What Is Penetration Testing? Here's the right definition​

Definition

What is Penetration Testing?

The meaning of Penetration Testing, as defined by the English dictionary, means to identify the presence of points where something can find or force its way into or through something else.

When applied to IT Security, Penetration Testing Services are most often used to positively identify points of vulnerability before bad actors do. Since Penetration Tests are tests, they must determine the genuineness of the vulnerabilities that they identify, hence the word “test”.

In most, if not all cases this determination is done through exploitation. If a potential issue is successfully exploited then its determined to be a genuine vulnerability and is reported. Findings that cannot be exploited are either not reported or are reported as theoretical findings when justified. Because Penetration Tests prove the genuineness of vulnerabilities their deliverables should always be free of false positives.

Hackers - Vulnerability Disclosures

Penetration Testing

Limitations

Penetration Testing, by definition, does not impose any limitations on the methods that can be used to determine the presence of points where something can make its way into or through something else. When limitations are imposed they are the product of customer requirements, project scope, team capabilities, and resources.

Penetration Test

Threat Level and Quality

With regards to IT Security, a Penetration Test should produce levels of threat that are at least equal to those which are likely to be faced in the wild. This enables the testing team to identify the same types of vulnerabilities that might otherwise be identified by the real threat.  Once those vulnerabilities are identified they can be remediated against thus preventing a compromise. Testing at less than realistic levels of threat is ineffective and akin to testing a bulletproof vest with a squirt gun instead of live rounds.  Note: The real threat commonly uses malware, social engineering and phishing (a form of social engineering) when attempting to penetrate targets. Penetration Testing & Uses In IT Security Penetration Tests are most commonly applied to Networks, Web Application, and Physical Security. In theory, anything can undergo a Penetration Test.

Keyboard With Pirate Key

DIFFERENTIATE

Penetration Tests vs Vulnerability Scans

Many security firms are dressing up a low quality vulnerability scan as a penetration test and charging you thousands of dollars for it.  You think you are buying a penetration test when in reality you’re getting a poor quality vulnerability scan, then an engineer looks over the scan report, massages the findings and they call this a penetration test. This is NOT a pen test. This is an automates vulnerability scan that is being disguised as a penetration test. If you are requesting a quote for a pen test and the security firm simply asks you for a number of IP addresses and then gives you a price. You’re likely just getting a scan and being charged for a penetration test.

Learn About Netragard’s Penetration Testing Services

- For More Information -

We Protect You From People Like Us.

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.