You may be asking yourself, what is a penetration test? This can be defined as follows: "A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is identified and assesses the response mechanism's effectiveness. Because a penetration test seldom is a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process."
When working with a customer on a penetration test, one or more "scenarios" are designed, approved, and then executed. Each scenario is an end-to-end test with a defined goal, a set of parameters (such as scope and the techniques permitted), and a procedure covering any event that may occur as a result of executing it. There are three reasons for putting so much effort into scenario design. First, the value of a penetration test lies in its ability to measure a system's response to real-world attack inputs; defining those techniques up front is critical to delivering that value. Second, any test should be repeatable: defining and documenting the test makes follow-up tests far more consistent and their results directly comparable. Third, because penetration testing uses real attacks against real production systems, having a plan for both success and failure conditions is critical to the safety of personnel and data alike.
To best simulate a real-world attack, several scenarios can be designed, chained together, and executed as one coordinated attack. For example, a denial-of-service attack can be coupled with a physical intrusion to measure how well personnel respond to physical threats while verification systems are unavailable. Another example is executing a social-engineering attack as a component of a direct system intrusion, where information gathered by one activity is used to make the other more effective. The possibilities are endless and can be tailored to an organization's specific needs.