THREAT BRIEFING · 11.07.2026 DEENFRES

Security Glossary

What Is a Penetration Test? Definition and Key Differences

By Benedikt Langer · July 10, 2026 · 6 min read

What is a Penetration Test? A penetration test is an authorized, controlled attack on your own IT infrastructure to find exploitable vulnerabilities before real attackers can. Unlike an automated vulnerability scan, the test checks whether identified weaknesses can actually be exploited and what real risk they pose. Prerequisite is always written authorization by the system owner.

Key Takeaways

  • Core: an authorized, controlled attack on your own IT to identify exploitable vulnerabilities and prioritize them by real risk.
  • Distinction: Vulnerability scanning automatically finds known issues, while a penetration test manually exploits vulnerabilities, and red teaming additionally tests the defender’s detection and response.
  • Legal framework: Only permissible with written authorization from the system owner. Without authorization, the same procedure constitutes a crime.

What a Penetration Test Provides

A penetration test simulates a real attack on your own IT infrastructure, web application or organization. The goal is not to identify all vulnerabilities comprehensively, but to determine which gaps can actually be exploited and what damage an attacker could cause. The test therefore provides risk prioritization that automated scans cannot offer.

3 Stages

Vulnerability scan, Penetration test, Red Teaming

automatic – manual – covert

The results flow into a report that, for each identified vulnerability, specifies the risk, the reproduction path and a priority for remediation. A follow-up test checks whether the countermeasures are effective. This prioritization is the real value for IT managers and CISOs: they know where to invest first.

Penetration Test Process

A penetration test proceeds through several phases. The first phase is scoping: the client and tester agree on which systems will be examined, what objectives apply, and what depth of testing is desired. The legal framework is also agreed upon here.

Next comes reconnaissance, the information gathering stage. Testers collect data on the target systems, publicly available information, technical infrastructure, and potential attack surfaces. In the exploitation phase they then attempt to exploit identified vulnerabilities in a controlled manner and move deeper into the infrastructure. Each step is documented to ensure reproducible results.

The process concludes with a report. It lists each vulnerability with description, risk assessment, and recommended actions. A clear prioritization helps the client address the most critical gaps first. A follow-up test after remediation confirms that the measures are effective.

Black-Box, Grey-Box, and White-Box

Penetration tests differ based on the knowledge available to the testers. In a Black-Box test, the tester receives no information about the target system and approaches it like an external attacker. This method is realistic but time-consuming and does not uncover all possible pathways.

In a Grey-Box test, the tester is provided with selected information such as credentials or architectural documentation. This approach focuses the testing on specific areas and is more efficient. In a White-Box test, the tester has full insight into the source code, configuration, and architecture. This method identifies the most vulnerabilities, but it does not simulate a genuine external attack.

Distinguishing from Related Terms

Vulnerability scanning, penetration testing and red teaming are often confused, but they differ clearly in depth and purpose. A vulnerability scan is an automated process that identifies known vulnerabilities based on signatures. It is fast and repeatable, but it does not verify whether a vulnerability can actually be exploited.

In a penetration test, a human tester systematically exploits identified vulnerabilities, links multiple gaps together, and assesses the real risk. The result is a prioritized list of exploitable vulnerabilities.

Red teaming goes further. It pursues a specific objective such as gaining access to a particular system or stealing data and operates covertly. It also tests whether defenders can detect and respond to the attack. Red teaming therefore evaluates the entire defense chain, encompassing technology, processes, and people.

Legal Framework and Authorization

A penetration test is only permissible with written authorization from the system owner. Without such authorization, the same procedure constitutes a crime – unauthorized access to foreign systems is punishable, regardless of intent.

Third‑party systems such as SaaS services or cloud platforms also require the consent of the respective operator. Anyone wishing to test an application that runs on a cloud infrastructure needs permission from the cloud provider. Many providers have their own processes and forms for this.

For authorizations, the BSI’s practice guide on penetration testing offers guidance. It outlines quality criteria and helps compare providers. Tester certifications are another quality anchor. NIS2 further drives demand, as the directive requires regular effectiveness checks of security measures. A penetration test is a suitable instrument to demonstrate this effectiveness.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan automatically detects known vulnerabilities based on signatures, but does not check whether they are exploitable. A penetration test exploits found vulnerabilities manually and assesses the real risk.

When is a penetration test legally permissible?

A penetration test is only permissible with written authorization from the system owner. Without such authorization, the operation constitutes a crime. For systems belonging to third parties, such as SaaS services, their consent is also required.

What distinguishes a penetration test from red teaming?

A penetration test actively seeks out exploitable vulnerabilities. Red teaming pursues a concrete attack goal and operates covertly. It also checks whether defenders can detect the attack and respond appropriately.

How often should a penetration test be conducted?

A penetration test should be conducted regularly and after major changes to the infrastructure. NIS2 requires regular effectiveness checks of security measures, for which a penetration test is an appropriate instrument.

What should be taken into account when commissioning?

The BSI Practice Guide for Penetration Tests provides guidance for commissioning. Important aspects include clear scoping, comprehensible reports with prioritization, and a follow-up test. Tester certifications serve as a quality anchor.

Editor’s Picks

Editor’s PickWhat Is NIS2? Definition, Obligations, and LiabilityEditor’s PickEDR vs XDR: Definition and Key DifferencesEditor’s PickHarden Active Directory Before the Attacker Does

More from the MBF Media Network

cloudmagazinEight Minutes to AWS Admin: How an Open S3 Bucket and an Admin Lambda Were All It TookMyBusinessFutureWhen the update itself becomes an entry point

Further reading

A magazine by Evernine Media GmbH