Penetration testing — also called pentesting or ethical hacking — is the practice of legally attacking computer systems, networks, and applications to find security vulnerabilities before real attackers do. It is one of the most in-demand and best-paid skills in cybersecurity, and it sits at the foundation of everything HOC teaches.
This guide explains exactly what penetration testing is, the different types that exist, the methodology professionals follow, the tools used at each stage, the legal and ethical framework that makes it legitimate, the career path from beginner to professional pentester, and how penetration testing differs from related concepts like vulnerability scanning and bug bounty hunting.
Whether you are a complete beginner trying to understand the field, a student preparing for your first certification, or someone exploring a career change into cybersecurity — this is your definitive starting point. Jump to methodology →
- What is penetration testing — in plain English
- Why organisations need penetration testing
- Types of penetration testing
- Black box vs grey box vs white box testing
- The penetration testing methodology — all 5 phases
- Essential tools used in each phase
- Pentesting vs vulnerability scanning — what's the difference?
- Pentesting vs bug bounty — which should you do?
- Legal and ethical considerations
- What a penetration test report looks like
- Penetration testing as a career — how to get started
- Frequently asked questions
Imagine hiring a professional locksmith to try to break into your house — using real tools, real techniques, and genuinely trying to get in — so you can find out which locks are weak before a real burglar does. That is exactly what a penetration tester does, but for computer systems.
A penetration tester (pentester) is given permission by an organisation to attack their systems using the same tools, techniques, and tactics that real attackers use. The goal is not to cause damage — it is to find vulnerabilities, demonstrate their impact, and provide a detailed report so the organisation can fix the weaknesses before a real attacker exploits them.
Penetration testing is an authorised simulated cyber attack on a computer system, performed to evaluate the security of the system.
Three words separate ethical hacking from criminal hacking:
- Authorised — you have written permission from the system owner
- Simulated — you are mimicking real attack techniques without causing real harm
- Evaluated — the goal is assessment and improvement, not damage or theft
The terms penetration testing, ethical hacking, and security testing are often used interchangeably, but there are subtle differences. Ethical hacking is the broader practice; penetration testing is a specific, structured engagement with defined scope, methodology, and a formal deliverable report.
Security tools like firewalls, antivirus software, and intrusion detection systems provide defence — but they cannot tell you whether that defence actually works against a determined attacker using current techniques. Penetration testing answers the questions that automated tools cannot:
- Can an attacker get from the internet to our customer database? How many steps does it take?
- If one of our employees clicks a phishing link, how far can the attacker move through our network?
- Are our new cloud infrastructure configurations actually secure?
- Could a disgruntled employee with low-level access escalate privileges to admin?
- Does our incident response team actually detect and respond to attacks — or would a real attacker operate undetected for weeks?
- Regulatory compliance — PCI DSS explicitly requires penetration testing at least annually and after significant changes; ISO 27001, SOC 2, HIPAA, GDPR, and DORA require demonstrable, regular testing of security controls, for which a pentest report is the usual evidence. Non-compliance fines can exceed the cost of a pentest by orders of magnitude.
- Breach prevention — the average cost of a data breach in 2024 was $4.88 million (IBM Cost of a Data Breach Report). A pentest costing $15,000–$50,000 is a fraction of that risk.
- Cyber insurance — insurers increasingly require evidence of penetration testing before issuing cybersecurity insurance policies, and use pentest results to set premium rates.
- Third-party assurance — enterprise customers frequently require vendors to demonstrate security through annual pentest reports before signing contracts.
- Post-incident validation — after a breach, organisations use penetration testing to verify that vulnerabilities have been properly remediated and not just patched on the surface.
Penetration testing is not a single activity — it is a family of different assessment types, each targeting a specific layer of an organisation's attack surface. Understanding the different types is essential for anyone studying for certifications or preparing for a career in the field.
Tests the security of an organisation's network infrastructure — firewalls, routers, switches, VPNs, and exposed services. Divided into external (attacking from the internet, simulating an outside attacker) and internal (assuming the attacker is already inside the network, simulating a compromised employee or insider threat).
- External network pentest — attack the organisation's internet-facing assets: web servers, email servers, VPN endpoints, DNS servers, exposed RDP
- Internal network pentest — connected to the internal network, simulate lateral movement, Active Directory attacks, privilege escalation to Domain Admin
- Wireless pentest — test Wi-Fi security: WPA2 handshake cracking, evil twin attacks, rogue access point detection
Tests the security of web applications — websites, APIs, web services, and SaaS platforms. Follows the OWASP Testing Guide methodology and targets the OWASP Top 10 vulnerability categories (SQL injection, XSS, broken authentication, IDOR, SSRF, and more). This is the most common type in bug bounty programs.
- Manual testing of all application functionality — login, registration, account management, file upload, search, payment
- Testing API endpoints for authentication bypasses, broken object-level authorisation (BOLA/IDOR)
- Reviewing client-side JavaScript for sensitive data exposure and DOM-based vulnerabilities
- Testing authentication mechanisms — session management, password reset flows, MFA bypass
Tests the security of cloud environments — AWS, Azure, GCP configurations, IAM policies, storage permissions, and serverless functions. One of the fastest-growing pentest specialisations as organisations migrate infrastructure to cloud platforms.
- IAM misconfiguration testing — overly permissive roles, privilege escalation through IAM
- S3 bucket enumeration — publicly exposed storage with sensitive data
- Metadata service exploitation — SSRF attacks targeting cloud instance metadata
- Container and Kubernetes security — exposed dashboards, misconfigured RBAC
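Of the cloud items above, the metadata-service attack is the one most often reached through an ordinary web application: any feature that fetches a user-supplied URL (webhooks, image previews, link importers) can be pointed at 169.254.169.254 and hand back the instance's IAM credentials. The block below is an added example, not code from the original page, showing the destination check a fixed application should apply before fetching; the vulnerable version is simply fetching the URL with no check at all. The entries in `FAKE_DNS` and the `fake_resolve` stub are constructed so the block runs offline; `resolve_with_dns` is what production code would pass instead.

```python
"""Server-side destination check that stops an SSRF from reaching cloud
instance metadata. Added example, not code from the original page.
The vulnerable pattern it replaces is simply fetch(user_supplied_url)
with no check on where the URL points."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Well-known metadata endpoints. Everything that is not globally
# routable (link-local, RFC 1918, loopback, ULA, ...) is refused too.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),  # AWS, Azure and GCP IMDS
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS over IPv6
}


def resolve_with_dns(host):
    """Production resolver: every A and AAAA answer for host."""
    return {ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_target(url, resolve=resolve_with_dns):
    """True only if the scheme is http(s) and EVERY address the host
    resolves to is globally routable and not a metadata endpoint.
    Fails closed on anything that cannot be parsed or resolved."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addresses = {ipaddress.ip_address(host)}   # literal IPv4/IPv6
    except ValueError:
        # Not a dotted/colon literal: resolve it. Odd forms such as the
        # decimal "2852039166" are accepted by getaddrinfo and come back
        # as 169.254.169.254, so resolving before checking is essential.
        try:
            addresses = set(resolve(host))
        except (OSError, ValueError):
            return False
    if not addresses:
        return False
    # Every record is checked: a name that returns one public and one
    # internal address (DNS rebinding / split answers) is rejected.
    return all(addr not in METADATA_ADDRESSES and addr.is_global
               for addr in addresses)


# Constructed DNS answers for the offline demo; real code passes
# resolve_with_dns above instead.
FAKE_DNS = {
    "example.com": {ipaddress.ip_address("93.184.216.34")},
    "metadata.google.internal": {ipaddress.ip_address("169.254.169.254")},
    "rebind.attacker.test": {ipaddress.ip_address("93.184.216.34"),
                             ipaddress.ip_address("10.0.0.5")},
}


def fake_resolve(host):
    return FAKE_DNS.get(host, set())   # unknown name -> empty -> refused


if __name__ == "__main__":
    for u in ("https://example.com/avatar.png",
              "http://169.254.169.254/latest/meta-data/iam/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://rebind.attacker.test/",
              "http://[fd00:ec2::254]/latest/meta-data/",
              "http://2852039166/"):
        print(f"{is_safe_outbound_target(u, fake_resolve)!s:5}  {u}")
```

Two things stay outside this function: the HTTP client must not follow redirects unchecked (re-run the check on each `Location`), and the connection should be made to the address that was checked, otherwise a second DNS lookup can return a different answer. On AWS, enabling IMDSv2 (which requires a PUT request with a token header before any GET) also removes the simple GET-based variant of this attack where the application-side check is missing.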
Tests whether employees can be manipulated into revealing credentials, granting access, or executing malware. Simulates the most common real-world attack vector — humans are consistently the weakest link in any security programme.
- Phishing campaigns — sending realistic phishing emails to employees and measuring click rates, credential submission rates, and detection/reporting rates
- Vishing (voice phishing) — calling employees pretending to be IT support, vendors, or executives to extract information or credentials
- Physical security testing — attempting to gain physical access to restricted areas (tailgating, pretexting, badge cloning)
- USB drop attacks — leaving infected USB drives in car parks to test whether employees plug them into work computers
Tests the security of iOS and Android applications — insecure data storage, weak cryptography, insecure API communication, client-side injection, and reverse engineering of application logic.
- Static analysis — decompiling APK/IPA files to review code and identify hardcoded secrets
- Dynamic analysis — intercepting and manipulating network traffic using Burp Suite
- API security testing — testing the backend APIs that mobile apps communicate with
- Local data storage — checking for sensitive data stored in cleartext on the device
Beyond the type of system being tested, penetration tests are also categorised by how much prior knowledge the tester is given. This is one of the most common interview questions for penetration testing roles.
| Type | Knowledge given to tester | Simulates | Best for | Typical cost |
|---|---|---|---|---|
| Black box | Zero. Only a target name or IP range. No credentials, no architecture docs, no source code. | An external attacker with no insider knowledge | Realistic external threat simulation, executive reporting | Highest (more time needed) |
| Grey box | Partial. May receive low-privilege credentials, network diagrams, or application documentation. | A compromised employee or a hacker who has done some recon | Most common in real engagements — best balance of realism and efficiency | Medium |
| White box | Full. Source code, architecture diagrams, admin credentials, system documentation. | An insider threat or a code security review | Thorough security review, finding deep logic flaws, software audits | Lowest per finding |
Professional penetration testers follow a structured methodology to ensure consistency, completeness, and legally defensible results. The most widely used frameworks are PTES (Penetration Testing Execution Standard), the OWASP Testing Guide, and NIST SP 800-115. They subdivide the work differently (PTES defines seven phases, NIST SP 800-115 four), but all of them map onto the same five core phases.
Phase 1 is reconnaissance: gathering as much information about the target as possible before touching any target systems. Passive reconnaissance draws on open-source intelligence (OSINT) such as DNS records, certificate data, public code repositories, and employee profiles, and sends no traffic to the target. Active reconnaissance (querying the target's own name servers, probing hosts) does reach the target, so it begins only once the authorised testing window is open.
Phase 2 is scanning and enumeration: port scanning the in-scope hosts, identifying running services and their versions, and enumerating web content, shares, and user accounts to build the list of potential entry points.
Phase 3 is exploitation: turning those entry points into access, whether through a known vulnerability, a misconfiguration, weak or reused credentials, or an application logic flaw. Critically: throughout the engagement, and above all here, the pentester documents every step, taking screenshots and saving command output as evidence for the final report.
Phase 4 is post-exploitation, performed strictly within the agreed scope. Techniques include: privilege escalation (local and domain), credential dumping, lateral movement to other systems, pivoting through network segments, and data exfiltration simulation.
Phase 5 is reporting: findings, evidence, and remediation guidance are written up in the format described later in this guide. After remediation, a follow-up retest confirms that the identified vulnerabilities have been properly fixed.
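Scanning output is the raw material for every later phase and for the evidence appendix of the report, and it is far easier to work with as data than as screenshots. The following added example (not code from the original page) parses Nmap's XML output, as produced by `nmap -sV -oX scan.xml <target>`, into a service inventory and flags the internet-exposed services an external assessment would prioritise first, such as RDP on a public address. The scan XML and the `HIGH_RISK_EXTERNAL` port list are constructed for the demonstration.

```python
"""Parse Nmap XML output (nmap -oX) into a service inventory and flag
externally exposed services an external pentest would prioritise.
Added example; the XML below is constructed, not real scan output."""
import xml.etree.ElementTree as ET

# Services that should almost never be reachable from the internet.
# (port, protocol) -> why it matters on an external test. Assumed list.
HIGH_RISK_EXTERNAL = {
    (21, "tcp"): "FTP: cleartext credentials",
    (23, "tcp"): "Telnet: cleartext credentials",
    (445, "tcp"): "SMB: exposed file sharing, lateral movement target",
    (3389, "tcp"): "RDP: brute force and credential stuffing target",
    (5985, "tcp"): "WinRM: remote management exposed",
}

# Constructed sample in the shape nmap -sV -oX produces (one host, four ports).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10" start="1700000000">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per OPEN port: host, port, protocol, service,
    product, version. Down hosts and filtered/closed ports are dropped;
    a missing <service> element is tolerated."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            inventory.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return inventory


def flag_external_exposures(inventory):
    """Return (entry, reason) for every open port on the high-risk list."""
    return [(e, HIGH_RISK_EXTERNAL[(e["port"], e["protocol"])])
            for e in inventory
            if (e["port"], e["protocol"]) in HIGH_RISK_EXTERNAL]


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for e in inv:
        print(f'{e["host"]}:{e["port"]}/{e["protocol"]}  '
              f'{e["service"]} {e["product"]} {e["version"]}'.rstrip())
    for e, reason in flag_external_exposures(inv):
        print(f'[!] {e["host"]}:{e["port"]}  {reason}')
```

Keep the raw XML as evidence alongside the parsed inventory: the `args` and `start` attributes on `<nmaprun>` record exactly what was run and when, which is what the client's incident responders will ask for if the scan trips an alert.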
Professional penetration testers use a combination of open-source tools, commercial tools, and custom scripts. Kali Linux bundles most of the open-source tools below — it is the standard operating system for penetration testing work.
| Tool | Phase | Purpose | Free? |
|---|---|---|---|
| Nmap | Scanning | Port scanning, service detection, OS fingerprinting, NSE vulnerability scripts | Yes |
| Burp Suite Pro | Web exploitation | Web proxy, scanner, Repeater, Intruder, active web app testing | Community free; Pro $449/yr |
| Metasploit Framework | Exploitation | Exploit database, payload generation, post-exploitation, pivoting | Yes (Community) |
| Gobuster / ffuf | Enumeration | Web directory, file, and subdomain brute forcing | Yes |
| SQLMap | Web exploitation | Automated SQL injection detection and database extraction | Yes |
| Hydra | Exploitation | Online brute force against SSH, FTP, HTTP forms, RDP | Yes |
| John / Hashcat | Post-exploitation | Offline password hash cracking | Yes |
| BloodHound | Post-exploitation | Active Directory attack path visualisation | Yes |
| Mimikatz | Post-exploitation | Windows credential extraction from memory | Yes |
| Wireshark | All phases | Packet capture and network traffic analysis | Yes |
| Netcat | Exploitation | Reverse shell listener, banner grabbing, port scanning | Yes |
| theHarvester | Reconnaissance | Email, subdomain, and employee OSINT from public sources | Yes |
| Shodan | Reconnaissance | Internet-wide scanner — find exposed services and devices | Free tier available |
| Cobalt Strike | Red teaming | Commercial C2 framework for advanced red team operations | No — $5,900/yr |
| Nessus / OpenVAS | Vulnerability scanning | Automated vulnerability discovery (scanning, not exploitation) | OpenVAS free; Nessus Essentials free for up to 16 IPs, Nessus Professional paid |
This is one of the most commonly confused concepts in cybersecurity — and a question that appears in almost every security professional interview. The two activities look similar on the surface but serve fundamentally different purposes.
| Aspect | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| What it does | Automatically scans for known vulnerabilities using a signature database. Identifies potential weaknesses. | Manually attempts to exploit vulnerabilities to confirm they are genuinely exploitable and assess real impact. |
| Human involvement | Mostly automated — a tool runs a scan and produces a list of findings. | Highly manual — a skilled professional devises and executes attacks, adapting to defences. |
| Output | A list of potential vulnerabilities with severity scores. Many may be false positives. | A confirmed list of exploited vulnerabilities with demonstrated business impact and exploitation evidence. |
| False positives | High — automated scanners regularly flag issues that are not actually exploitable in context. | Low — a pentester confirms exploitation is possible before reporting it. |
| Scope | Broad — covers all known vulnerability signatures across the target. | Targeted — focuses on finding a path to the objective (e.g., reaching the database). |
| Frequency | Weekly or monthly automated scans. | Annually, after major changes, or after incidents. |
| Cost | Low — mostly tool licensing. | Higher — skilled professionals' time. |
| Answers the question | "What vulnerabilities might exist?" | "Can an attacker actually exploit these vulnerabilities and reach our critical assets?" |
Both penetration testing and bug bounty hunting involve finding security vulnerabilities — but the structure, compensation model, and skills needed differ significantly.
| Aspect | Penetration Testing (Professional) | Bug Bounty Hunting |
|---|---|---|
| Employment | Employed by a security firm or in-house security team | Self-employed / freelance — work for yourself |
| Income model | Salary or day rate (predictable, stable) | Per-bug bounty payouts (variable, competitive) |
| Scope | Defined in writing — test only what's agreed | Defined by the program's scope page |
| Time limit | Fixed engagement (5 days, 2 weeks, etc.) | Open-ended — hunt when you want |
| Report format | Formal written report delivered to client | Submit via platform (HackerOne, Bugcrowd) |
| Types of testing | Network, web app, social engineering, cloud, physical | Primarily web application and API |
| Entry barrier | Requires experience, certs (OSCP), and references | Anyone can start immediately — no gatekeeping |
| Earning potential | $80K–$200K+ salary (experienced) | $0 to $500K+ per year (widely variable) |
| Best for | People who want stable employment and broad testing experience | People who want flexibility and to earn while learning |
The legal framework around penetration testing is something every practitioner must understand — not just to stay out of trouble, but because clients will ask about it and professional certifications test it.
- Written authorisation — a signed contract or Rules of Engagement document that explicitly authorises you to test specific systems. Verbal permission is not enough, and the permission must come from someone entitled to give it: the asset owner, not a well-meaning developer. For assets hosted on third-party infrastructure (cloud providers, managed hosting), check the provider's own penetration testing policy as well.
- Clearly defined scope — what systems are in scope, what is excluded, and what testing techniques are permitted (e.g., can you use denial-of-service tests? Social engineering?)
- Emergency contact procedures — who to call if something goes wrong. If your testing accidentally causes an outage or triggers an incident response, you must be able to immediately confirm with the client that the activity was authorised.
- Data handling agreement — what happens to any data you access during the test? Professional pentesters sign agreements not to retain, copy, or disclose client data.
- Confidentiality — pentest reports contain highly sensitive vulnerability information. They must be handled with the same care as the most sensitive data in an organisation.
- USA — Computer Fraud and Abuse Act (CFAA) — criminalises accessing computers "without authorisation or exceeding authorised access." The statute has historically been applied broadly; the Supreme Court narrowed the "exceeds authorised access" prong in Van Buren v. United States (2021), but the practical rule is unchanged: always ensure your authorisation is explicit and in writing.
- UK — Computer Misuse Act 1990 — three core offences: unauthorised access (s.1), unauthorised access with intent to commit a further offence (s.2), and unauthorised acts that impair the operation of a computer (s.3), with later amendments adding offences for acts causing serious damage and for making or supplying hacking tools. Even "just looking" at a system without permission is an offence under s.1.
- India — IT Act 2000 (Section 43 and 66) — covers unauthorised access to computer systems. India's CERT-In also has mandatory incident reporting requirements that affect how organisations engage pentesters.
- EU — NIS2 Directive and GDPR — organisations handling EU citizen data must demonstrate security through assessments. Pentesters accessing personal data during a test must comply with GDPR data minimisation principles.
The report is the final deliverable and the most important artefact of the entire engagement. A professional penetration test report has a standard structure that communicates findings to both non-technical executives and technical remediation teams.
- Cover page — client name, engagement dates, classification (confidential), pentesting firm name
- Table of contents
- Executive summary (1–2 pages) — written for the CISO and board. What was tested, what was the overall security posture, what are the top 3 risks that need immediate action. No technical jargon.
- Scope and methodology — what systems were tested, what testing types were used, what was excluded and why, what methodology was followed (PTES, OWASP, NIST)
- Risk summary / findings overview — a table or chart showing the number of findings by severity (Critical, High, Medium, Low, Informational)
- Technical findings (the main body) — one entry per vulnerability found, each containing:
- Finding title and CVE reference (if applicable)
- Severity rating (CVSS score + risk context)
- Affected systems / URLs
- Description of the vulnerability in plain English
- Step-by-step reproduction steps
- Evidence (screenshots, command output, request/response pairs)
- Business impact — what could an attacker do if they exploited this?
- Specific remediation recommendations (not just "patch it" but exactly how)
- Appendices — raw tool output, full scan results, methodology references
Penetration testing is one of the most sought-after and well-compensated roles in cybersecurity. It is harder to break into than SOC Analyst at entry level — most firms want 1–2 years of hands-on experience before hiring junior pentesters. But the path is clear and learnable.
Typical progression: TryHackMe / Linux Journey → CompTIA Security+ (foundation cert) → TryHackMe / HackTheBox (hands-on labs) → eJPT / PNPT (entry pentest certs) → OSCP (★ industry standard)
- eJPT (eLearnSecurity Junior Penetration Tester) — the best beginner pentest certification. Fully hands-on (no multiple choice), costs $200, and can be passed by someone with 3 months of study. Perfect first pentest cert.
- PNPT (Practical Network Penetration Tester) — TCM Security's certification, highly respected in the industry for its realistic 5-day exam format. Very affordable (~$400) and more valued by employers than CEH for practical roles.
- CompTIA PenTest+ — vendor-neutral, DoD-approved. Good foundational cert but considered less rigorous than OSCP or PNPT for hands-on roles.
- OSCP (Offensive Security Certified Professional) — the gold standard penetration testing certification. A gruelling 24-hour hands-on exam (three standalone machines plus an Active Directory set, scored out of 100 with a 70-point pass mark), followed by a further 24 hours to write a professional report. Required by most senior penetration testing roles. $1,499 for the course and exam bundle (OffSec raises prices periodically, so check the current figure).
- OSEP / OSED / OSWE — advanced OffSec certifications covering evasion, Windows exploit development, and web app exploitation at an expert level. Post-OSCP progression.
- TryHackMe — best for beginners. Guided rooms, structured learning paths, browser-based machines. Free tier available. Start with the "Jr Penetration Tester" path.
- HackTheBox — intermediate to advanced. Realistic CTF-style machines, active community, writeups after retirement. Free starting machines available.
- VulnHub — downloadable offline vulnerable VMs. Run them locally in VirtualBox for completely offline practice.
- PortSwigger Web Security Academy — the best free resource for web application pentesting. Hundreds of labs covering every OWASP Top 10 category, designed by the creators of Burp Suite. Completely free.
- PentesterLab — web application security labs with excellent explanations of vulnerability mechanics.
- DVWA / Metasploitable 2 — deliberately vulnerable applications you can run locally. See our Kali Linux commands guide for setup instructions.
| Level | Experience | USA | UK | India |
|---|---|---|---|---|
| Junior Pentester | 0–2 years | $70,000–$95,000 | £35,000–£50,000 | ₹5–10 LPA |
| Mid-level Pentester | 2–5 years | $95,000–$130,000 | £50,000–£70,000 | ₹10–18 LPA |
| Senior Pentester | 5–8 years | $130,000–$175,000 | £70,000–£95,000 | ₹18–30 LPA |
| Principal / Red Team Lead | 8+ years | $175,000–$250,000+ | £90,000–£130,000 | ₹30–60 LPA |
| Independent Consultant | 5+ years | $1,500–$3,000/day | £800–£1,800/day | ₹50K–₹2L/day |
⚡ Start your penetration testing journey — today
- Build your foundation with our Kali Linux toolkit — master the tools every pentester uses daily. Top 20 Kali Linux commands →
- Learn Nmap inside out — network scanning is Phase 2 of every pentest. Complete Nmap tutorial →
- Start on TryHackMe — sign up free and begin the "Jr Penetration Tester" learning path tonight. tryhackme.com →
- Learn web app testing with PortSwigger Academy — completely free, the best web pentest training available. portswigger.net/web-security →
- Start bug bounty to earn while learning — find real vulnerabilities in real applications, get paid, and build your portfolio. Bug bounty beginners guide →
- Understand the CVEs you will be exploiting — know why the vulnerabilities you practise with exist and what their real-world impact is. 10 real-world CVEs explained →
Penetration testing is paying a security professional to legally try to hack your systems — using the same tools and techniques as real attackers — so you can find and fix vulnerabilities before someone does it without permission. Think of it as hiring a professional locksmith to test whether your locks can be picked, before a real burglar tries.
Penetration testing is completely legal when performed with explicit written authorisation from the system owner. Without written permission, the exact same activities constitute criminal computer fraud regardless of your intentions. Professional penetration testers always have a signed contract and Rules of Engagement before touching any system.
Ethical hacking is the broader concept — using hacking techniques for defensive, constructive purposes with permission. Penetration testing is a specific, structured form of ethical hacking with a defined scope, methodology, timeline, and formal report deliverable. All penetration testing is ethical hacking, but not all ethical hacking is a formal penetration test (bug bounty, for example, is ethical hacking but uses a different structure).
It depends entirely on scope. A small web application pentest might take 3–5 days. An external network assessment for a medium-sized company typically takes 5–10 days. A comprehensive red team engagement simulating an advanced persistent threat might run for 4–8 weeks. The report writing phase typically adds 2–5 additional days to any engagement.
Cost varies widely based on scope, type, and provider. A basic web application pentest from a boutique firm might cost $5,000–$15,000. An external network assessment might cost $8,000–$25,000. A comprehensive red team engagement from a tier-one firm can cost $50,000–$200,000+. Day rates for independent consultants in the US typically range from $1,500–$3,000 per day.
Start with eJPT (eLearnSecurity Junior Penetration Tester) or PNPT (Practical Network Penetration Tester) — both are hands-on, affordable, and respected by employers. The long-term goal is OSCP (Offensive Security Certified Professional), which is the gold standard certification required by most senior penetration testing roles. Build towards OSCP via 6–12 months of practice on TryHackMe and HackTheBox first.
Yes — penetration testing is one of the most skills-based fields in the tech industry. Most hiring decisions are based on your practical ability (demonstrated through certs like OSCP, CTF performance, and bug bounty findings) rather than academic qualifications. Many of the best penetration testers in the world are self-taught. A strong portfolio of practical work consistently outweighs a degree in hiring decisions for technical roles.
PTES stands for Penetration Testing Execution Standard. It is a community-driven framework that defines the seven phases of a professional penetration test: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. It is widely used as the methodology reference in professional engagements and is tested in certifications like OSCP and PNPT.