
Pentest (penetration testing)

A pentest is an intrusion test carried out by a cybersecurity expert (called a pentester or ethical hacker) who attempts to infiltrate an organisation's computer system in order to detect exploitable security flaws.

The objective is to assess the robustness of the defences and to fix vulnerabilities before they are exploited by real attackers.

 

👉 Types of pentests

There are several types of pentest, depending on the level of information available to the pentester:

  • Black-box pentest: the pentester has no prior information about the target system
  • Grey-box pentest: the pentester has partial information about the system
  • White-box pentest: the pentester has full access to system information, including source code

 

There are more specific types of pentests:

  • Pentesting web applications
  • Pentesting internal networks
  • API Pentest
  • Pentesting connected objects (IoT)

 

How a pentest works

A pentest generally involves the following steps:

  1. Reconnaissance: information gathering on the target
  2. Mapping: inventory of information system assets
  3. Vulnerability scanning: analysis of potential weaknesses
  4. Exploitation: an attempt to exploit the vulnerabilities detected
  5. Privilege escalation: obtaining administrator rights
  6. Propagation: extension of the attack to other parts of the system
  7. Clean-up: restoration of the system to its initial state
  8. Report: documentation of results and recommendations

 

🛠️ Tools used

Pentesters use a variety of specialist tools, including:

  • Burp Suite
  • Kali Linux
  • Metasploit
  • Nmap
  • Wireshark
  • John the Ripper
  • Hashcat
  • SQLmap...

👉 Examples

Here are a few examples of what a pentester could test:

  • Attempting to bypass the authentication of a web application
  • Exploiting configuration flaws in a server
  • Carrying out a denial-of-service (DoS) attack
  • Testing the strength of user passwords
  • Analysing the security of the company's Wi-Fi network

 

📈 Trends

  • Pentest as a Service (PtaaS) is emerging as a solution for organisations that have to carry out a large number of penetration tests each year.
  • The use of AI and machine learning in pentests
  • Increased pentesting in cloud environments
  • Growing interest in social engineering tests

 

 

📊 Figures and statistics

🇫🇷 In France

  • According to the ANSSI, around 80 % of large French companies carry out regular pentests.
  • The average cost of a pentest is between €5,000 and €30,000, depending on its scope
  • The sectors with the highest demand are finance, healthcare and industry

 

🌍 Worldwide

  • The global pentest market is valued at around 1.7 billion dollars
  • Estimated annual growth of 13 % to 16 %
  • More than 50 % of companies carry out at least one pentest a year
  • The most frequently discovered vulnerabilities remain:
    • Poor authentication management (almost 70 % of tests)
    • XSS flaws and injections (approximately 60 %)
    • Incorrect server configuration (55 %)

Sources: ANSSI, HackerOne annual report, PortSwigger studies on web vulnerabilities, Pentest-standard.com report.

 

 
