What do we mean by ‘Penetration Test’?

Ben Downton, Principal Security Consultant
December, 2015
4 mins read

You might have heard the phrase “penetration test”, but what does it actually mean? We discuss the typical options available for security assessments, looking at the pros and cons of each type.

The term penetration test has long been used by the security industry to mean anything from an elite assessment that simulates a real life attack, to little more than an analyst pressing 'start' and 'stop' on an off-the-shelf scanning solution.

It’s important for organizations to be informed, so they can make better risk-based decisions. With that in mind, here are four different levels of security assessment and their appropriate uses that organizations can employ:

Vulnerability assessment

A vulnerability assessment makes use of automated tools to identify technical vulnerabilities in systems, either through their configuration or maintenance. These vulnerabilities are found by testing for known conditions, and are typically related to outdated software or default configurations that can be actively exploited.


  • Broad coverage
  • Minimal resources
  • Simple fixes


  • Risks are generic and without business context
  • Time consuming to process results
  • Likely to contain false-positives

System-driven penetration test

A system-driven penetration test builds on the vulnerability assessment by performing additional manual security testing. This involves exploring any exploitable vulnerabilities further to compromise the system or information exposed. It also identifies whether any access gained could be used as a pivot to target further systems.


  • Verification of vulnerabilities and ease of exploitation
  • Enables compliance tracking and metrics


  • Limited business context
  • Full coverage is resource intensive
  • Attacks may not be realistic

Goal-driven penetration test

As the name suggests, goal-driven penetration test looks at attacker goals, not IT systems. The penetration test then seeks to achieve these goals through various means, identifying which attack paths are viable to achieve such a goal and which aren’t.

The scope is much broader (usually the entire organization) and supported with knowledge of the organization, but provides a more realistic view of how an attack would be conducted.


  • Identifies real attack paths
  • Lists business impact


  • Attacks are conducted by ‘shortest path’ and may not cover all systems
  • Doesn’t assess detection and response capabilities

Targeted attack simulation

A targeted attack simulation (TAS) looks to achieve the same objectives as the goal-driven penetration test but is conducted in line with how a real cyber attack would occur.

All stages of an attack, from target enumeration through to post-exploitation and exfiltration of data are executed. Acting with a degree of stealth allows the organization to determine not only if an attack’s possible, but whether their capabilities are sufficient to detect and respond to the attack within a reasonable time frame.


  • Highlights detection and response capabilities
  • Techniques used are aligned with the most likely threat actors


  • Resource intensive
Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs