Penetration testing (often shortened to pen testing) is an authorised security assessment that simulates the actions of a real attacker against a defined target. The goal is to discover and exploit weaknesses in a controlled way so they can be fixed before a malicious actor finds the same flaws.
Why penetration testing exists
Modern systems are too complex for any individual or team to reason about exhaustively. Vulnerability scanners catch known issues with signatures, but they cannot reason about how findings combine, how access can be chained, or whether a flaw matters in the business context. Penetration testing fills that gap: a skilled tester thinks the way an attacker thinks and demonstrates the impact of weaknesses in real terms.
Standard phases
Scoping defines the target, the rules of engagement, the schedule, and the deliverables.
Reconnaissance gathers public information and maps the attack surface.
Vulnerability identification combines automated scanning with manual review to surface candidate issues.
Exploitation validates findings by demonstrating real-world impact, staying within the limits set in the rules of engagement (for example, proving access to a database rather than exfiltrating its contents).
Post-exploitation explores how far an attacker could pivot, what data could be reached, and what damage could be done.
Reporting documents findings with reproduction steps, evidence, severity ratings, and remediation guidance.
Retest verifies that fixes have been applied correctly.
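The scoping phase only protects the tester and the client if the agreed scope is actually enforced when tools are run. The following is an added example, not code from the original page: a small scope gate in Python that every active tool invocation is routed through. The rules-of-engagement format (a JSON document with in-scope CIDRs or hostnames, explicit exclusions and a testing window), the client name, the address ranges and the timestamp are all constructed for illustration.

```python
"""Scope gate: refuse to touch any target the rules of engagement do not cover.

Added example, not from the original page. The RoE format below (JSON with
in_scope, excluded and a testing window) is an assumption for illustration.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample rules of engagement; client, ranges and dates are hypothetical.
RULES_OF_ENGAGEMENT = json.loads("""
{
  "client": "Example Ltd",
  "in_scope": ["203.0.113.0/24", "app.example.com", "*.api.example.com"],
  "excluded": ["203.0.113.10", "legacy.api.example.com"],
  "window": {"start": "2024-06-03T08:00:00+00:00",
             "end":   "2024-06-07T18:00:00+00:00"}
}
""")

# Constructed "current time" used for the demonstration, inside the window above.
EXAMPLE_NOW = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)


def _matches_host(pattern, host):
    """Exact hostname match, or a '*.' wildcard matching subdomains but not the apex."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _matches_entry(entry, target):
    """Match a target against one RoE entry; the entry may be a CIDR, a single IP or a hostname."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if addr is not None and net is not None:
        return addr in net            # IP target against CIDR/IP entry
    if addr is None and net is None:
        return _matches_host(entry, target)  # hostname target against hostname entry
    return False                      # IP vs hostname never match


def in_scope(target, roe=RULES_OF_ENGAGEMENT, now=None):
    """Return (allowed, reason). Exclusions beat inclusions; outside the window nothing is allowed."""
    now = now or datetime.now(timezone.utc)
    start = datetime.fromisoformat(roe["window"]["start"])
    end = datetime.fromisoformat(roe["window"]["end"])
    if not (start <= now <= end):
        return False, "outside the agreed testing window"
    if any(_matches_entry(e, target) for e in roe["excluded"]):
        return False, "explicitly excluded by the rules of engagement"
    if any(_matches_entry(e, target) for e in roe["in_scope"]):
        return True, "in scope"
    return False, "not listed in scope"


def scan_if_allowed(target, roe=RULES_OF_ENGAGEMENT, now=None):
    """Wrapper that every active tool call should pass through; it fails closed."""
    allowed, reason = in_scope(target, roe, now)
    if not allowed:
        raise PermissionError(f"refusing to test {target}: {reason}")
    return f"would scan {target}"     # replace with the real tool invocation


if __name__ == "__main__":
    for t in ["203.0.113.5", "203.0.113.10", "v2.api.example.com",
              "api.example.com", "198.51.100.7"]:
        print(t, in_scope(t, now=EXAMPLE_NOW))
```

Two design choices matter here: exclusions are checked before inclusions, so a host that is both inside an in-scope CIDR and on the exclusion list is refused, and the gate fails closed, so a target the rules do not mention is treated as out of scope rather than silently tested.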
Types of engagement
External, internal, web application, mobile application, API, cloud, wireless, social engineering, physical, and red team. Each focuses on a specific attack surface or scenario.
How it differs from a vulnerability assessment
A vulnerability assessment lists weaknesses; a penetration test demonstrates which weaknesses can be exploited and what they mean for the business. Both are valuable: vulnerability assessment for ongoing hygiene, penetration testing for higher assurance and for the deeper findings that automated tooling cannot reach.
UK context
Regulated industries (financial services, healthcare via the NHS Data Security and Protection Toolkit, government via the NCSC CHECK scheme) expect penetration testing as part of their compliance posture. CREST membership is widely required as evidence of competent testing practice. The Computer Misuse Act 1990 sets the legal boundary: it criminalises unauthorised access to computer systems, so a penetration test is lawful only because the system owner has authorised it. In practice that authorisation is obtained in writing, with the scope and rules of engagement defined, before any testing begins.
Related terms
See also: penetration tester, vulnerability assessment, external penetration testing, and web application penetration testing.