What is penetration testing, anyway?
If you have a software system that protects valuable data or other assets, you probably want to have it tested for security vulnerabilities. That has probably led you to explore types of security assessments, and you’ve probably found that the most commonly referenced one is “penetration testing.”
What many companies don’t realize, however, is that “penetration testing” oftentimes isn’t really penetration testing at all. Worse yet, they don't realize that they actually might need something else.
When it comes to testing applications for security vulnerabilities, terms are used incorrectly all the time. If you don’t realize it’s happening, it can have dire consequences.
Download Ted's free ebook, "How to secure your software faster and better."
Most people ask for penetration testing, but are sold vulnerability scanning instead. However, what most people actually need is something else entirely: vulnerability assessments.
Those are remarkably different things. Each requires a different investment of time, effort and money. Each has different goals. Each produces different outcomes.
Penetration testing
The most commonly referenced type of security testing is “penetration testing.” That has become a catchall term, and, unfortunately, it’s misleading.
True penetration testing is a tactical service suitable for robust, hardened, thoroughly tested systems. It’s a time-constrained effort to measure a single outcome. For example, a penetration test might seek to determine “could an attacker escalate basic user privileges to admin rights?” The outcome is either yes or no. There is no other outcome.
Penetration testing is great when you have a mature, well-tested defense, and you want to determine if that defense still stands up to a simulated attack. Think of it like when a car maker wants to understand how a vehicle performs in a crash situation. They literally crash it into a wall to see what happens. It’s great for understanding a specific scenario. But it is only good for a system that’s already been thoroughly tested. And it’s really only intended to inform what happens in that specific scenario; it’s not intended to be holistic.
Vulnerability scanning
Now, that’s what penetration testing is supposed to be. It’s badass, and it seeks to find exploits. Unfortunately, the term is often used to refer to something else: vulnerability scanning. Thanks to misleading marketing and confused customers, “vulnerability scanning” has become synonymous with “penetration testing.”
It’s not.
Vulnerability scanning involves running an automated tool that looks for common vulnerabilities that are known to exist. The goal is to quickly and inexpensively find basic issues, including checking for unpatched vulnerabilities. Given that running a scanner is one of the first steps your attacker will take, it’s a good idea for you to do this too. You want to see what they see. It’s good if you want to keep timelines and cost to a minimum (with the understanding that it will also limit the value you get as a result).
It’s like the diagnostic tool that mechanics use when the “check engine” light comes on in your car. The tool scans for known issues, spitting back readable codes. It’s easy, inexpensive and quick. But it’s certainly not a comprehensive way to evaluate vehicle safety.
Think about that: you ask to simulate a car crash, yet are sold a way to remove the check engine light. Those are pretty different!
Vulnerability assessments
The frustrating confusion doesn’t end there.
As if asking for one thing but being sold something else wasn’t frustrating enough, there’s this: neither of those deliver the outcome that people are usually after.
When it comes to security testing, most people are looking for a comprehensive understanding of their system’s security vulnerabilities. They want to know what the problems are across the entire system and how to fix the problems, with a way to prioritize what to focus on first. Then they want to be able to prove that the system is more secure.
That’s not what either penetration testing or vulnerability scanning delivers. But it’s exactly what vulnerability assessments deliver.
Vulnerability assessments leverage experienced humans who solve problems manually in order to address your unique circumstances. In the real world, you’re defending against smart, motivated, problem-solving humans — not just scans. Vulnerability assessments help you defend accordingly. They’re great for both well-hardened systems as well as those still figuring it out (and everyone in between).
Unlike a single crash test or running the diagnostic tool to clear the “check engine” light, vulnerability assessments are like the entire safety engineering department. They consider all of the different safety systems — from seatbelts to airbags — and how they all work together. It’s a holistic view on where the weaknesses are and how to improve them.
What should you learn next?
Know your goal
As you can see, each of these terms means something quite different, so it’s important to understand four things. First, there is a difference. Second, terms are commonly misused for each other. Third, they shouldn't be. Fourth, it’s up to you to make sure you get what you need.
The best way to do this is to start with your goal. What do you want to achieve with the testing?
If you have a mature, heavily hardened system that’s already been through extensive security testing and you want to know how it stands up to a simulated attack against a specific area, get penetration testing.
If you need to find basic, common issues quickly, keep costs to a minimum and are fine without finding custom exploits, get vulnerability scanning.
If you need to find as many security vulnerabilities as possible — including custom exploits — understand their severity, and fix them based on priority ranking, get vulnerability assessments. Be clear on your goal when discussing testing with your security company, and you’ll be able to get the outcomes you need, irrespective of which term is being used to refer to the testing.
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- What is penetration testing, anyway?
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
- Exploiting NFS share [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness