Document Type

Conference Proceeding


Association of Digital Forensics, Security and Law


Faculty of Health, Engineering and Science


ECU Security Research Institute




Valli, C. , Woodward, A. J., Hannay, P. , & Johnstone, M. N. (2014). Why penetration testing is a limited use choice for sound cyber security practice. Proceedings of Conference on Digital Forensics, Security and Law. (pp. 35-40). Richmond, Virginia. Association of Digital Forensics, Security and Law. Available here


Penetration testing of networks is a process that is overused when demonstrating or evaluating the cyber security posture of an organisation. Most penetration testing is not aligned with the actual intent of the testing, but rather is driven by a management directive of wanting to be seen to be addressing the issue of cyber security. The use of penetration testing is commonly a reaction to an adverse audit outcome or as a result of being penetrated in the first place. Penetration testing used in this fashion delivers little or no value to the organisation being tested for a number of reasons. First, a test is only as good as the tools, the tester and the methodology being applied. Second, the results are largely temporal. That is, the test will likely only find known vulnerabilities that exist at one specific point in time and not larger longitudinal flaws with the cyber security of an organisation, one such flaw commonly being governance. Finally, in many cases, one has to question what the point is in breaking the already broken. Penetration testing has its place when used judiciously and as part of an overall review and audit of cyber security. It can be an invaluable tool to assess the ability of a system to survive a sustained attack if properly scoped and deployed. However, it is our assessment and judgement that this rarely occurs.

Creative Commons License

Creative Commons Attribution 4.0 License
This work is licensed under a Creative Commons Attribution 4.0 License.