Black Box vs. White Box
Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black Box Testing assumes no prior knowledge of the infrastructure to be tested, and the testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, White Box Testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information. There are also several variations in between, often known as Gray Box Testing.*
The relative merits of these approaches are debatable. It is argued that black box testing most closely simulates the actions of a real cracker; however, this ignores the fact that any targeted attack on a system most probably requires some knowledge of the system, and any insider attacker would be in possession of as much information as the system owners. In most cases it is preferable to assume a worst-case scenario and provide the testers with as much information as they require, assuming that any determined attacker would already have acquired this.*
In practice, the services offered by penetration testing firms range from a simple scan of an organization's IP address space for open ports and identification banners to a full audit.*