AlignTrust

Penetration Testing

A simulated cyberattack conducted by security professionals to identify exploitable vulnerabilities before real attackers do.

What Is Penetration Testing?

Penetration testing (pen testing) is an authorised, simulated cyberattack performed by security professionals — called penetration testers or ethical hackers — to identify and demonstrate exploitable vulnerabilities in an organisation's systems, networks, or applications. The goal is to find weaknesses before malicious attackers do, and to prove whether defensive controls are effective.

Unlike a vulnerability scan, which identifies potential weaknesses, a penetration test actively attempts to exploit them to determine real-world impact.

Types of Penetration Tests

Network penetration test: Targets infrastructure — routers, firewalls, servers, endpoints. Identifies network misconfigurations, exposed services, and lateral movement opportunities.

Web application penetration test: Tests web apps for OWASP Top 10 vulnerabilities — SQL injection, XSS, authentication flaws, business logic errors.

Social engineering / phishing test: Simulates phishing campaigns or pretexting calls to assess employee awareness.

Physical penetration test: Tests physical security controls — access to buildings, server rooms, hardware.

Red team exercise: A comprehensive, objective-based engagement simulating a full advanced threat — combining technical, social engineering, and physical tactics.

Black Box vs Grey Box vs White Box

  • Black box: Testers have no prior knowledge of the target, simulating an external attacker
  • Grey box: Testers have partial knowledge (e.g., user-level credentials), simulating an insider or compromised account
  • White box: Testers have full access to architecture, source code, and credentials — most thorough, most efficient

When to Commission a Penetration Test

  • Before launching a new product or service
  • As part of SOC 2, ISO 27001, or other compliance programmes
  • After significant infrastructure changes
  • When customers or enterprise contracts require it
  • Annually for internet-facing applications

Understanding the Report

A good pen test report includes:

  • Executive summary: Risk rating and key findings in plain language for management
  • Technical findings: Each vulnerability with supporting evidence, reproduction steps, and a CVE reference where one applies
  • Risk rating: Critical / High / Medium / Low
  • Remediation guidance: Specific steps to fix each issue
  • Retest recommendation: After fixes, a retest confirms remediation is effective