A penetration test is a study of the effect of vulnerabilities against a target or targets. The targets can consist of systems, networks, applications, people, or any combination of these. During a penetration test, we assume the identity of an attacker and attempt to gain unauthorized access. Through a series of attacks, we expand our influence over our target of evaluation. A penetration test measures the effectiveness of security controls while being flexible enough to adapt as obstacles present themselves.
The information security threat landscape is ever-evolving, and simple passive methods of protection are not keeping up with new threats. A vulnerability scan is good at finding known flaws, and anti-malware detection is likewise good at finding known threats, but modern-day threat actors are very good at exploiting what is not known.
Despite an organization’s best efforts to implement security controls, those controls are only as good as the sum of all of their parts. It is just as easy to misconfigure any one of these parts as it is to configure it properly.
A successful security program is a combination of controls. A professional penetration test will tell you how well the entire security program, with all of its controls, is situated to detect and detain these threats when they appear.