Penetration Testing

Penetration Testing, or Pentesting, is the authorized simulation of cyberattacks on systems, networks, or applications to identify and fix vulnerabilities before real attackers exploit them.

What is Penetration Testing?

Penetration Testing is a planned and authorized attack carried out by cybersecurity professionals (ethical hackers) to test the security of:

Web applications

Networks

Operating systems

APIs

Devices (IoT, mobile)

Cloud infrastructure

Human behavior (social engineering)

Unlike vulnerability scanning, pentesting doesn’t just find weaknesses, it actively exploits them to see the real-world risk.

Key Objectives of Pentesting

1. Identify known and unknown vulnerabilities

2. Test defenses and response mechanisms

3. Simulate real-world attacks

4. Evaluate potential business impact

5. Ensure compliance with regulations

6. Help in risk management decisions

Mindset of a Penetration Tester

“Think like a hacker, act like a professional.”

A skilled pentester mimics real-world attack strategies:

Social engineering

Exploiting software bugs

Privilege escalation

Lateral movement

Data exfiltration

Types of Penetration Testing

1) Black Box Penetration Testing

What it is: Tester has no prior knowledge of the target environment.
Goal: Simulates an outsider’s attack.
Use cases: Assess real-world attack scenarios from unknown external threats.
Advantages: Mimics true hacker behavior; uncovers vulnerabilities visible to the public.
Limitations: May miss deeper vulnerabilities requiring insider knowledge.

2) White Box Penetration Testing

What it is: Tester has full access to information like source code, network diagrams, credentials.
Goal: Identify vulnerabilities from an insider perspective.
Use cases: Code reviews, architecture analysis, comprehensive security evaluations.
Advantages: Deeper analysis; more thorough assessment.
Limitations: Less realistic for simulating external attackers.

3) Grey Box Penetration Testing

What it is: Tester has limited information—more than black box, less than white box.
Goal: Simulate an attack from a semi-trusted insider or compromised account.
Use cases: Insider threats, phishing attack simulations.
Advantages: Balance of realism and depth.
Limitations: Might overlook issues requiring either complete ignorance or full knowledge.

4) External Penetration Testing

What it is: Focuses on assets exposed to the internet (e.g., websites, VPN gateways).
Goal: Assess perimeter defenses.
Use cases: Validate firewall, web servers, DNS security.
Advantages: Protects against attacks from outside your network.

5) Internal Penetration Testing

What it is: Tester operates inside the network, assuming attacker has internal access.
Goal: Simulate a compromised insider or an attacker who breached external defenses.
Use cases: Insider threat assessments, lateral movement detection.
Advantages: Identifies risks from within, like poor segmentation or privilege escalation.

6) Web Application Penetration Testing

What it is: Targets web applications specifically—both client and server side.
Goal: Uncover OWASP vulnerabilities (e.g., XSS, SQLi) and logic flaws.
Use cases: Websites, portals, SaaS products.
Advantages: Focused on the most targeted attack surface.

7) Wireless Penetration Testing

What it is: Evaluates wireless networks’ security—Wi-Fi, Bluetooth, Zigbee.
Goal: Find insecure protocols, weak encryption, unauthorized devices.
Use cases: Offices, campuses, IoT-heavy environments.
Advantages: Prevents wireless eavesdropping, rogue APs, MiTM attacks.

8) Social Engineering Penetration Testing

What it is: Tests human element—phishing, pretexting, baiting, tailgating.
Goal: Evaluate employee awareness and response.
Use cases: Security awareness programs, compliance requirements.
Advantages: Addresses weakest link: people.

9) Physical Penetration Testing

What it is: Tests physical security controls—locks, badges, security guards, cameras.
Goal: Assess the ability of intruders to physically access sensitive areas.
Use cases: Data centers, corporate offices, secure facilities.
Advantages: Ensures physical barriers complement digital security.

