A penetration test (pentest) is a controlled, authorised attack against your own systems, run by security professionals to find out what a real attacker could actually do — not in theory, but in practice. Where a scan lists weaknesses, a pentest proves which of them can be chained together to reach something that matters: a database, a domain administrator, a payment flow.
This guide covers what a pentest is and is not, the main types, the methodology behind a serious engagement, when it is worth doing and where it stops being enough.
At a glance
- The point: prove real, exploitable impact, not just the presence of vulnerabilities.
- The types: web, external and internal network, Active Directory, API, cloud, Microsoft 365, mobile and wireless — black, grey or white box.
- The method: scoping, reconnaissance, threat modelling, controlled exploitation, post-exploitation and a report you can act on.
- The limit: a pentest is a point-in-time snapshot; continuous risk needs vulnerability management and monitoring too.
What a penetration test actually is
A pentest simulates the behaviour of a real adversary within an agreed scope and set of rules. The testers do not just confirm that a flaw exists; they exploit it in a controlled way to demonstrate the consequence — access gained, data reachable, privilege escalated. That evidence is what turns an abstract risk into a decision a board can act on.
What a pentest is not
It is not an automated vulnerability scan, and it is not a security audit. A scan produces a list; an audit reviews posture and controls for breadth; a pentest goes deep on exploitability. Confusing the three is the most common — and most expensive — mistake when buying offensive security.
The most common types of pentest
Engagements are usually scoped by target: web applications, external network perimeter, internal network, Active Directory, APIs, cloud, Microsoft 365, and mobile or wireless. Most organisations start where their exposure and their crown jewels are — typically public web and identity.
Types by level of information: black, grey and white box
Black box means the testers start with no inside knowledge, mimicking an external attacker. White box gives them full information — architecture, credentials, source — for maximum coverage. Grey box sits in between and is the usual pragmatic choice: enough context to be efficient, without hiding the parts a determined attacker would eventually find anyway.
The methodology of a well-run pentest
A serious engagement follows a disciplined sequence: pre-engagement and rules of engagement; reconnaissance and intelligence gathering; threat modelling and attack-surface analysis; vulnerability analysis; controlled exploitation; post-exploitation to validate real impact; and a report that is genuinely useful. Skipping the early and late phases is how tests end up as noise — either scope creep or a wall of findings nobody can prioritise.
Is a pentest mandatory? Regulation and certifications
Several frameworks expect regular testing. PCI DSS requires penetration testing for cardholder environments; DORA pushes financial entities towards threat-led testing; NIS2 expects risk-based technical testing as part of managing risk; and ISO 27001 and Spain's ENS both treat regular testing as evidence of a working control environment. Even where it is not named explicitly, a pentest is often the cleanest way to demonstrate the control.
Pentest, audit, red team and vulnerability management
These are complementary, not interchangeable. An audit measures breadth of posture; a pentest proves depth of exploitability; a red team tests detection and response against a realistic adversary; and vulnerability management keeps risk down between tests. Choosing among them starts with the question you are trying to answer — we compare two of them directly in security audit vs penetration testing.
Common mistakes when buying a pentest
The usual traps: scoping by price instead of by risk, accepting an automated scan dressed up as a pentest, and treating the report as the end rather than the start. A test only pays off if the findings are prioritised and remediated — which is where what vulnerability management includes picks up.
The bottom line
A pentest answers a specific, valuable question: what could a capable attacker actually achieve here, today? Used at the right moments — before a launch, after major change, on a regular cadence for regulated systems — it is one of the highest-signal investments in security. If you want help scoping one, get in touch.