Unlike traditional security assessment or vulnerability assessment, penetration testing takes security review to another level. Normally, a vulnerability assessment or test is performed to determine if a particular security problem may exist and to what degree. Vulnerabilities identified as "existing" may not in fact exist or may pose little or no threat to your environment. Determining the impact a vulnerability or configuration problem might have on a system can be much more complex and involved.

Penetration testing is a much more aggressive and invasive procedure and does pose certain risks to the environment. However, if you are truly looking to determine the risk presented by certain vulnerabilities, a penetration test can reveal this. For instance, certain vulnerabilities or configuration errors may not really exist although they show up on a report. Many security problems appear to be viable even after they have been addressed. Instead of documenting that a vulnerability "may" result in acquisition of user IDs and passwords allowing unauthorized network access, a penetration test attempts to achieve the result or exploit the vulnerability, providing proof and validation of the security hole. This is one of the best ways to determine to what degree you are at risk or what impact there will be on your organization.

Below is a list of many of the steps and tasks associated with Internet and internal penetration testing.

- Web / Public Information Discovery;
- Non-invasive Discovery;
- Stealth Investigation;
- Noisy Investigation;
- Host & Application Discovery;
- Develop Logical Network Diagram;
- Reverse Attacks;
- Host Penetration;
- Password Acquisition & Cracking;
- Privilege Escalation;
- Creation of Reports;
- Report Presentation;

All details of the above tasks are provided in proposals for Penetration Testing services. Internal penetration test activities include many of the above and more.