Chapter 84 · Glossary

Penetration Testing — Glossary

Key terms for rules of engagement, the four penetration testing phases, and responsible disclosure and bug bounty programs.

Penetration Testing (Pen Testing)
A structured, authorized security assessment that simulates a real-world attack against an organization's systems, networks, or applications by performing actual exploitation of vulnerabilities. Unlike vulnerability scanning (which only identifies potential weaknesses), penetration testing attempts to confirm that vulnerabilities are exploitable, determines how far an attacker could progress, and demonstrates real-world impact. Pen testing follows defined phases: initial exploitation, lateral movement, persistence, and pivoting. It carries operational risk — exploits can crash systems — which is managed through rules of engagement established before the engagement begins. May be mandated by regulation (PCI DSS, for example) or conducted as a voluntary best practice.
Rules of Engagement
A formal written document established before any penetration testing begins that defines the scope, constraints, timing, and procedures of the engagement. Required elements: type of testing authorized (external, internal, physical, social engineering); permitted testing hours (often restricted to off-hours to protect business operations); in-scope systems (specific IP ranges, domain names, or applications that may be tested); out-of-scope systems (explicitly excluded, often production-critical or third-party systems); emergency contact information for both the testing team and the organization; and procedures for handling sensitive data discovered during the test. The rules of engagement provide the legal authorization that distinguishes a pen tester from an attacker performing the same actions.
Initial Exploitation
The first phase of penetration testing: gaining the initial foothold inside the target environment by successfully exploiting a vulnerability, weakness, or misconfiguration at the perimeter. This is typically the most challenging phase because perimeter security concentrates the organization's defensive investment (firewalls, intrusion detection, email filtering, endpoint protection). Common initial exploitation techniques: exploiting unpatched internet-facing services, phishing to deliver malware, credential brute force against exposed login pages, SQL injection against web applications, social engineering to obtain credentials, and physical access exploits (tailgating, bypassing badge readers). The outcome is a foothold — a session, shell, or position inside the network from which subsequent phases proceed.
Lateral Movement
The second phase of penetration testing: using the initial foothold to move progressively through the internal network, compromising additional systems beyond the initial entry point. Exploits a fundamental weakness of most networks: internal systems receive far less security scrutiny than perimeter systems because administrators traditionally assumed that anything inside the network is trustworthy. Common lateral movement techniques: credential theft from compromised system memory (pass-the-hash, Mimikatz on Windows), exploitation of shared folders and network shares, remote management protocol abuse (RDP, WinRM, SSH with stolen credentials), and exploitation of internally-accessible vulnerable services. Lateral movement reveals the extent to which a single breach can propagate through an insufficiently segmented network.
Persistence
The third phase of penetration testing: establishing mechanisms that maintain attacker access to the compromised environment even if the original vulnerability is patched, the initial session is detected and terminated, or the initial access point is closed. Common persistence techniques demonstrated in pen tests: creating unauthorized administrative accounts, adding backdoor credentials to existing accounts, changing or verifying default passwords the organization failed to reset, installing remote access malware (RATs, scheduled tasks connecting to command-and-control), and modifying startup services to survive reboots. From a defensive standpoint, detecting persistence requires monitoring for unauthorized account creation, service modification, and scheduled task changes — events that generate logs if logging is properly configured.
Pivot (Pivoting)
The fourth phase of penetration testing: using a compromised system as a proxy or relay to reach other systems that are architecturally isolated from the attacker's original position. The pivoting system sits in a network segment that provides connectivity to systems the attacker cannot reach directly. By routing attack traffic through the compromised intermediary, the attacker can bypass network restrictions and access isolated segments. Example: a compromised internet-facing web server in a DMZ with a database connection to an internal server; the tester routes SQL attacks through the web server to reach the internally-positioned database. Pivoting demonstrates that a single breach can provide a pathway to any system reachable from the compromised host, making network segmentation and least-privilege access critical defenses.
