What is Penetration Testing?

Penetration testing, sometimes called ethical hacking or shortened to pen test, is an authorized attack performed to evaluate a system or application in order to find exploitable vulnerabilities so they can be proactively remediated.  

There are many different types of pen tests, including:

1. External, which determines the security posture of an internet-facing network
2. Internal, which tests the controls of an organization's internal systems as if a hacker had bypassed the perimeter
3. Application, which tests applications for vulnerabilities
4. Wireless network testing, which evaluates whether popular wireless LAN infrastructure creates an opening for attackers to exploit
5. Social engineering, which can include sending phishing emails (or impersonating other individuals on the phone or in person) to gain access to restricted areas or systems
6. Physical testing, which evaluates the physical security of an organization, including door locks and badge/access controls

Many of the tests above are often confined to a specific scope of systems or time period. Another concept in pen testing that's gaining momentum is red teaming. In war games, the red team represents the aggressor, whose job it is to test the capabilities of those on defense (the blue team). In pen testing, red team refers to testing in which there are no restrictions related to systems in scope or time windows. Hence, red team approaches provide the most accurate simulation of a real-world adversary.