A penetration test is an authorised, time boxed attempt to find and exploit weaknesses in a system, and to report on them so they can be fixed. It answers a narrow question: what could a competent attacker achieve within the scope and time agreed.
What it is not
- It is not a compliance certificate.
- It is not a guarantee of security after the test date.
- It is not the same as a vulnerability scan, which is automated and unfocused.
- It is not a substitute for logging, patching and staff training.
When to commission one
Before a significant release, after a merger or acquisition, in response to a regulatory expectation, or after a suspected incident to confirm remediation. In each case the value depends on a tight scope, an experienced tester, and a client who is prepared to act on the findings.