Responsible Disclosure
An ethical framework governing how security researchers report discovered vulnerabilities to vendors or organizations. The core principle: the researcher reports the vulnerability privately to the vendor first, giving the vendor time to develop and deploy a fix before the vulnerability is publicly disclosed. This protects users (who would otherwise be exposed to active exploitation before a patch exists) while maintaining transparency and accountability. The standard industry expectation is a 90-day coordinated disclosure window: if the vendor fails to produce a fix within 90 days, the researcher may publish the vulnerability to create pressure for remediation. Responsible disclosure balances the researcher's interest in transparency against the user's interest in not being exposed to unmitigated vulnerabilities.
Bug Bounty Program
A formal program operated by a software vendor or organization that offers financial rewards to security researchers who discover and responsibly disclose vulnerabilities in the defined scope. Bug bounties align incentives: researchers can legally test in-scope systems and earn compensation; vendors gain access to a global community of security testers that exceeds their internal capacity. Reward amounts vary by severity: critical vulnerabilities often earn thousands to hundreds of thousands of dollars; informational findings may earn nothing. To receive a bounty, researchers must document the vulnerability fully (reproduction steps, proof of concept, severity assessment), report it privately through the defined channel, and refrain from exploitation beyond demonstration or unauthorized disclosure. Google, Microsoft, Meta, and Apple operate major programs.
Controlled Information Release
The coordinated process used in responsible disclosure to release vulnerability information only after a patch is available. The sequence: (1) researcher discovers and privately reports the vulnerability to the vendor; (2) vendor investigates, develops a fix, tests it, and prepares deployment; (3) vendor distributes the patch; (4) vendor and researcher publicly disclose the vulnerability details and the CVE simultaneously, so users can apply the fix immediately upon learning of the risk. This process prevents the scenario where an attacker learns about a vulnerability from public disclosure and exploits it against users who have not yet patched. The controlled release benefits all parties: users get protection at the moment of disclosure, vendors get time to fix, researchers get credit.
Backdoor
A persistence mechanism installed by an attacker (or penetration tester) on a compromised system that provides continued access to the system independently of the original exploitation path. Backdoors may take many forms: unauthorized user accounts with administrative privileges; modified or new scheduled tasks that run malicious code on a timer; installed remote access tools (RATs) that beacon out to attacker-controlled infrastructure; modified startup scripts or services that execute attacker code on every boot; and web shells placed on compromised web servers. The distinguishing characteristic of a backdoor is that it survives independent of the original vulnerability: even if the vulnerability is patched and the initial access path is closed, the backdoor provides an alternative entry point.
Pass-the-Hash
A lateral movement technique that allows an attacker to authenticate to a remote system using a captured password hash rather than the plaintext password. Windows systems store password hashes in memory (the LSASS process) and use those hashes for authentication in NTLM authentication protocols. An attacker who gains administrative access to one Windows system can extract these hashes (using tools like Mimikatz) and use them directly in authentication attempts against other systems on the network — without ever cracking them to recover the plaintext password. Pass-the-hash is one of the most effective lateral movement techniques in Windows environments and highlights the risk of reusing passwords across systems and the importance of Credential Guard and Protected Users security group membership as defenses.
In-Scope vs. Out-of-Scope Systems
A critical distinction defined in the rules of engagement before penetration testing begins. In-scope systems are explicitly authorized targets: specific IP addresses, IP ranges, domain names, or application instances that the testing team may probe, attack, and attempt to exploit. Out-of-scope systems are explicitly excluded: the testing team must not probe or interact with them, even if doing so would expose a vulnerability or advance the engagement. Out-of-scope systems are often excluded because they are production-critical, belong to third parties, are shared infrastructure, or are outside the organization's control. Touching an out-of-scope system, even accidentally (for example, by following a pivot path that leads to an excluded network segment), constitutes a rules-of-engagement violation and potentially unauthorized computer access.