Penetration testing is a security assessment simulating real attacks against systems, networks or applications to identify exploitable vulnerabilities.
Penetration testing (pentesting) is an authorized, scoped and controlled assessment that uses the same techniques as a real attacker to find and exploit vulnerabilities before a real attacker does. Engagements are classified by how much information the tester starts with: black box (no prior information), gray box (partial information, such as credentials or documentation) and white box (full access to source code and architecture). It is a control recommended by ISO 27002 and explicitly required by regulations such as PCI DSS.
At minimum annually, and again after any significant change to infrastructure or applications. Regulations like PCI DSS require pentesting at least annually and after significant changes. High-risk organizations, or those with a rapid release cycle, may require quarterly or per-release testing.
Vulnerability scanning is automated and detects known vulnerabilities by matching versions and signatures; it cannot confirm exploitability and produces false positives. Pentesting is largely manual: the tester attempts to exploit vulnerabilities, chains individually low-severity findings together, and demonstrates real business impact. They are complementary, not substitutes; scanning provides continuous coverage between pentests.