Performing a penetration test allows an organisation to test the robustness of its security controls, as well as the security of its network, IT systems and website, against an attack. A pen-test will indicate whether an active attack by a malicious actor would be successful, rather than just identifying any vulnerabilities. This allows an organisation to plug holes in both its security controls and technical infrastructure before a real attack takes place.
Depending on the goal of the test, a pen-test starts from the position of the tester having either no knowledge of the target, some knowledge, or full internal access to the target. These are known as black, grey and white box testing respectively. Most effective and commonly performed is black box testing, where the tester will begin by finding out as much about the organisation as possible and then, using any available routes of entry, try to get a foothold within the business and breach its systems. This is done in a tightly controlled manner and only as far as the test scope allows. Once the test is complete, a report is prepared explaining the test findings and any recommendations.