Gartner Blog Network

Turning Penetration Testing Inside Out

by John Pescatore  |  August 3, 2011  |  3 Comments

Back in early late 1990’s and early 2000’s, penetration testing got a bad name. Mostly because there were a lot of  small security consulting firms sprouting up and offering penetration tests for $500 or less, and these pen tests weren’t all that much different than what more established firms had charging tens of thousands of dollars for. That caused conventional wisdom to basically dismiss pen testing just vulnerability scanning with good Powerpoint to scare management.

But back in 2006, I saw a rapidly increasing amount of Gartner clients getting hit by advanced, targeted attacks, and lead a research noted calls “Penetration Testing Augments Vulnerability Management to Deal With Changing Threats” saying:

Deeper penetration testing (also known as pen testing) is needed to augment existing vulnerability management processes, especially in light of the rising level of targeted attacks, but the technique must be applied in the appropriate situations.

Flash forward five years to today, and the continued growth of targeted threats (and the recent hype of Advanced Persistent Threats) has lead to a large increase in Gartner client calls around penetration testing. I go through a decision framework with Gartner clients (soon to be a Gartner Research Note) on contracting for pen testing, vs. doing it yourself and how to choose the best product or service provider.

One recommendation I added a few years ago, driven by the growth in botnet threat delivery mechanisms: make sure penetration testing includes what I call “inside-out” pen testing: having one of your internal PCs access a “captive” malicious site and see if the first stage dropper executable could get on, then see if the second stage (communicate to bot Command and Control sites) and third stage (payload delivery) succeeds. It is pretty scary how often this succeeds – which is why botnet delivery mechanisms are so prominent in advanced targeted threats.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Turning Penetration Testing Inside Out

  1. Sanju Pillai says:

    Well said John. Today, pen testing is something which is more demanded then ever before. People today have understood its importance. Those, who wants to read more about the steps involved in penetration testing, you can read the pdf at: This will give you an idea of why is pen test done and how exactly pen test happens.

  2. Krypsys says:

    Pentesting is a very good way of measuring the strength of your network security, where you can improve it and the consequences of being hacked

  3. user1337"> says:


Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.