The penetration test, commonly referred to as the manual test, is an authorized simulation of an attack on a computer system, conducted to assess the security of a system. The test is conducted to identify both weaknesses (also called vulnerabilities), including the ability for unauthorized parties to access the functions and data of the system, as well as strengths, which allows for a complete risk assessment.
The process usually identifies target systems and a specific goal, then scans the available information and takes various ways to achieve this goal. The purpose of the penetration test may be a white box (which provides reference and system information) or a black box (which provides only basic information or does not provide any information other than the company name). The gray box penetration test is a combination of the two (where limited knowledge of the goal is passed on to the auditor). The penetration test can help determine if the system is vulnerable to attack, if the defenses were sufficient, and which defenses (if any) in the test were defeated.
Security issues that a penetration test detects should be reported to the system owner. Reports on penetration tests can also assess the potential impact on an organization and suggest countermeasures to reduce risk.
The National Cybersecurity Center describes penetration testing as follows: A method of gaining confidence in the security of an IT system by attempting to disrupt some or all of the security of this system using the same tools and methods as the attacker.