabilities in systems, networks, applications, or physical premises—simulating the actions of a malicious attacker to identify weaknesses before adversaries do. Pentests are typically conducted by specialized security firms (or in-house teams) under controlled, authorized conditions.
Types of Penetration Tests
Major categories include: network penetration testing (external and internal network attack surfaces), web application testing (OWASP Top 10 vulnerabilities in custom applications), mobile application testing, cloud penetration testing (AWS/Azure/GCP misconfigurations), wireless network testing, social engineering (phishing simulations, physical access attempts), API testing, and increasingly AI/LLM red-team testing. Engagement models include black-box (tester has no internal information), gray-box (some information shared), and white-box (full information including source code).
Methodology and Standards
Standardized methodologies guide pentests: the OWASP Web Security Testing Guide, PTES (Penetration Testing Execution Standard), NIST SP 800-115, and OSSTMM. A typical engagement proceeds through these phases: scoping and rules of engagement, reconnaissance and information gathering, vulnerability identification, exploitation attempts, post-exploitation (privilege escalation, lateral movement), reporting (severity-rated findings with remediation guidance), and a retest after remediation. Quality pentests produce actionable, prioritized findings rather than long lists of low-severity issues.
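As an added example (not code from the original page), a small Python model of the reporting and retest phases just described: findings are grouped by root cause, groups are ranked by their worst finding, anything below a chosen severity is moved to an appendix so the headline list stays actionable, and the retest phase records which headline findings were verified fixed. The Finding fields, the severity labels and the sample findings are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}  # higher is worse

@dataclass
class Finding:
    fid: str                 # report identifier, e.g. "F-03"
    title: str
    severity: str            # one of SEVERITY_RANK's keys
    root_cause: str          # shared cause, used to group related findings
    remediation: str         # guidance the report gives the system owner
    retest: str = "pending"  # "pending", "fixed" or "still-vulnerable"

def prioritize(findings, min_severity="medium"):
    """Group by root cause, rank groups by their worst finding, and move groups
    below min_severity to an appendix. Returns (headline_groups, appendix)."""
    groups = defaultdict(list)
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} on {f.fid}")
        groups[f.root_cause].append(f)
    for items in groups.values():  # worst finding first inside each group
        items.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    worst = lambda items: SEVERITY_RANK[items[0].severity]
    ordered = sorted(groups.items(), key=lambda kv: (-worst(kv[1]), kv[0]))
    cutoff = SEVERITY_RANK[min_severity]
    headline = [(c, items) for c, items in ordered if worst(items) >= cutoff]
    appendix = [f for c, items in ordered if worst(items) < cutoff for f in items]
    return headline, appendix

def retest_status(findings):
    """Retest phase: how many findings were verified fixed, and which remain open."""
    closed = sum(1 for f in findings if f.retest == "fixed")
    return {"closed": closed, "open": sorted(f.fid for f in findings if f.retest != "fixed")}

# Constructed sample findings from a fictional engagement, not real results.
SAMPLE = [
    Finding("F-01", "Admin console reachable unauthenticated", "high", "missing-authz", "Require login on /admin", "fixed"),
    Finding("F-02", "Invoice IDs enumerable across tenants", "medium", "missing-authz", "Check ownership server-side", "still-vulnerable"),
    Finding("F-03", "TLS 1.0 offered by load balancer", "low", "legacy-tls", "Disable TLS below 1.2"),
    Finding("F-04", "Default SNMP community on core switch", "critical", "default-credentials", "Unique string or SNMPv3", "fixed"),
    Finding("F-05", "Server header discloses version", "info", "info-disclosure", "Strip version from header"),
    Finding("F-06", "Verbose stack trace on error page", "low", "info-disclosure", "Generic error pages in prod"),
]

if __name__ == "__main__":
    headline, appendix = prioritize(SAMPLE)
    print({c: [f.fid for f in items] for c, items in headline}, [f.fid for f in appendix])
    print(retest_status([f for _, items in headline for f in items]))
```

Lowering min_severity to "low" pulls the appendix groups back into the headline list, which is how a report for a small, well-hardened scope would usually be cut.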
Regulatory and Business Requirements
Pentests are required or expected under many frameworks: SOC 2 and ISO 27001 typically expect annual pentests; PCI DSS requires regular pentests of cardholder data environments; NIS2 requires security testing for essential entities; and many enterprise customers require pentests as part of vendor security reviews. Costs vary widely: from $5K-$10K for small scoped tests to $50K+ for complex enterprise engagements. Selecting a reputable vendor with certified testers (OSCP, GIAC, CREST) and a sound track record on past engagements is essential.