Penetration testing employs ethical hackers using real-world attack techniques to assess security posture, validate control effectiveness, and prioritize remediation efforts. Tests range from external network attacks to social engineering campaigns targeting employees or physical security assessments. Organizations typically conduct annual penetration tests to satisfy compliance requirements and after significant infrastructure changes. A penetration test might reveal that legacy systems lack patches for known vulnerabilities or that employees readily share credentials. Results provide actionable recommendations with business context about exploitability and potential impact, unlike automated vulnerability scans.