Penetration testing
Penetration testing is an authorised, controlled attack on IT systems, applications or networks that aims to uncover exploitable security gaps before real attackers can abuse them.
A penetration test (pentest) is a targeted, pre-authorised simulation of a real cyberattack against defined IT systems, web applications, networks or cloud environments. Specialised testers, often called ethical hackers, use the same techniques as genuine attackers not merely to identify weaknesses but to exploit them, demonstrating how exploitable they really are and what damage they could cause. A purely automated vulnerability scan only reports what might be vulnerable, typically with a share of false positives; a penetration test therefore delivers a reliable statement on whether a theoretical gap actually leads to a compromise in practice, and how far an attacker could get from there.
Methodologically, penetration tests follow established standards such as the German BSI penetration testing guide, the OWASP (Web Security) Testing Guide for web applications and the Penetration Testing Execution Standard (PTES). They are typically classified by the tester's level of prior knowledge: black box (no knowledge), grey box (partial knowledge, for example ordinary user accounts or API documentation) and white box (full access to architecture and source code). A test usually runs through the phases reconnaissance, vulnerability identification, exploitation, post-exploitation and reporting, and is followed by a re-test once the findings have been remediated. A written engagement is always a prerequisite: it records the system owner's authorisation, the exact scope (hosts, applications, accounts), the test window, any techniques that are excluded (for example denial-of-service tests) and an emergency contact; components hosted by third parties may additionally require the provider's consent. Intruding into systems without such consent would be a criminal offence under Section 202a et seq. of the German Criminal Code.
In the context of information security and compliance, the penetration test is a key tool for verifying the effectiveness of technical safeguards. The NIS2 Directive and its national transposition oblige essential and important entities to take measures to assess the effectiveness of their risk management, which in practice includes regular security reviews and penetration tests. ISO/IEC 27001 and the BSI IT-Grundschutz likewise expect a continuous review of controls. The final report, with prioritised findings, risk ratings and remediation recommendations, also serves as evidence for auditors, supervisory authorities and senior management.
Legal Basis
NIS2 Directive (EU) 2022/2555 Art. 21; ISO/IEC 27001; BSI IT-Grundschutz; OWASP Testing Guide; Section 202a et seq. German Criminal Code (legal framework)
Practical Example
A mid-sized mechanical engineering firm qualifies as an important entity under NIS2 and operates a new customer portal. Before going live, the information security officer commissions a grey-box penetration test of the portal and its API, providing the testers with two ordinary customer accounts. The testers find an exploitable authorisation flaw (a missing object-level access check) that lets a normal customer account read other customers' order data simply by requesting their order IDs. The finding is rated critical, fixed before go-live and verified in a re-test with the same accounts. The final report goes into the controls documentation and serves as proof of effectiveness in the next ISO 27001 audit.
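The flaw in the practical example, modelled as an added illustration that is not code from the original page or from any real portal: a minimal Python model of the portal's "get order" endpoint in its vulnerable form beside the fixed one, plus the two checks a grey-box tester runs against it, an enumeration step that proves the impact and the re-test that confirms the fix. The order data, customer IDs, function names and the exact nature of the flaw (an object-level authorisation check that is missing) are assumptions for illustration.

```python
# Added example (not from the original page): a minimal model of the customer
# portal's "get order" endpoint from the practical example, in its vulnerable
# form beside the fixed one, and the checks a grey-box tester runs against both.
# Names, data and the exact nature of the flaw (an object-level authorisation
# check that is missing) are assumptions for illustration.

# Constructed sample data standing in for the portal's order store.
ORDERS = {
    1001: {"customer_id": "cust-a", "item": "gearbox housing", "qty": 4},
    1002: {"customer_id": "cust-b", "item": "spindle bearing", "qty": 120},
    1003: {"customer_id": "cust-b", "item": "coupling flange", "qty": 30},
}


class NotFound(Exception):
    """Raised where the real API would answer HTTP 404."""


def get_order_vulnerable(session_customer_id: str, order_id: int) -> dict:
    """Vulnerable handler: looks the order up by id only.

    The authenticated customer (session_customer_id) is never compared with
    the order's owner, so any logged-in customer can read any order id.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(session_customer_id: str, order_id: int) -> dict:
    """Fixed handler: the lookup is scoped to the calling customer.

    A foreign order and a non-existent order both raise NotFound, so the
    response cannot be used to tell valid order ids from invalid ones.
    """
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != session_customer_id:
        raise NotFound(order_id)
    return order


def _attempt(get_order, customer_id: str, order_id: int) -> str:
    """One request, logged the way a tester would note it ("200" or "404")."""
    try:
        get_order(customer_id, order_id)
        return "200"
    except NotFound:
        return "404"


def readable_orders(get_order, customer_id: str, id_range=range(1000, 1010)) -> list:
    """Exploitation step: enumerate order ids as one customer and collect every
    order the handler hands back. Against the vulnerable handler this proves the
    impact (all customers' orders), not just the single finding."""
    return [oid for oid in id_range if _attempt(get_order, customer_id, oid) == "200"]


def retest(get_order) -> dict:
    """Re-test checks for the finding: the owner can still read their own
    order, a foreign order is refused, and the refusal is indistinguishable
    from a missing order."""
    own = _attempt(get_order, "cust-a", 1001)
    foreign = _attempt(get_order, "cust-a", 1002)
    missing = _attempt(get_order, "cust-a", 9999)
    return {
        "own_order_readable": own == "200",
        "foreign_order_blocked": foreign != "200",
        "foreign_looks_like_missing": foreign == missing,
    }


if __name__ == "__main__":
    for name, handler in (("before fix", get_order_vulnerable), ("after fix", get_order_fixed)):
        print(name, retest(handler), "readable as cust-a:", readable_orders(handler, "cust-a"))
```

In a real engagement these calls are HTTP requests made with the two customer accounts the client supplied, and the enumeration is what turns "one order was readable" into a critical rating: it shows every customer's data is exposed. The `retest` checks are the evidence that goes into the re-test section of the report; note the third check, which confirms the fix did not trade the data leak for an order-ID oracle.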