The goals of a penetration test
- Determine the feasibility of a particular set of attack vectors
- Identify any vulnerabilities that are present, including high-risk ones that result from a combination of lower-risk vulnerabilities exploited in sequence
- Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assess the potential business and operational impacts of successful attacks
- Test the ability of network defenders to detect and respond to attacks
- Justify increased investment in security personnel and technology

Penetration tests are an important part of a full security audit. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing on a regular schedule and after any system changes.