10) Cloud Penetration Testing

What it is: Focused on cloud environments—AWS, Azure, GCP.
Goal: Identify misconfigurations, insecure APIs, overprivileged accounts.
Use cases: SaaS, PaaS, IaaS infrastructures.
Advantages: Addresses shared responsibility model in cloud security.

11) Mobile Penetration Testing

What it is: Evaluates mobile apps (Android, iOS) and device security.
Goal: Identify flaws like insecure data storage, improper platform usage, weak encryption.
Use cases: Banking apps, healthcare apps, consumer products.
Advantages: Ensures mobile platforms meet security standards.

12) IoT Penetration Testing

What it is: Tests security of connected devices—smart locks, wearables, industrial sensors.
Goal: Identify firmware vulnerabilities, insecure communication, weak authentication.
Use cases: Smart homes, factories, connected cars.
Advantages: Reduces risks in rapidly expanding IoT landscape.

13) API Penetration Testing

What it is: Targets Application Programming Interfaces (REST, SOAP, GraphQL).
Goal: Uncover improper authentication, data leaks, injection flaws.
Use cases: Apps exposing APIs to clients, B2B services.
Advantages: APIs are high-value targets; testing ensures secure integrations.

14) SCADA / ICS Penetration Testing

What it is: Focuses on Supervisory Control and Data Acquisition (SCADA) or Industrial Control Systems (ICS).
Goal: Identify vulnerabilities in industrial protocols, devices, and networks.
Use cases: Power plants, manufacturing, critical infrastructure.
Advantages: Prevents disruptions in industries with massive impact potential.

15) Red Team / Adversary Simulation

What it is: Comprehensive, goal-oriented tests mimicking advanced threat actors.
Goal: Test detection and response capabilities of people, processes, and technology.
Use cases: Organizations with mature security; want realistic assessment.
Advantages: End-to-end security validation.

Pentesting Methodology :

1) Pre-engagement and Planning

**Objectives:**

Define the scope: which systems, networks, apps, IP ranges, or facilities are included.
Establish goals: compliance checks, vulnerability discovery, exploit validation, etc.
Set rules of engagement (ROE): allowed attack techniques, timeframes, escalation contacts.
Identify stakeholders: point of contact, incident response team, legal advisors.

Deliverables:
Signed contracts, non-disclosure agreements (NDAs).
Scope document detailing boundaries.
Risk acceptance and legal authorization.

Importance: Without a clear agreement, pentesting can cause legal issues or operational disruptions.

2) Information Gathering (Reconnaissance)

Active Reconnaissance: Direct interaction with targets to collect info—ping sweeps, banner grabbing, DNS queries.

Passive Reconnaissance: No direct engagement—collecting OSINT from public sources, job postings, social media, Shodan, WHOIS records.

Goals:

Map the attack surface.
Identify live hosts, services, versions.
Build a profile of the target organization.

Importance: The better the reconnaissance, the more accurate and efficient the attack plan.

3) Threat Modeling & Vulnerability Identification

Threat Modeling: Prioritizing assets, potential threats, and attacker profiles. For example, identifying critical data or systems and how attackers could reach them.

Vulnerability Scanning:

Automated tools (Nessus, OpenVAS, Qualys) to scan for known CVEs.
Manual analysis to catch business logic flaws, misconfigurations, or vulnerabilities scanners miss.

Goals:
Identify and validate vulnerabilities.
Correlate vulnerabilities with attack vectors.

Importance: This phase provides a roadmap for exploitation and reduces guesswork.

4) Exploitation

**What happens**:

Use vulnerabilities identified in the previous phase to gain unauthorized access.
Custom exploits or tools like Metasploit, SQLMap, or manual techniques.
Bypass controls like authentication, input validation, or privilege restrictions.

Rules: Must avoid unnecessary damage, data loss, or downtime (per rules of engagement).

Importance: Exploitation shows practical risk—not just theoretical vulnerabilities.

