The objective of a penetration test is the assessment of preferably all systems and applications and services running within a predetermined scope, for example the computer network of a company.
While trying to compromise these systems (coll. “to hack”), the security expert leverages all those tools and methods that a real attacker would use to gain unauthorized access and cause damage.
In contrast to automated-only vulnerability scans, a proper penetration test requires - besides manual execution - a decent amount of preparation to define goals and requires post-processing of the results to effectively close the discovered vulnerabilities.
Especially the latter often requires not only a purely technical improvement, but also an organizational rethinking that counteracts and prevents future security holes.
Even then, a penetration test has to be understood as a snapshot rather than a permanent seal of approval due to the fact that even small changes in tested components or a newly discovered vulnerability (“zero day”) can render a system vulnerable again.
The renowned cryptography expert Bruce Schneier defined the basic principle for understanding modern security as: “ … a process, not a product.”