Penetration Test (Pentest)
Definition
Penetration Test (Pentest) — a security assessment method that simulates attacks under controlled conditions. Types: black-box (no knowledge of the system), white-box (full access to source code and documentation), grey-box (partial information). Phases: reconnaissance → scanning → exploitation → post-exploitation → reporting.
Standards & regulations
- NIST SP 800-12 Rev. 1 «Penetration testing: A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.»
- NIST SP 800-53 Rev. 5 «Penetration testing: A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.»
- NIST SP 800-53A Rev. 5 «Penetration testing: A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.»
- CNSSI 4009-2015 «Penetration testing: A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.»
- NIST SP 800-137 «Penetration testing: A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent »
- NIST SP 800-115 «Penetration testing: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration»
- NIST SP 800-152 «Penetration testing: Testing that verifies the extent to which a system, device or process resists active attempts to compromise its security.»
- NIST SP 800-160 Vol. 1 Rev. 1 (from ISO/IEC 19989-3:2020) «Penetration testing: Testing used in vulnerability analysis for vulnerability assessment, trying to reveal vulnerabilities of the system based on the information about the system gathered during the r»
Sources
- NIST SP 800-115 — Technical Guide to Penetration Testing (primary source)
Related terms
- Non-Human Identity (NHI)
  Identities for service accounts, API keys, OAuth client secrets, machine certificates, workload identities (AWS IAM role …
- Continuous Authentication
  Authentication paradigm verifying user identity continuously throughout a session, not just at login. Uses behavioral bi …
- Identity Recovery (IR)
  Ability to restore identities and access entitlements after a destructive event — ransomware, mass account compromise, m …
- Remediation (Rem)
  Action taken to correct an identified identity risk or policy violation — disable orphan account, revoke excessive entit …
- AI Agent Identity
  Identity assigned to an autonomous AI agent acting on behalf of a human or workflow. Distinct from human identities (wit …
- Audit Trail
  Chronological record of identity events — authentication, authorization decisions, provisioning actions, configuration c …