5) Post-Exploitation

**Goals**:

Determine the value of the compromised system.
Maintain access (if allowed) for further exploration (persistence).
Explore internal lateral movement opportunities.
Assess data exposure, privilege escalation possibilities.

Activities:
Extract sensitive information (passwords, PII, intellectual property).
Document pathways used to compromise systems.

Importance: Helps quantify business impact if an attacker were to succeed.

6) Reporting

Contents:

Executive summary: non-technical overview for stakeholders.
Technical details: vulnerabilities, exploits, affected assets.
Proof of concept (PoC): screenshots, logs, or videos proving exploitation.
Risk ratings: prioritize issues based on CVSS, business impact, or customized criteria.
Recommendations: actionable mitigation strategies.

Goals:
Provide clear, concise, prioritized findings.
Enable remediation by IT and security teams.

Importance: The report is the key deliverable—it justifies the pentest and drives security improvements.

7) Remediation Verification (Retesting)

What it is:

After fixes are applied, pentesters validate whether vulnerabilities were correctly patched or mitigated.

Goals:
Ensure security gaps are closed.
Update documentation and risk assessments.

Importance: Without retesting, organizations can’t be sure vulnerabilities are resolved.

Supporting Elements Throughout Methodology

Continuous Documentation:

Record each step, tools used, and findings.
Supports accurate reporting and repeatability.

Adherence to Standards:
Follow guidelines like OWASP Testing Guide, NIST SP 800-115, PTES (Penetration Testing Execution Standard), or OSSTMM.
Ensures thorough, professional, and ethical testing.

Communication:
Regular check-ins with stakeholders, especially if critical vulnerabilities or live incidents are discovered.

Why a Methodology Matters

Ensures consistency across engagements.
Provides a defensible, repeatable approach.
Reduces risk of missed vulnerabilities.
Aligns testing to business objectives and compliance requirements.

Common Pentesting Tools by Phase

1. Reconnaissance Tools

Reconnaissance is about gathering as much information as possible about the target, either passively (without touching it) or actively (with limited interaction).

➤ theHarvester

This tool gathers emails, subdomains, hosts, and employee names from public sources like Google, Bing, and LinkedIn. It’s often the first OSINT tool used in external recon.

➤ Shodan

Shodan is a search engine for discovering internet-connected devices. You can find webcams, servers, routers, and even exposed SCADA systems by filtering IP ranges, open ports, and banner info.

➤ Maltego

A powerful visualization and OSINT tool. It maps relationships between entities like domains, people, and email addresses, often producing mind-map-style diagrams useful in social engineering phases.

➤ Recon-ng

A full-featured reconnaissance framework written in Python. It mimics the look and feel of Metasploit but focuses on automated OSINT data collection, making it ideal for modular passive recon.

➤ Google Dorking

This is not a tool but a technique using advanced Google queries to uncover misconfigured websites, login pages, or documents exposed by accident.

➤ Nmap (for active recon)

While primarily used for scanning, Nmap is often used in recon to discover live hosts, open ports, and the services running on a network.

2. Scanning & Enumeration Tools

After identifying the target, this phase focuses on detailed information collection like user names, shares, directories, and vulnerabilities.

➤ Nmap

The go-to tool for port scanning, service discovery, and OS detection. With scripting capabilities (NSE), it can also perform banner grabbing, brute force, and vulnerability detection.

➤ Nessus

A commercial vulnerability scanner used to identify weaknesses like outdated software, default credentials, and misconfigurations. It provides rich reports and CVSS scores for each issue.

➤ OpenVAS

An open-source vulnerability scanner. It provides a broad set of checks similar to Nessus, with a frequently updated feed of CVEs.

➤ Nikto

A web server scanner that checks for over 6,700 potentially dangerous files, outdated server software, and insecure server configurations. It’s great for quick web server recon.

➤ DirBuster / Gobuster

These tools brute-force directories and files on web servers. Very effective for discovering hidden admin panels or configuration files not indexed by search engines.

