A penetration test (pentest) is an assessment type that is usually centered around a research question stemming from a specific security concern. Quite often this question is "To what extent can a threat-actor penetrate our organization?".
Various techniques and tactics are deployed in a short timespan to provide a solid answer to this question. Vulnerabilities identified and exploited in the course of this process are outlined in a report that focusses on the (technical) impact to your organization.Questions or request a quote?
There are several types of pentests, and the term "scope" refers to the specific assets (e.g., applications, internal and/or external network ranges) that need to be tested to achieve the agreed-upon objectives. The differences between the types are mainly related to the (technical) information provided in advance. Unfortunately, no unambiguous definitions are applied in the industry. We use the following definitions:
Without (provided) credentials and/or technical information (e.g., documentation).
With credentials for one or more user roles and/or technical information (e.g., documentation).
A scenario-based pen test and the scenario that login credentials are obtained (assumed breach) by a successful social engineering attack (such as phishing), for example, also qualifies as gray box perspective.
With access to configuration and/or source code to support the assessment. Usually combined with credentials for one or more user roles and/or detailed (design) documentation.
A pentest provides valuable insights into the security posture, improvement opportunities, technical imperfections and risks. However, the increase in security remains dependent on the follow-up of the results. The gain is usually the highest when there is intrinsic motivation. A mature information security policy includes periodic security testing.
In addition, security testing may be a contractual obligation or mandated by applicable laws and regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to websites that independently process creditcard data.