What is a PenTest?

Penetration testing, also known as ethical hacking or pen testing, is a security assessment technique that involves evaluating the security of a computer system, network, or application by simulating an attack from malicious outsiders (think hackers) or insiders. The goal of penetration testing is to identify vulnerabilities, weaknesses, and potential entry points that could be exploited by real attackers. The idea is we wish to secure our systems, networks and applications from hackers by learning how they might be able to gain a foothold in our network.


Penetration testing is typically conducted by skilled security professionals who employ a variety of methods, tools, and techniques to probe the target system. They attempt to exploit vulnerabilities and gain unauthorized access to systems, applications, or data to determine the effectiveness of existing security controls and to discover any potential weaknesses. This course will introduce you to these methods, some tools and techniques. To become a skill pentester you must keep practicing and refining your own skill set. 


The process usually involves several stages, including:


Penetration testing helps organizations proactively identify security weaknesses and address them before malicious attackers can exploit them. It assists in validating the effectiveness of security measures, improving incident response capabilities, and ensuring compliance with security standards and regulations. Other regulatory compliance considerations are HIPPA, FERPA, SOX, GLBA and the GDRP.  

CIA Triad image.

CIA Triad

Cybersecurity professionals use the CIA triad to describe the goals of information security. 


Confidentiality: Confidentiality ensures that information is protected from unauthorized access and disclosure.

Integrity: Integrity focuses on maintaining the accuracy, completeness, and trustworthiness of information.

Availability: Availability ensures that information and resources are accessible and usable when needed. 

DAD Triad image.

DAD Triad

Attackers and pentesters wish to undermine the goals of the CIA Triad. The attackers goals are known as the DAD Triad.


Disclosure: Attacks seek to gain unauthorized access to information or systems.

Alteration: Attacks seek to make unauthorized changes to information or systems.

Denial: Attacks seek to prevent legitimate use of information and systems. 

This if the DAD Triad as the exact opposite of the CIA Traid. 

Why might a Penetration Test be performed?

Can help provide additional visibility into a companies security posture that might not be available by other means. A pentest will not replace the other cybersecurity activities the company is conducting, it will help to complement it and enhance those efforts! 

Another reason is that a business could be required to conduct a pentest due to regulator requirements. For example, PCI-DSS (Payment Card Industry Data Security Standard) requires this! The document is extremely long (over 100 pages), but you can read a quick guide about PCI DSS Compliance to gain an understanding of its requirements. 

Penetration Standards and Methodologies

Creating and starting a Pentest from the ground up is not easy. Luckily we have resources available to use that can help us!


Other ones might also exist, so be aware these are just some of the more common ones that you might come across and should be familair with.