➤ Enum4linux

Great for gathering information from Windows systems via SMB. It can reveal usernames, password policies, and shares if anonymous access is enabled.

➤ WhatWeb / Wappalyzer

These fingerprint the technologies used in web applications (like CMS, web servers, programming languages, JS libraries) — critical for planning exploitation paths.

3. Exploitation Tools

This phase is about gaining access to the system through discovered vulnerabilities or misconfigurations.

➤ Metasploit Framework

The most powerful exploitation framework available. With thousands of exploits, payloads, and post modules, it’s essential for almost every pentester. It streamlines the process of launching attacks, managing sessions, and automating tasks.

➤ MSFvenom

Used for creating custom shellcode and payloads to inject into vulnerable applications. Often used alongside Metasploit to create malicious files or reverse shells.

➤ SQLmap

Automates the process of detecting and exploiting SQL injection vulnerabilities. It can enumerate databases, dump data, and even spawn shells on vulnerable systems.

➤ Hydra

A fast and versatile brute-force tool used for testing login credentials on services like FTP, SSH, HTTP, and more. Useful for password attacks across various protocols.

➤ John the Ripper

A password cracking tool that can process password hashes and test them against dictionaries or use brute-force techniques. Works with many hash formats.

➤ Responder

A powerful tool for poisoning LLMNR/NBT-NS requests on local networks. It captures NTLMv2 hashes and can be used for credential relaying or offline cracking.

➤ Empire

A post-exploitation framework that uses PowerShell agents to control compromised Windows systems. Often used for persistence and privilege escalation.

4. Post-Exploitation Tools

Once you’ve gained access, post-exploitation is about maintaining access, escalating privileges, and exploring sensitive information.

➤ Mimikatz

A legendary tool for Windows post-exploitation. It can dump plaintext passwords, NTLM hashes, Kerberos tickets, and perform pass-the-hash or golden ticket attacks.

➤ PowerView

A PowerShell-based tool used for mapping out Active Directory environments. It helps find relationships between users, computers, and permissions — useful for lateral movement.

➤ BloodHound

A graph-based tool to visualize privilege escalation paths within an Active Directory environment. Combined with SharpHound (its data collector), it’s essential for red teaming.

➤ Netcat

A simple but powerful tool for establishing reverse shells, file transfers, and port listening. Often used for backdoors or pivoting.

➤ CrackMapExec (CME)

Combines multiple functionalities: password spraying, command execution, and enumeration in Windows networks. A favorite among pentesters for lateral movement.

➤ Meterpreter

Metasploit’s dynamic payload that allows for running scripts, keystroke logging, file transfers, and command execution without dropping binaries on disk

5. Reporting Tools

The most overlooked yet vital part of pentesting is reporting — conveying findings clearly.

➤ Dradis

A collaboration and reporting platform that integrates with tools like Metasploit, Nessus, and Burp Suite. It helps you centralize and organize findings with screenshots, logs, and CVE data.

➤ Faraday

An integrated pentest environment that consolidates findings and tracks vulnerabilities across large engagements. It supports multiple users and integrates with tools like Nmap, Burp, and OpenVAS.

➤ Serpico

A report generation tool with custom templates and vulnerability libraries. Useful for producing client-ready reports with consistent formatting.

➤ CherryTree

A hierarchical note-taking app, ideal for organizing manual findings, logs, scripts, and steps during engagements. Supports rich text and encryption.

6. Retesting Tools

Retesting is the validation phase where fixed vulnerabilities are tested again.

➤ Burp Suite

After patching a web vulnerability, Burp can be used to re-run the exploit manually and validate if the issue has been resolved.

➤ Nmap (with NSE scripts)

With its scripting engine, Nmap can verify specific patches or configurations (e.g., SMBv1 disabled, SSL certs fixed).

➤ Nessus / OpenVAS

Delta scans can be run after fixes to compare with previous results and confirm the absence of prior vulnerabilities.

