Complete the sentences by filling in the blanks. Each correct answer earns points!
is security testing where testers mimic real-world attacks to identify methods to circumvent security features under agreed rules of engagement.
Context: Core definition of penetration testing
identifies, assesses, and ranks vulnerabilities (often via automated broad port scanning) and differs from penetration testing's exploitation-focused approach.
Context: Penetration testing vs vulnerability assessment
Penetration testing as a concept is real-world attack simulation.
Context: Meaning of controlled simulation
FIs determine penetration testing frequency using a testing cadence based on system and cyber risk exposure.
Context: Cadence drivers (criticality and exposure)
Good practice states that FIs should test systems directly accessible from the internet at least once every .
Context: Annual cadence requirement for internet-exposed systems
Systems undergoing major changes or updates cause FIs to perform penetration testing changes.
Context: Cause-effect trigger for testing after changes
Blackbox testing provides no internal knowledge, which causes test realism to be high but may leave internal or post-authenticated pages .
Context: Cause-effect outcome of blackbox limitations
Greybox testing provides limited information (for example, credentials), which causes testing to become more and enables deeper exploitation attempts.
Context: Cause-effect benefit of greybox testing
Whitebox testing provides architecture documentation and source code, which causes potential vulnerability capture to compared with blackbox or greybox.
Context: Cause-effect impact of whitebox access
Penetration testing phases run from planning through discovery, attack, reporting, and to validate fixes.
Context: Lifecycle phase meaning (retest)
In the penetration testing lifecycle, defines rules of engagement and scope before discovery and attack.
Context: Phase ordering and purpose
Blackbox, greybox, and whitebox are of penetration testing.
Context: Terminology for access-based testing approaches
Different penetration test map to target technologies such as networks, web apps, mobile apps, and APIs.
Context: Meaning of penetration test types
CVE is a dictionary of publicly known vulnerabilities and exposures whose common identifiers let security products exchange data; CVSS is a standardized method for rating IT .
Context: Correct pairing of CVE vs CVSS meanings
CWE is a formal list of common software weaknesses that can lead to exploitable vulnerabilities; CAPEC maps common patterns that exploit CWEs.
Context: Meaning of CAPEC as attack patterns exploiting CWEs