What is Penetration Testing?
Penetration testing (pentesting) is an authorized, simulated attack on a system performed to find and exploit security vulnerabilities the way a real attacker would, demonstrating actual impact rather than just listing potential weaknesses.
In depth.
Penetration testing goes beyond finding vulnerabilities: it tries to exploit them, safely and with permission, to show what an attacker could actually achieve. A pentester chains weaknesses together, escalates privileges, and reaches sensitive data or control, then reports the path and the impact so the organization can fix what matters most.
It differs from automated vulnerability scanning, which lists potential issues but does not prove exploitability or business impact. Pentesting is more manual, creative, and adversarial; scanning is broad and automated. Mature programs use both: scanning for continuous coverage, pentests for depth and real-world validation.
Pentests vary by knowledge level: black-box (no internal information, like an outside attacker), white-box (full access to source and architecture), and gray-box (partial knowledge). They also vary by scope: web apps, networks, APIs, mobile, cloud, or social engineering. They are usually time-boxed engagements governed by a clear rules-of-engagement agreement, and authorization is non-negotiable: unauthorized testing is illegal.
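The scope and time window from the rules of engagement are something pentest tooling should enforce before any test action runs, not just something written in the contract. The guard below is an added example, not code from the original page or from any named tool; the `RulesOfEngagement` structure, the `authorize` function and the sample CIDR, domains and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    """Scope and time window agreed with the client (hypothetical structure)."""
    allowed_networks: tuple   # CIDR strings, e.g. "10.20.0.0/16"
    allowed_domains: tuple    # lowercase hostnames, or "*.base" to cover subdomains of base
    start: datetime           # engagement window, timezone-aware
    end: datetime

    def host_in_scope(self, target: str) -> bool:
        """True if target is an IP inside an allowed CIDR or a hostname the scope covers."""
        try:
            addr = ip_address(target)
        except ValueError:
            host = target.lower().rstrip(".")
            # "*.base" covers subdomains of base only; a name that merely contains the
            # base (e.g. "shop.example.test.evil") must not match
            return any(host.endswith(p[1:]) if p.startswith("*.") else host == p
                       for p in self.allowed_domains)
        return any(addr in ip_network(net) for net in self.allowed_networks)

    def time_in_window(self, now: datetime) -> bool:
        return self.start <= now <= self.end


def authorize(roe: RulesOfEngagement, target: str, now: datetime) -> tuple:
    """Gate a test action: returns (allowed, reason). Refuses unless both checks pass."""
    if not roe.time_in_window(now):
        return False, "outside engagement window"
    if not roe.host_in_scope(target):
        return False, "target out of scope"
    return True, "in scope"


# Constructed sample engagement: one /16, one wildcard domain, one portal host, one week.
ROE = RulesOfEngagement(
    allowed_networks=("10.20.0.0/16",),
    allowed_domains=("*.shop.example.test", "portal.example.test"),
    start=datetime(2024, 6, 3, 9, tzinfo=timezone.utc),
    end=datetime(2024, 6, 7, 17, tzinfo=timezone.utc),
)
DURING = datetime(2024, 6, 4, 12, tzinfo=timezone.utc)   # inside the window
AFTER = datetime(2024, 6, 8, 12, tzinfo=timezone.utc)    # window has closed
```

Calling `authorize(ROE, target, now)` before each request makes an out-of-scope host or an expired window a hard stop rather than a judgment call mid-engagement.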
Why interviewers ask about this.
For security-aware QA and AppSec-adjacent roles, interviewers expect you to distinguish penetration testing from vulnerability scanning and to understand black/white/gray-box variants. Emphasizing authorization and demonstrated impact signals you understand security testing responsibly.
Example scenario.
A company hires a pentester for an authorized web-app engagement. Starting black-box, the tester finds an injection flaw, uses it to read a configuration file, recovers database credentials, and accesses customer records, then documents the full exploit chain and impact so the team can prioritize fixes, all within an agreed scope and rules of engagement.
Interview tip.
Define penetration testing as authorized, simulated attacks that exploit vulnerabilities to demonstrate real impact, and contrast it with vulnerability scanning (which only lists potential issues). Mention black/white/gray-box types and stress that authorization and scope are mandatory.
Frequently asked questions.
What is the difference between penetration testing and vulnerability scanning?
Vulnerability scanning is automated and lists potential weaknesses without confirming they are exploitable. Penetration testing is largely manual and actively exploits weaknesses to prove real impact and chain them into realistic attacks. Scanning gives breadth; pentesting gives depth and validation.
What are black-box, white-box, and gray-box pentests?
Black-box: the tester has no internal information, simulating an outside attacker. White-box: full access to source and architecture for thorough coverage. Gray-box: partial knowledge (e.g., a user account), balancing realism and efficiency. The choice depends on goals and time.