What Is Penetration Testing? (And How It Actually Works)

Penetration testing — pentesting — is the practice of attacking a system with the owner's permission to find vulnerabilities before someone malicious does. It's not theoretical. A penetration tester uses the same techniques, tools, and mindset as an attacker. The only difference is the authorisation and the report at the end.

Companies pay for this because the alternative — waiting to find out about vulnerabilities when they appear in a breach notification — is considerably more expensive.

What actually happens during a pentest

A penetration test follows a structured methodology. The specifics vary by firm and engagement type, but the phases look like this:

• —Scoping — defining exactly what is and isn't in scope. What systems can be tested? What attack types are allowed? What's the timeline? This is a legal contract as much as a technical brief.
• —Reconnaissance — gathering information about the target. Subdomains, IP ranges, technologies used, employee names and emails, leaked credentials in public breach databases.
• —Scanning and enumeration — actively probing the scope. Port scanning, service fingerprinting, web application crawling, identifying potential attack surface.
• —Exploitation — attempting to exploit discovered vulnerabilities. SQL injection, authentication bypasses, misconfigured services, known CVEs.
• —Post-exploitation — once inside, how far can you go? Privilege escalation, lateral movement, data access.
• —Reporting — documenting every finding with severity rating, reproduction steps, and remediation guidance. This is the deliverable the client actually pays for.

Types of penetration testing

Pentesting covers more than just web applications. The main categories:

• —Web application pentesting — the most common type. Testing web apps, APIs, and authentication systems for OWASP-class vulnerabilities.
• —Network pentesting — assessing internal and external network infrastructure. Routers, firewalls, VPNs, exposed services.
• —Mobile pentesting — iOS and Android apps. Insecure storage, weak authentication, API abuse, binary analysis.
• —Social engineering — phishing simulations, pretexting, physical security testing. Exploiting people rather than systems.
• —Red team operations — a full adversary simulation against a mature security team. Not just finding vulnerabilities but testing detection and response capabilities. Much longer engagements.

Black box, white box, grey box

These terms describe how much information the tester is given before the engagement starts.

Black box — the tester gets a target (a URL or IP range) and nothing else. They approach it the way an external attacker would, with no knowledge of internal architecture, credentials, or source code. Realistic but slower.

White box — the tester gets full access: source code, architecture diagrams, credentials, documentation. More thorough and efficient. Often used for code review alongside active testing.

Grey box — somewhere between. The tester gets some information — maybe a user account, or knowledge of which technologies are used — but not full internals. The most common real-world engagement type.

Penetration testing vs vulnerability scanning

These are not the same thing and the distinction matters. A vulnerability scan runs automated tools that check for known vulnerabilities — unpatched software, default credentials, common misconfigurations. It produces a list of findings based on signatures.

A penetration test involves human judgment. A skilled tester identifies the vulnerabilities a scanner would miss: logic flaws in how the application works, chained vulnerabilities that are only dangerous in combination, business logic issues that require understanding the application's intent.

What good pentest reporting looks like

The report is the output. A good pentest report has two audiences: the technical team who will fix the issues and the executives who approved the budget. It needs to serve both.

Each finding should include:

• —Severity rating — Critical / High / Medium / Low / Informational, based on CVSS or a similar framework
• —Description — what the vulnerability is and why it exists
• —Proof of concept — exact steps to reproduce, with screenshots or payloads
• —Impact — what an attacker can do with this, in business terms
• —Remediation — specific, actionable steps to fix it

How to get into penetration testing as a career

The practical path is: build technical skills in labs and CTFs, get the OSCP certification, then apply to consulting firms or in-house security teams. Many people also move into pentesting from other IT roles — developers and sysadmins have a significant advantage because they already understand how systems are built.

Bug bounty hunting is also a legitimate parallel path. Several people have been hired directly by companies they found significant vulnerabilities in, and a strong public track record on HackerOne or Bugcrowd substitutes for credentials in many hiring conversations.

The OSCP remains the benchmark certification for getting hired. CEH (Certified Ethical Hacker) is less respected in technical circles because it's primarily multiple choice — it tests knowledge of hacking concepts rather than the ability to actually hack. Employers who know the difference know the difference.

Is it legal?

Penetration testing without written authorisation is illegal in most jurisdictions under computer fraud laws. The Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), and equivalent laws elsewhere define unauthorised access broadly. "I was just testing" is not a defence.

Professional engagements are covered by a signed Statement of Work or Rules of Engagement document that specifies the scope, permitted techniques, and liability. Bug bounty programmes publish a policy that grants permission within defined boundaries. Both provide the legal cover that makes the work legitimate.

If you're learning, practice on systems you own or on platforms explicitly designed for it — CTF environments, intentionally vulnerable apps, lab platforms. The legal and ethical path is also the faster path: deliberate practice in controlled environments beats poking at random sites with no permission and no feedback.