Penetration Test
A penetration test (pentest) is an authorized, controlled attack on IT systems in which security experts simulate the methods of real attackers to identify and assess vulnerabilities.
A penetration test goes beyond automated vulnerability scans: experienced security experts combine technical tools with manual analysis, creative problem-solving, and simulated attack chains.
Key Difference: Vulnerability Scan vs. Penetration Test
| Feature | Vulnerability Scan | Penetration Test |
|---|---|---|
| Degree of Automation | Fully automated | Manual + automated |
| Exploitation | No | Yes (controlled) |
| Attack Chains | No | Yes |
| Effort | 1–4 hours | 3–20 days |
| Evidential Value | Low | High |
Common types of penetration tests
- Web application penetration test: OWASP methodology, API testing, business logic vulnerabilities
- Network penetration test: infrastructure, Active Directory, internal segmentation
- Social engineering: phishing tests, vishing, physical penetration
- Red team exercise: comprehensive APT simulation with C2 infrastructure
- Cloud penetration test: AWS/Azure/GCP misconfigurations, IAM misuse
Legal Notice
Penetration tests may only be conducted with written authorization from the system owner. Without authorization, such testing constitutes computer sabotage (§ 303b StGB) and data espionage (§ 202a StGB).