A penetration test serves to identify all possible threats to a system. First of all, all important resources, which could become the target of an attack and possible side effects of an attack are recorded. Once the defence objectives have been defined, it is determined how an attacker can gain access to the resources to be protected and/or control over the system and how an attacker can cause undesired behaviour of the system. For this purpose the system is analysed and possible threats are assessed and categorised. Tests are carried out on the basis of the threats found.
During these tests it is important to look at different attacker models, not only to find out what possibilities an attacker has, but also to determine how likely an attack is. In the course of these tests new threats that were not previously considered can also be identified. After the evaluation of this data, protective measures can be planned and implemented.