[08] Penetration Testing

By: Prasanna

📘 Topic: Penetration Testing

Domain: D7 – Security Operations
Tags: #cissp


🧾 Definition

Penetration testing is an authorized simulation of attacks against an organization’s systems, applications, or networks to identify exploitable weaknesses and validate defenses.


🔑 Key Points

  • Testing must be scoped and approved under clear rules of engagement.
  • The test should identify vulnerabilities, validate exploitability, and support remediation.
  • It differs from routine vulnerability scanning because it actively attempts to exploit weaknesses.
  • Findings should be documented, prioritized, and retested after remediation.

⚠️ CISSP Insight

  • Security testing should be controlled, documented, and aligned with business risk and legal requirements.
  • Penetration testing is useful for validating the effectiveness of controls, not just listing defects.

βš”οΈ Key Difference / Trap

  • Penetration test vs vulnerability scan
    • Vulnerability scan = identifies issues
    • Penetration test = attempts real exploitation under controlled conditions
  • Red team vs pentest
    • Red team may have broader objectives and may not be limited to a single technical scope

πŸ—οΈ Example

A security team hires an external tester to assess a web application; the tester attempts to exploit weak authentication controls, staying within the agreed scope.


📚 References

  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
  • NIST SP 800-53, CA-8 and RA-5
  • ISO/IEC 27001:2022, Annex A 8.8

πŸ” Quick Recall

  • Pentest = controlled attack simulation
  • Goal = validate real exploitable weaknesses