Penetration Testing

Penetration testing is the practice of mounting authorized, simulated attacks against a system in order to find weaknesses that a real attacker could exploit, and to demonstrate their impact, before a genuine adversary does. It is sometimes called “ethical hacking,” and it is conducted with the explicit permission of the system owner.

NIST Special Publication 800-115, the “Technical Guide to Information Security Testing and Assessment,” is a primary reference for this discipline. NIST states the guide’s purpose is to “assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies.” It treats penetration testing as one of several technical assessment techniques, alongside vulnerability scanning and review, and emphasizes documenting both the benefits and the limitations of each method.

For web applications specifically, the OWASP Web Security Testing Guide (WSTG) provides a detailed methodology. OWASP describes it as a resource that “provides a framework of best practices used by penetration testers and organizations all over the world,” organizing individual tests under standardized identifiers (such as WSTG-INFO-02) so that coverage can be tracked systematically.
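As an added illustration of tracking coverage against standardized identifiers (this is example code written here, not part of the OWASP WSTG or any tool it publishes), the following Python validates identifiers of the shape quoted above, WSTG-<category>-<two digits>, and summarizes per-category coverage and failures from a results table. Only WSTG-INFO-02 comes from the text; every other identifier in the sample is a constructed placeholder that shows the format, not a real test plan.

```python
import re
from collections import defaultdict

# Identifier shape used in the text: WSTG-<four-letter category>-<two-digit number>.
WSTG_ID = re.compile(r"^WSTG-(?P<cat>[A-Z]{4})-(?P<num>\d{2})$")

VALID_STATUSES = {"pass", "fail", "not_tested"}

# Constructed sample results. WSTG-INFO-02 is quoted in the text above; the
# remaining entries are placeholders illustrating the identifier format only.
SAMPLE_RESULTS = {
    "WSTG-INFO-02": "pass",
    "WSTG-INFO-03": "fail",
    "WSTG-CONF-01": "not_tested",
    "WSTG-ATHN-01": "pass",
    "wstg-athn-02": "fail",   # lower-case: rejected as malformed
    "WSTG-BUSL-1": "pass",    # one digit: rejected as malformed
}


def parse_id(test_id):
    """Return (category, number) for a well-formed identifier, else None."""
    m = WSTG_ID.match(test_id)
    if not m:
        return None
    return m.group("cat"), int(m.group("num"))


def coverage_report(results):
    """Group results by category and compute how much of each was actually tested.

    Malformed identifiers or unknown statuses are reported separately rather
    than silently dropped, so gaps in the tracking sheet itself are visible.
    """
    report = {"malformed": [], "categories": {}}
    per_cat = defaultdict(lambda: {"total": 0, "tested": 0, "fail": 0})
    for test_id, status in results.items():
        parsed = parse_id(test_id)
        if parsed is None or status not in VALID_STATUSES:
            report["malformed"].append(test_id)
            continue
        cat, _ = parsed
        bucket = per_cat[cat]
        bucket["total"] += 1
        if status != "not_tested":
            bucket["tested"] += 1
        if status == "fail":
            bucket["fail"] += 1
    for cat, bucket in per_cat.items():
        bucket["coverage"] = bucket["tested"] / bucket["total"]
        report["categories"][cat] = bucket
    return report


def untested_ids(results):
    """List well-formed identifiers whose test has not yet been run."""
    return sorted(
        t for t, s in results.items()
        if parse_id(t) is not None and s == "not_tested"
    )


if __name__ == "__main__":
    rep = coverage_report(SAMPLE_RESULTS)
    for cat, b in rep["categories"].items():
        print(f"{cat}: {b['tested']}/{b['total']} tested, {b['fail']} failing")
    print("untested:", untested_ids(SAMPLE_RESULTS))
    print("malformed:", rep["malformed"])
```

The report keeps malformed rows rather than dropping them, because a tracking sheet that silently loses a row overstates coverage; the "not_tested" status is what makes the difference between "we looked and found nothing" and "we never looked" explicit.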

What distinguishes penetration testing from automated scanning is the human element: a tester chains together weaknesses, reasons about business logic, and actually demonstrates exploitation, rather than simply flagging potential issues from a checklist. A scanner might report a suspicious endpoint; a penetration tester proves whether it can be turned into a real compromise, and shows the defender exactly what an attacker would gain.