
When it comes to organizational cybersecurity, sometimes the only way to know your weaknesses is to exploit them. This can be accomplished through a unique form of social engineering – known as penetration testing – which exposes a system's biggest vulnerability: the people operating it.

Researchers have demonstrated that some of the most successful breaches aren't carried out by sophisticated cyber attacks against the technology itself. Surprisingly, hackers can often get further in obtaining valued information with just a clipboard and a smile. That's why penetration testing is such a valuable exercise.

What Is Penetration Testing? 

Penetration testing is a form of ethical hacking. Organizations use penetration tests to identify and correct security weaknesses in their computer systems, networks, and applications.

Each organization has its own set of security risks, so no two penetration tests are exactly the same. But the primary structure for the process involves gathering information about the organization's weaknesses, identifying potential entry points, and attempting a break-in.

In short, the good guys try to expose potential problems before the bad guys get the chance to. Think of Nicolas Cage stealing the Declaration of Independence in the film National Treasure. He didn't do it because he wanted to; he did it to protect it.

The same concept holds true when it comes to penetration testing. Information is collected about security weaknesses and then passed along to the organization's management team, ensuring that strategic provisions can be made to dispel any chance of a future break-in.

How Is a Pen Test Performed? 

Ideally, a penetration test (also referred to as a "pen test") is performed once a year by a trained white hat hacker – someone who uses their hacking abilities for good. These ethical hackers use the same methods of breaching as black hat hackers (the bad guys), with one key distinction: they're hired by the owner of the system and perform the attack with permission.

Pentesters typically use automated tools, such as Nmap and Wireshark, that quickly scan software for vulnerabilities that could undermine entire systems. Many of these tools also categorize vulnerabilities based on their severity and generate detailed logs that can be used to improve security.

There are several types of simulated attacks that can be run. In targeted testing, the organization's IT team works in tandem with the pentester and a "lights on" approach is used – everyone in the organization can see the test in action.

Then there are blind tests, where only one or two people in the entire organization are aware that a test is being conducted. This can be taken further by performing a "black box test," where the tester doesn't receive any helpful information from the organization in advance, such as IP addresses.

Tests can be either internal or external. External tests are geared toward an organization's visible assets, such as their email and web servers. Internal tests mimic threats from the inside that may come from users with access privileges.

Each of these techniques puts employees tasked with protecting cyber systems to the test. Once they're completed, the real work can begin.

A Day in the Life of a Pentester 

Pentesters aren't dressed up like James Bond in a tuxedo, somersaulting under laser beams and ducking behind walls. They tend to be normal men and women wearing street clothes or suits, blending into the crowd like just another average Joe.

Jayson Street is one of them. A white hat hacker who uses a variety of techniques to expose systems' vulnerabilities, Street has been a master penetration tester for years. He's robbed banks in Beirut, compromised insurance agencies in Boston, and even hacked the U.S. Department of the Treasury.

You name it, Jayson Street has probably broken into it. And for most of his jobs, he's worn jeans and a sweatshirt. He's one of the best-known penetration testers among businesses and organizations all over the globe, using anything from bash bunnies to rubber duckies and honeypots to pineapples as his "office equipment."

But there's something different about Street that makes him unique in the pen testing field. Instead of simply writing up a report detailing the vulnerabilities exposed, like many other pentesters, he takes it a step further. By the end of a job, Street hopes to actually get caught so that he can directly educate those he's compromised.

"During a job, I will spend the first two days being the worst thing that has ever happened to this business or company," he explains, "but then on the last day I'll actually try to get caught. And I'm one of the only people that will take it that far, because I want to talk to every single person I've compromised, tell them what went wrong, and educate them on what to do in the future."

Street is on a mission to stop criminal hackers with education. His work has not only helped countless businesses around the world, but also the individuals he interacts with, by teaching them about the threats that could compromise their home life.

He believes in the power and effectiveness of penetration testing, because he's seen it work first-hand. "One of the best engagements I've ever been on was this year," says Street. "I'd pen tested the company the year before, and this year, they caught me. Several times. That shows me that my job I did last year worked."

Street is proof that hacking can be used for good. While it may come to many organizations as a shock how easily he can penetrate their system with a few fibs and a USB drive, it's better to expose security problems before a bad actor gets the chance.

"When you're living in a dumpster fire, you've got two choices. Go get marshmallows and watch it burn, or try to put it out," Street describes. "That's what motivates me. Not just showing where it's broken, but showing people how to make it better."
