Penetration Testing
Definition
Penetration testing (also called a pentest) is an authorised, simulated cyberattack on a system, network or application, carried out to discover and prove security vulnerabilities before malicious actors find them. According to the Ponemon Institute, a pentest identifies on average 33% more critical vulnerabilities than a vulnerability scan alone.
How does penetration testing work?
A pentest team attempts to find and exploit vulnerabilities just like a real attacker, but with permission and predefined rules (Rules of Engagement). The team documents every step and delivers a report with found vulnerabilities, exploitation evidence, risk assessment and concrete recommendations.
Types of pentests
Black box: the testers have no prior knowledge of the target.
White box: the testers have full information, including source code.
Grey box: the testers have limited information.
External pentest: tests internet-facing systems.
Internal pentest: simulates an attacker who is already inside the network.
Web application pentest: tests web applications against the OWASP Top 10.
Mobile app pentest: tests iOS and Android applications.
Cloud security assessment: tests cloud configurations.
Difference from vulnerability scanning
A vulnerability scan automatically reports found vulnerabilities. A pentest goes further: the team actually exploits vulnerabilities to prove impact, not just theoretical risk.
Impact on organisations
Pentests are required or strongly recommended under multiple regulations: NIS2, PCI DSS, DORA and ISO 27001.
Protection
Conduct pentests at least annually and after significant changes. Choose an independent provider. Prioritise and remediate findings. Conduct retests to confirm fixes.
How DEFION helps
DEFION offers the full spectrum of pentest services: External, Internal, Web Application, Mobile App, Cloud Security Assessment, Code Security Review and OT Pentest.