What do we mean by 'Penetration Test'?

A guide to the typical options available for security assessments, looking at the pros and cons of each type

I believe it is our job in the industry not just to 'do security' for our customers but to inform, so that they can make better risk-based decisions. With that in mind I have defined four different levels of security assessment, each with their appropriate uses, that organisations can employ:

1. Vulnerability assessment

A vulnerability assessment makes use of automated tools to identify technical vulnerabilities in systems, either through their configuration or maintenance. These vulnerabilities are found by testing for known conditions, and are typically related to outdated software or default configurations that can be actively exploited.

  • Advantages: Broad coverage; minimal resources; simple fixes
  • Disadvantages: Risks are generic and without business context; time-consuming to process results; likely to contain false positives

2. System-driven penetration test

A system-driven penetration test builds on the vulnerability assessment by performing additional manual security testing. This involves exploring any exploitable vulnerabilities further to compromise the system or information exposed, as well as identifying whether any access gained could be used as a pivot to target further systems.

  • Advantages: Verification of vulnerabilities and ease of exploitation; enables compliance tracking and metrics
  • Disadvantages: Limited business context; full coverage is resource-intensive; attacks may not be realistic

3. Goal-driven penetration test

A goal-driven penetration test looks not at IT systems but at attacker goals. The penetration test then seeks to achieve these goals through various means, identifying which attack paths are viable to achieve such a goal and which are not.

The scope is much broader (usually the entire organisation) and the test is supported with knowledge of the organisation, but it provides a more realistic view of how an attack would be conducted.

  • Advantages: Identifies real attack paths, enumerates business impact
  • Disadvantages: Attacks are conducted by ‘shortest path’ and may not cover all systems; does not assess detection and response capabilities

4. Targeted attack simulation

A targeted attack simulation looks to achieve the same objectives as the goal-driven penetration test but is conducted in line with how a real cyber-attack would occur.

All stages of an attack, from target enumeration through to post-exploitation and exfiltration of data, are executed. Acting with a degree of stealth allows the organisation to determine not only if an attack is possible, but whether its capabilities are sufficient to detect and respond to the attack within a reasonable time frame.

  • Advantages: Highlights detection and response capabilities; techniques used are aligned with the most likely threat actors
  • Disadvantages: Resource-intensive



