A penetration test is the act of evaluating the security of a computer system or network using the same tools and techniques that a malicious attacker would use. Penetration tests are generally used either to test and verify that recent security upgrades have been effective, or to attempt to determine the relative amount of resources that a malicious attacker would need to exploit the computer system or network. This can help an organization understand the feasibility of a successful attack against its environment and determine the business impact a successful exploit may have.
The process involves analysis of the environment under review for potential vulnerabilities, hardware or software flaws, poor or improper configurations, or weaknesses in the security systems deployed to protect the environment. This analysis may be followed by attempted active exploitation of any identified vulnerabilities in order to gain elevated access or privileges on the systems being reviewed. The findings are then reviewed with the organization, and remediation plans can be created for any vulnerabilities found.
Penetration testing is generally performed as part of a comprehensive security assessment; however, many organizations use penetration testing on a one-time or recurring basis to continuously evaluate their security status.