AuditXYZ

Penetration Testing: Definition, Types, and Compliance Requirements

Penetration Testing

Penetration testing (pen testing) is a controlled, authorized simulation of a cyberattack against an organization's systems, networks, or applications. The goal is to discover vulnerabilities that could be exploited by real attackers and assess the potential impact of successful exploitation. Unlike automated vulnerability scanning, penetration testing involves skilled testers who chain vulnerabilities together and attempt to achieve specific objectives like data exfiltration or privilege escalation.

Types of Penetration Tests

  • External network testing — Targets internet-facing infrastructure (web servers, firewalls, DNS, email)
  • Internal network testing — Simulates an attacker who has gained internal network access
  • Web application testing — Focuses on application-level vulnerabilities (injection, authentication flaws, authorization bypass)
  • API testing — Evaluates the security of application programming interfaces
  • Social engineering — Tests human defenses through phishing simulations or physical access attempts
  • Cloud configuration testing — Assesses cloud environment security (AWS, Azure, GCP misconfigurations)

Compliance Requirements

PCI DSS Requirement 11.3 mandates annual penetration testing and retesting after significant changes. Both internal and external testing are required.

ISO 27001 does not explicitly mandate penetration testing but includes controls for technical vulnerability management (A.8.8) and information systems audit (A.8.34). Most organizations include pen testing as part of their vulnerability management program.

SOC 2 auditors frequently ask about penetration testing as evidence of proactive security management, though it is not a specific Trust Services Criteria requirement.

Frequency and Timing

At minimum, penetration testing should be conducted annually and after significant infrastructure changes, application releases, or security incidents. Organizations with rapidly changing environments may test quarterly or integrate testing into their CI/CD pipeline.

Acting on Results

A penetration test is only valuable if findings are remediated. Establish clear processes for triaging findings by severity, assigning remediation owners, tracking progress, and verifying fixes. Auditors will ask whether prior pen test findings were addressed — open findings from previous tests are a red flag.
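The remediation workflow above (triage by severity, assign an owner, track the fix, verify it, and surface open findings from prior tests for the auditor) can be kept honest with a small tracker. The following is an added example, not tooling from AuditXYZ or any framework; the severity-to-deadline table, finding identifiers and dates are constructed for illustration, and a finding only counts as closed once a retest has verified the fix.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadline per severity, in days. Assumed policy values, not
# figures from the page; set them from your own risk appetite or contract.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str
    test_id: str          # which engagement reported it (e.g. "2023-annual")
    severity: str
    reported: date
    owner: Optional[str] = None      # remediation owner; None means untriaged
    fixed_on: Optional[date] = None  # owner claims the fix is deployed
    verified_on: Optional[date] = None  # retest confirmed the fix

    def due_date(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        # A claimed fix without a retest is not closed: verification is required.
        if self.verified_on is not None:
            return "closed"
        if self.fixed_on is not None:
            return "awaiting-verification"
        if self.owner is None:
            return "unassigned"
        return "overdue" if today > self.due_date() else "open"


def triage(findings, today: date) -> dict:
    """Group finding ids by status, most severe and soonest-due first within each group."""
    report = {"closed": [], "awaiting-verification": [], "unassigned": [], "overdue": [], "open": []}
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.due_date())):
        report[f.status(today)].append(f.finding_id)
    return report


def audit_red_flags(findings, today: date, current_test: str) -> list:
    """Findings an auditor will question: anything not closed that came from an
    earlier engagement, plus anything past its remediation deadline."""
    flags = []
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.due_date())):
        status = f.status(today)
        if status == "closed":
            continue
        if f.test_id != current_test:
            flags.append((f.finding_id, "open from prior test"))
        elif status == "overdue":
            flags.append((f.finding_id, "overdue"))
    return flags


def sample_findings() -> list:
    """Constructed sample data for two annual engagements."""
    return [
        Finding("PT-2023-001", "2023-annual", "critical", date(2023, 5, 10), "appsec",
                fixed_on=date(2023, 5, 15), verified_on=date(2023, 5, 20)),
        Finding("PT-2023-002", "2023-annual", "medium", date(2023, 5, 10), "infra"),
        Finding("PT-2024-001", "2024-annual", "high", date(2024, 5, 20), "appsec",
                fixed_on=date(2024, 5, 28)),
        Finding("PT-2024-002", "2024-annual", "low", date(2024, 5, 20)),
        Finding("PT-2024-003", "2024-annual", "critical", date(2024, 5, 20), "infra"),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for status, ids in triage(sample_findings(), today).items():
        print(f"{status:22s} {ids}")
    for finding_id, reason in audit_red_flags(sample_findings(), today, "2024-annual"):
        print(f"RED FLAG {finding_id}: {reason}")
```

Run against the sample data with a reporting date of 2024-06-01, the tracker shows the 2023 medium finding still open from the previous engagement and the current critical finding past its seven-day deadline; the high finding whose owner reports it fixed stays in "awaiting-verification" until a retest date is recorded, which is exactly the evidence an auditor asks for.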
