What is Penetration Testing?

10 minute read
Intermediate

Penetration testing simulates real attacks against your systems to find exploitable vulnerabilities before attackers do. Learn what a pentest actually involves and what it tells you.

What Penetration Testing Actually Is

A penetration test is a structured engagement where security professionals — either an internal red team or an external firm — attempt to compromise a defined target environment using the same techniques, tools, and thought processes that real attackers use. The testers operate within a defined scope and rules of engagement, document their methodology and findings, and deliver a report that describes what they were able to compromise, how, and what the business impact would be if a real attacker had succeeded.

Types of Penetration Tests

Network penetration testing assesses external-facing infrastructure — web servers, VPNs, email gateways, firewalls — and internal network security. External network tests simulate an attacker with no prior access to the environment. Internal network tests simulate an attacker who has already gained a foothold inside the network, evaluating lateral movement paths, privilege escalation opportunities, and the ability to reach high-value targets like domain controllers, financial systems, and sensitive data repositories.

Web application penetration testing focuses specifically on web applications — assessing for OWASP Top 10 vulnerabilities including SQL injection, cross-site scripting, authentication weaknesses, insecure direct object references, and server-side request forgery. Application pentests require testers who understand web application architecture and can test both the application layer and the underlying infrastructure.

Social engineering assessments test the human element — phishing simulations, vishing (voice phishing), and physical security testing. These tests evaluate employee security awareness, email filtering effectiveness, and physical access controls. They are among the most consistently revealing assessments because they test the attack vector most commonly used against mid-market organizations.

Red team assessments are the most comprehensive and realistic form of security testing. A penetration test has a tightly defined scope and a fixed testing window; a red team engagement, while still governed by rules of engagement, simulates a targeted adversary pursuing a specific objective — accessing the CFO's email, exfiltrating customer data, achieving domain admin — using whatever techniques are required, over an extended timeframe, and usually without the blue team knowing an engagement is in progress, so it also measures how well detection and response actually work.

What a Penetration Test Actually Tells You — and What It Doesn't

A penetration test tells you what a skilled attacker with access to known tools and techniques could accomplish against your environment during the testing period. This is genuinely valuable information. It is not a guarantee that your environment is secure against all attacks, a comprehensive inventory of all vulnerabilities, a substitute for continuous monitoring and detection, or a certification that your controls are effective.

The Scope Problem

Most penetration test findings are constrained by the scope defined before the engagement begins. An organization that scopes a penetration test to exclude cloud infrastructure, third-party applications, and physical security is receiving a test against a subset of their actual attack surface. Attackers do not respect scope boundaries. The most common path to compromise in real-world attacks — credential phishing followed by cloud account takeover — is frequently outside the scope of traditional network penetration tests.

Point-in-Time vs. Continuous

A penetration test is a point-in-time assessment. The report reflects the state of your environment on the specific days the test was conducted. An organization that patches the findings from their April penetration test and then makes significant infrastructure changes in May and June is not protected by their April report. Security environments change continuously — new systems are deployed, configurations drift, new vulnerabilities are discovered — and point-in-time assessments become stale quickly.

Penetration Testing in M&A and Portfolio Management

Pre-Close Due Diligence

Penetration testing as a component of M&A cyber due diligence requires a different approach than a standard compliance-driven assessment. The goal is not to identify and remediate all vulnerabilities before close — that is impossible in a typical due diligence timeline. The goal is to identify the specific vulnerabilities that represent material business risk: paths to complete network compromise, exposure of customer data, access to financial systems, and conditions that would trigger regulatory notification obligations. A targeted 48-72 hour assessment focused on the highest-risk attack paths delivers more actionable intelligence than a comprehensive months-long engagement.

Portfolio Company Baseline

For PE sponsors managing a portfolio of mid-market companies, annual penetration testing of each portco creates a baseline of security posture and tracks improvement over time. More valuable than the individual test results is the cross-portfolio visibility: which portcos have persistent findings that indicate systemic security program weakness, which attack paths are consistent across multiple portfolio companies suggesting a shared technology or configuration risk, and which portcos are effectively remediating findings versus generating reports that go unaddressed.

What to Look for in a Penetration Testing Provider

Quality across the penetration testing market varies widely. Effective penetration testing requires manual exploitation — testers who understand attack technique beyond what automated scanning tools can discover — and not just vulnerability scanning rebranded as penetration testing. The distinction matters: a vulnerability scan matches software versions, banners, and configurations against a database of known issues and reports each one in isolation. A penetration test chains multiple techniques together to achieve a specific objective, as real attackers do, and proves which of those issues are actually exploitable in context. Reports should include proof-of-concept evidence of successful exploitation, business impact analysis of each finding, and remediation guidance specific to the environment tested.

Real-World Example: How a 4-Hour Pentest Revealed Complete Domain Compromise

In a Cloudskope M&A due diligence engagement for a PE sponsor evaluating a 300-person healthcare technology company, our penetration testers achieved domain administrator privileges within 4 hours of beginning the internal network assessment. The path required three steps: identifying a legacy Windows Server 2008 system that had not been patched since 2019, exploiting a known vulnerability on it to gain an initial foothold, and harvesting credentials from the legacy system's memory to obtain a service account credential that held domain admin privileges — a configuration the organization's IT team was unaware of. The finding was material to deal valuation: domain admin meant an attacker could reach every system, every database, and every email account in the organization at once. The sponsor used the finding to negotiate remediation obligations into the purchase agreement.
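The two conditions that made this path possible, an out-of-support host on the network and a service account that was effectively a domain admin, are exactly what an internal network test (as described under network penetration testing above) looks for first, and they can be checked from a directory export before anyone exploits anything. The following is an added example, not Cloudskope's tooling or code from the original page: it runs over a small, constructed directory dump (objects, group memberships, servicePrincipalName values, password age and operating system) and flattens nested group membership to find service accounts that inherit privileged-group membership, plus computers running an unsupported OS. The object fields, group names, SPN-means-service-account heuristic and the 365-day password-age threshold are assumptions for the example; in practice the input would come from an LDAP, ADExplorer or BloodHound export.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ADObject:
    """Hypothetical, minimal view of a directory object (assumed field names)."""
    name: str
    kind: str                                   # "user", "group" or "computer"
    member_of: List[str] = field(default_factory=list)
    spns: List[str] = field(default_factory=list)   # servicePrincipalName values
    operating_system: str = ""
    pwd_age_days: Optional[int] = None


PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
UNSUPPORTED_OS_PREFIXES = ("Windows Server 2003", "Windows Server 2008", "Windows 7")
MAX_PASSWORD_AGE_DAYS = 365   # assumed policy threshold for the example


def direct_members(group: str, directory: Dict[str, ADObject]) -> List[ADObject]:
    return [o for o in directory.values() if group in o.member_of]


def effective_members(group: str, directory: Dict[str, ADObject],
                      _seen: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Flatten nested membership: {principal name: chain of groups that grants it}.

    Nesting is what IT teams tend to miss; a user in "SQL Admins" is a domain
    admin if "SQL Admins" is itself a member of "Domain Admins".
    """
    seen = _seen if _seen is not None else set()
    if group in seen:                 # guard against circular nesting
        return {}
    seen.add(group)
    result: Dict[str, List[str]] = {}
    for obj in direct_members(group, directory):
        if obj.kind == "group":
            for name, path in effective_members(obj.name, directory, seen).items():
                result.setdefault(name, [group] + path)
        else:
            result.setdefault(obj.name, [group])
    return result


def privileged_service_accounts(directory: Dict[str, ADObject]) -> Dict[str, dict]:
    """Users that end up in a privileged group and look like service accounts
    (an SPN is set) or carry a stale password. Interactive admins with a
    fresh password and no SPN are not flagged."""
    findings: Dict[str, dict] = {}
    for group in sorted(PRIVILEGED_GROUPS):
        for name, path in effective_members(group, directory).items():
            obj = directory[name]
            if obj.kind != "user":
                continue
            reasons = []
            if obj.spns:
                reasons.append("has SPN: likely service account, Kerberoastable")
            if obj.pwd_age_days is not None and obj.pwd_age_days > MAX_PASSWORD_AGE_DAYS:
                reasons.append(f"password {obj.pwd_age_days} days old")
            if reasons:
                if len(path) > 1:
                    reasons.append("privilege inherited via nesting: " + " > ".join(path))
                findings.setdefault(name, {"path": path, "reasons": reasons})
    return findings


def unsupported_hosts(directory: Dict[str, ADObject]) -> List[str]:
    """Computer objects whose OS string matches an out-of-support family."""
    return sorted(o.name for o in directory.values()
                  if o.kind == "computer"
                  and o.operating_system.startswith(UNSUPPORTED_OS_PREFIXES))


# Constructed sample export (not real data).
SAMPLE = {o.name: o for o in [
    ADObject("Domain Admins", "group"),
    ADObject("SQL Admins", "group", member_of=["Domain Admins"]),
    ADObject("Web Ops", "group"),
    ADObject("jdoe", "user", member_of=["Domain Admins"], pwd_age_days=30),
    ADObject("svc_backup", "user", member_of=["SQL Admins"],
             spns=["MSSQLSvc/legacy01.corp.example:1433"], pwd_age_days=1460),
    ADObject("svc_web", "user", member_of=["Web Ops"],
             spns=["HTTP/www.corp.example"], pwd_age_days=700),
    ADObject("LEGACY01", "computer", operating_system="Windows Server 2008 R2 Standard"),
    ADObject("APP02", "computer", operating_system="Windows Server 2019 Standard"),
]}


if __name__ == "__main__":
    for name, info in privileged_service_accounts(SAMPLE).items():
        print(name, info["path"], info["reasons"])
    print("unsupported hosts:", unsupported_hosts(SAMPLE))
```

On the sample data `svc_backup` is flagged because its SPN marks it as a service account, its password has not changed in four years, and it reaches Domain Admins only through the nested "SQL Admins" group; `jdoe` is a plain admin and `svc_web` is a service account without privileged membership, so neither is reported, and `LEGACY01` is the only unsupported host. Pairing the two lists (a service account with a stale password whose SPN points at an unsupported host) is the attack path the engagement above found.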

84%

Of penetration tests against mid-market organizations identify at least one critical finding that would enable complete network compromise — typically within the first 24 hours of testing.

How Cloudskope Can Help

Cloudskope provides manual penetration testing for mid-market enterprises and PE portfolio companies, with initial scoping calls completed within 30 minutes and assessments deliverable within standard due diligence timelines. Our engagements go beyond scanner output to validate real exploitability and business impact. We offer both standalone assessments and integrated M&A due diligence packages that combine penetration testing with identity risk assessment, cloud configuration review, and executive findings briefings.