Penetration Testing

Penetration or pen testing is a security practice where a real-world attack on a subset of an organization’s IT ecosystem is simulated in order to discover the security gaps that an attacker could exploit. Such testing was born in the 1960s with the goal of revealing to the organization how a skilled and motivated attacker could get past, or penetrate, an organization’s defenses. Pen testing is now a requirement for several regulatory regimes including Payment Card Industry (PCI), Federal Information Security Modernization Act (FISMA and Health Insurance Portability and Accountability Act (HIPAA).

While manual pen testing can provide useful insights, the process is costly, time consuming and inherently unscalable as it is based on a simulated attack conducted by a skilled individual. Pen testing is only done on assets that are already known to, and protected by, IT and security teams. Other drawbacks to manual pen testing include that it is typically done only periodically and produces a point-in-time snapshot of the known enterprise assets that is typically outdated by the time that the analysis is complete.