What is the main purpose of penetration testing

Purpose of penetration testing

The purpose of a penetration test is to uncover vulnerabilities that can then be fixed. There are many attack surfaces that can be used by threat agents (hackers), including software and system bugs, coding errors, poor passwords and bad security practices in general. Many of these can be rectified simply by updating everything regularly, but often people don’t realise exactly what that means. Here’s an example. There is a LOT more to it than this, but you’ll get the idea:-

You need to use a website securely to do some banking, how can you make sure it is secure?

Let’s start at your end


  • Who can see over your shoulder?
  • Have you chosen a good password for the computer?
  • Have you chosen a good password for the bank?
  • Who else knows your passwords?
  • Have you thought about the Website you’re going to use; how do you know it’s legitimate?

Your Hardware

  • Who does the computer you are using belong to? What can they see?
  • Is your keyboard secure? Some wireless & wired keyboards can be ‘tapped’.
  • How old is the BIOS? Are there vulnerabilities in it?

Your Browser

  • Is the browser secure and up to date? Or could there be vulnerabilities in it?
  • Are there any plug-ins working in the background? What are they doing?
  • Is the browser talking directly to the bank? Or is it going somewhere else first?

Your Operating System

  • Does the operating have any vulnerabilities? How do you know?
  • What are all those services and programs doing? Are they safe? Or do they have vulnerabilities?
  • Who or what else is connected to the operating system? What access do they have?

Your Network

  • Is your wireless connection secure? How do you know? Can it be eavesdropped?
  • Is the router secure? Does it have a good admin password? Are there other users that may not?
  • Does the router/firewall software have any vulnerabilities in the code?
  • Does the router/firewall have any vulnerabilities in the firmware?

The Internet

  • Where does your data go when it leaves your router? Is it safe? Who’s listening?
  • Is the traffic encrypted? Is it encrypted well enough? Who can decrypt it?

The Website

  • Does the Website have any errors in the code? How do you know?
  • Is the Website using third-party plug-ins that are safe? Are they up-to-date?
  • What language is the website using? Is that up to date?

The Web Server

  • What webserver is hosting the site? Are there vulnerabilities in the code?
  • Who has access to the web server? What are their passwords like?

The Server O/S

  • What operating system is it running on? Is that error-free?
  • What else is running on the server? Is that safe?
  • Who has access to the server? By what means?

The Database Server

  • The web server will connect to a database. Is it safe, patched and up to date?
  • What else is running on the database server?
  • Who has access to it?

The Database Server Operating System…
The Hardware…
The Network…

What does penetration testing involve?

The job of a pentester is to look at every element in the chain to figure out which parts of the system might be susceptible to attack. In the example above a pentester would discover as much about the entire process as possible, right from what the browser looks like, to what server the database runs on. In virtually all cases this is done by utilising already known vulnerabilities, which is why keeping everything as up to date as possible is so important. They will essentially ask some of the questions above and use special tools to extract some of the information. Sometimes pentesters work in teams and sometimes they work alone. The goal of a pen-test differs depending on the circumstances i.e. often the goal is to ‘gain root’, which means to hack an account with full administrative privileges, but sometimes the goal is just to try to extract information that shouldn’t be visible.

Tailored Protection


Trusted Expertise


24/7 Support


Easy Compliance


Latest Articles

Cyber Essentials – Take data security seriously

Cyber Essentials – Take data security seriously

Cyber Essentials Service Cyber essentials is a great way to prove to your customers that you take your data security seriously and is a great ‘badge of honour’ to display. Unity Metrix is an IASME accredited Certification Body for Cyber Essentials We can help to:...

read more
Acunetix web vulnerability scanner

Acunetix web vulnerability scanner

How Acunetix Works Acunetix works in the following manner: Acunetix DeepScan analyses the entire website by following all the links on the site, including links which are dynamically constructed using JavaScript, and links found in robots.txt and sitemap.xml (if...

read more
Do I need a penetration test?

Do I need a penetration test?

Do I need a penetration test? If you have a website that takes information about users… If you have a website that takes credit cards… If you have an internal system that shares personal information with external bodies… If you develop systems that will hold personal...

read more
How do you perform a vulnerability scan?

How do you perform a vulnerability scan?

How do you perform a vulnerability scan? A vulnerability scan is performed by a piece of software that resides either on a system inside the network, or more often on a cloud service. Modern scanners are very powerful and have a lot of automation built-in, so for a...

read more
Vulnerability scanning

Vulnerability scanning

What does vulnerability scanning do? Vulnerability scanning is the process of scanning software and systems for known vulnerabilities. A vulnerability scanner will maintain and refer to a massive database of known vulnerabilities in order to compare and classify...

read more

Get in Touch

Have any questions or need assistance? Fill out the form below and one of our helpful and friendly cyber security experts will get back to you promptly.