As someone who scopes out and performs penetration tests for a living, I always begin by asking clients: “What should we be trying to accomplish during this test?” All too often, I’m given a very short list of IP addresses and the answer is something along the lines of: “Just tell us if you can get into this network.” This is a very short-sighted approach for something as powerful as a penetration test, because the reality is that a skilled penetration tester will almost always be able to find some way into a network, so the fact that he or she can do so doesn’t give us much useful information.
Ideally a penetration test should simulate a real world attack; in the real world, the attacker will always have some objective beyond “get into the network.” They may be trying to steal credit card numbers that they can use for fraud, a password to wire money out of their target’s bank account, or valuable data they can encrypt and hold for ransom. Perhaps they’re not interested in financial gain but instead are a state-sponsored attacker more interested in eavesdropping on their target’s users, or hacktivists whose goal is to damage their target by leaking embarrassing emails and knocking systems offline.