Penetration testing, or known as a pentest or ethical hacking, for enterprise ICT security assessment context refers to an internal or appointed external party to perform authorised simulated cyberattack based on the pre agreed scope of ICT infrastructure, system or application asset, to evaluate the extent of the cyber exposure. Some of the tools for performing typical vulnerability assessment will be used to perform initial phases for identifying weaknesses (potential vulnerability) to determine where to focus on the penetration testing (usually involved use specialised penetration testing tools or red team tool).
Depending on the scope of the pentest engagement, it can be white box (where background information is given in advance to the tester) or black box (only basic information is given), or gray box (a combination of white and blackbox).
A professional carry penetration test can be helpful to identify an infrastructure, system or application vulnerabilities that is exploitable, and provide insight into attack vector and path for enterprise to carry out mitigation, to block, to patch, to fix any validated exploitable vulnerability to be carried out.
Depending on the country, sector and industry, some are mandatory to at least to appoint and engage a 3rd party to perform penetration testing (pentest) on a regular schedule, and after system changes for regulatory compliance.