CIS Control 18: Penetration Testing

DEEP DIVE

Details penetration testing and offensive security assessments. Updating to establish a strong link to the main CIS Critical Security Controls v8 documentation.

Updated 4/12/2026

Tags: cis, controls, penetration-testing, offensive-security, v8

Penetration testing simulates the objectives and actions of a real-world attacker to holistically evaluate the security of an organization's people, processes, and technology. As the final phase of defense validation within the CIS Critical Security Controls Version 8, Control 18 shifts the focus from theoretical vulnerabilities to practical exploitation.

While CIS Control 7: Continuous Vulnerability Management identifies potential flaws, penetration testing goes a step further by chaining vulnerabilities together to demonstrate actual business risk and potential impact.

Core Safeguards and Requirements

CIS Control 18 is broken down into five distinct safeguards. Note that penetration testing requires a baseline level of organizational maturity; therefore, these safeguards apply primarily to Implementation Groups 2 and 3 (IG2 and IG3).

18.1 Establish and Maintain a Penetration Testing Program

Organizations must formalize a penetration testing program tailored to their specific size, complexity, and maturity. A mature program document must explicitly define:

  • Scope limits: Identifying included and excluded environments across networks, web applications, APIs, hosted cloud services, and physical premises controls.
  • Logistical constraints: Establishing acceptable testing hours and specifically excluded attack types (e.g., avoiding destructive Denial of Service attacks).
  • Communication plans: Designating internal points of contact and outlining how findings will be routed for remediation.
  • Retrospective requirements: Ensuring lessons learned are formalized after every testing engagement.

18.2 Perform Periodic External Penetration Tests

External penetration tests assess an organization's internet-facing perimeter and must be conducted at least annually. To accurately mimic threat actors, these tests must include an enterprise and environmental reconnaissance phase to detect externally exploitable information (such as exposed credentials or misconfigured public buckets). Because this requires specialized skills, external tests must be conducted by a qualified third party.

18.3 Remediate Penetration Test Findings

Testing is only as valuable as the subsequent remediation effort. Organizations must systematically remediate findings based on pre-established enterprise policies that dictate remediation scope, timelines, and prioritization logic.

18.4 Validate Security Measures (IG3 Only)

Highly mature organizations must actively use penetration testing to tune their defensive capabilities. Following a test, security teams should review the attack paths and modify detection rulesets, web application firewalls, and monitoring capabilities to ensure that the specific techniques used by the testers will be detected in the future.
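Safeguards 18.3 and 18.4 both turn a finished test into a follow-up workload: findings that must be closed within policy deadlines, and tester steps that the SOC failed to see. The Python example below is an added illustration of both, not CIS material or code from this page: it correlates a tester's reported steps with the alerts the SIEM raised on the same host in a time window, lists the undetected steps as the detection-tuning backlog, and grades each finding against a remediation SLA. The SLA day counts, host names, rule names and records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
# Hypothetical remediation policy for 18.3: days allowed per severity (assumed values).
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str
    technique: str                      # tester's description of the step
    host: str
    executed_at: datetime               # when the tester ran the step
    severity: str
    reported_at: datetime               # when the finding was delivered to the organization
    remediated_at: Optional[datetime] = None

@dataclass
class Alert:
    rule: str                           # constructed SIEM rule name
    host: str
    fired_at: datetime

def detection_gaps(findings: List[Finding], alerts: List[Alert],
                   window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Ids of findings with no alert on the same host within `window`: the 18.4 tuning backlog."""
    return [f.finding_id for f in findings
            if not any(a.host == f.host and abs(a.fired_at - f.executed_at) <= window
                       for a in alerts)]

def remediation_status(findings: List[Finding], now: datetime) -> dict:
    """Grade each finding as 'closed', 'open' or 'overdue' against the 18.3 SLA policy."""
    status = {}
    for f in findings:
        due = f.reported_at + timedelta(days=REMEDIATION_SLA_DAYS[f.severity])
        if f.remediated_at is not None:
            status[f.finding_id] = "closed"
        else:
            status[f.finding_id] = "overdue" if now > due else "open"
    return status

# Constructed sample data for a fictional engagement (no real hosts or results).
T0 = datetime(2026, 3, 2, 9, 0)
FINDINGS = [
    Finding("F-1", "credential reuse from exposed key", "web-01", T0, "critical", T0),
    Finding("F-2", "lateral movement to file server", "fs-01", T0 + timedelta(hours=2), "high", T0),
    Finding("F-3", "privilege escalation on workstation", "ws-07", T0 + timedelta(hours=3), "medium", T0, remediated_at=T0 + timedelta(days=5)),
]
ALERTS = [
    Alert("auth-anomaly", "web-01", T0 + timedelta(minutes=4)),   # within 30 min: credited
    Alert("new-admin-login", "fs-01", T0 + timedelta(hours=5)),   # 3 h late: not credited
]
```

Widening `window` shows how generous a correlation policy has to be before a late alert counts as detection; that choice belongs in the program document from 18.1.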

18.5 Perform Periodic Internal Penetration Tests (IG3 Only)

Internal tests start from an "assumed breach" scenario in which the attacker already has a foothold within the corporate network. Required at least annually, internal testing maps out lateral movement paths, privilege escalation opportunities, and internal access control weaknesses.

Execution Strategies: Clear Box vs. Opaque Box

When scoping a test (both internal and external), organizations must determine the level of information provided to the testing team:

  • Clear box (White box): Testers are provided with comprehensive information about the target environment, including network diagrams, source code, or internal credentials. This method is highly efficient for thorough coverage and is closely related to CIS Control 16: Application Software Security.
  • Opaque box (Black box): Testers are given zero prior knowledge of the internal environment, mimicking a completely blind external attacker. This tests both the technical defenses and the organization's detection mechanisms.

Operational Security and Legal Considerations

Penetration testing introduces unique operational and legal risks. To ensure testing yields high-fidelity results without causing panic or compromising sensitive operations:

  • Need-to-Know Basis: Only a restricted list of stakeholders should know the exact schedule of an opaque box penetration test. This prevents the security operations center (SOC) from artificially raising their guard, allowing for a genuine test of CIS Control 17: Incident Response Management.
  • Emergency Points of Contact: A primary internal point of contact must be designated to act as a fail-safe. If testing inadvertently degrades production systems, this contact can immediately halt the engagement.
  • Legal Privilege: It is increasingly common practice to conduct penetration tests through third-party legal counsel. By routing the engagement through lawyers, the resulting penetration test report may be protected from public disclosure under attorney-client privilege.

Integration with the CIS Ecosystem

A successful penetration testing program relies heavily on the foundational CIS Controls. Testers cannot effectively scope an engagement without an accurate baseline from CIS Control 1: Inventory and Control of Enterprise Assets. Furthermore, the validation phase (18.4) serves as a direct stress test for CIS Control 13: Network Monitoring and Defense, proving whether the organization's SIEM and alerting rules actually catch malicious behavior in practice.

External Reference Frameworks

When planning security test management, methodologies, and reporting, teams should refer to standard industry frameworks. Prominent guidelines endorsed alongside this CIS Control include:

  • OWASP Penetration Testing Methodologies: The gold standard for web application and API testing.
  • PCI Security Standards Council Guidance: Essential reference material for organizations handling payment card data or strictly regulated environments.