Skip to content
    Wiki

    Penetration Testing — Definition and Methodology

    Penetration testing from first principles — what it is, how it is conducted, and what the output should look like.

    Mission Support Editorial Desk · 2026-07-06

    Penetration testing — pen testing — is an authorised, structured attempt to exploit vulnerabilities in a system, network, application, or physical environment before a real adversary does. It simulates the techniques and tools of actual attackers to identify exploitable gaps that vulnerability scanning and configuration review alone cannot reliably find.

    Definition

    Penetration testing is a form of ethical hacking — authorised by the asset owner — conducted by specialists who attempt to breach the target's defences using the same techniques a real attacker would use. The goal is to identify exploitable vulnerabilities, demonstrate their impact, and provide actionable remediation guidance before those vulnerabilities are exploited by an actual adversary.

    Types of penetration test

    • Network penetration test — attacks on network infrastructure: firewalls, routers, switches, exposed services, and lateral movement paths
    • Web application penetration test — attacks on web applications: injection, authentication bypass, business logic flaws, session management
    • Social engineering — phishing, vishing, and physical access attempts exploiting human factors
    • Physical penetration test — attempts to bypass physical security controls to gain unauthorised access to facilities
    • Red team exercise — comprehensive adversary simulation across all domains (digital, physical, human) with defined objectives
    • Cloud penetration test — assessment of cloud configuration, access controls, and cloud-specific attack vectors

    Methodology

    Professional penetration tests follow a structured methodology: scoping and rules of engagement (what is in scope, what is forbidden, the timeframe); reconnaissance (information gathering about the target); exploitation (actively attempting to breach controls); post-exploitation (assessing what a successful attacker could achieve); and reporting (documenting findings, evidence, and prioritised remediation).

    Pen test vs vulnerability scan

    A vulnerability scan identifies potential weaknesses using automated tools; a penetration test attempts to exploit them. A scan tells you what might be vulnerable; a pen test tells you what is actually exploitable and what an attacker can achieve by exploiting it. Both have a role: scans for continuous monitoring, pen tests for periodic deep assessment and compliance evidence.

    Frequently Asked

    Primary action

    Request a Penetration Test

    Operational engagements start with a vetted conversation. Mission Support responds inside one working day for governmental and Tier-1 enquiries.

    Continue to service brief