Legal & Ethical Considerations

Pentesting must follow:

Written and signed authorization (Rules of Engagement)

Defined scope, timeframe, and targets

Full confidentiality

Compliance with laws (e.g., GDPR, HIPAA, PCI DSS)

Never perform unauthorized testing — it is illegal and unethical.

Benefits of Penetration Testing

Proactively identifies security gaps

Reduces attack surface

Helps meet compliance

Builds customer trust

Strengthens incident response

Enhances security awareness

Real-World Example

1. Reconnaissance Phase

Case: Email Harvesting for Social Engineering – theHarvester

In a real-world red team assessment for a financial institution, testers used theHarvester to scrape emails from public sources (Google, LinkedIn). These emails were later used in a phishing campaign to assess employee awareness and simulate attacker behavior. Several users clicked malicious links — proving the effectiveness of early reconnaissance.

Case: Discovering Exposed Cameras – Shodan

A security audit for a smart city infrastructure in Europe revealed that Shodan indexed thousands of unsecured traffic cameras. Some had default credentials (admin/admin), giving full access to attackers. This helped city authorities recognize risks in IoT deployment.

Case: Corporate Mapping – Maltego

A cybersecurity firm used Maltego to map out the digital footprint of a client’s HR department. They uncovered connections between employees, email addresses, and phone numbers — enough information to simulate a targeted social engineering attack (CEO impersonation).

2. Scanning & Enumeration Phase

Case: Identifying Vulnerable Web Server – Nikto

A pentester scanning a hospital’s intranet found a vulnerable Apache web server using Nikto, which flagged a known file inclusion flaw. The vulnerability was later used in exploitation to gain access to internal patient management systems.

Case: Internal Network Weakness – Nmap & Enum4linux

During an internal assessment of a university, Nmap identified a Windows server with SMB open. Enum4linux was then used to enumerate users and shared folders, uncovering sensitive student data and outdated credentials — leading to major remediation.

Case: Hidden Admin Panel – Gobuster

A web application for an e-commerce site had no visible admin panel on its main page. Gobuster was used to brute-force directories and discovered /admin_secret/, which had no login rate limiting and weak credentials. This resulted in full site compromise.

3. Exploitation Phase

Case: Gaining Shell via SQL Injection – SQLmap

In a bug bounty scenario, a researcher found a SQL injection in a product filtering page. Using SQLmap, they not only extracted the database but also uploaded a PHP reverse shell, gaining server-level access and winning a high-tier bounty.

Case: Exploiting EternalBlue – Metasploit

A pentester in a corporate network discovered a machine running an outdated Windows OS vulnerable to MS17-010 (EternalBlue). Using Metasploit, they exploited the flaw and deployed a Meterpreter shell, moving laterally to compromise domain controllers.

Case: Password Spray on SSH – Hydra

A fintech firm authorized a red team engagement where Hydra was used to perform a controlled password spray on SSH services. Multiple users were using Winter2024! as a password — revealing weak password policies and leading to a full access escalation plan.

4. Post-Exploitation Phase

Case: Dumping Domain Admin Hashes – Mimikatz

After gaining local admin access on a Windows server, Mimikatz was used to extract NTLM hashes, one of which belonged to a domain admin. The hash was then used in a pass-the-hash attack to take control of the entire Active Directory environment.

Case: Mapping AD Attack Paths – BloodHound

A pentester for a manufacturing firm used BloodHound to analyze AD permissions. It uncovered a low-privilege account that could escalate through a chain of misconfigured GPO permissions — a “shortest path to DA” route that had gone unnoticed for years.

Case: Backdooring a Machine – Netcat

During a controlled red team assessment, after exploiting a vulnerability in a public FTP server, the tester used Netcat to spawn a reverse shell, allowing continued access. This backdoor was used to simulate data exfiltration from internal file servers.

5. Reporting Phase

Case: Client-Facing PDF with Dradis

In a government assessment engagement, pentesters used Dradis to generate detailed findings with CVSS scores, screenshots, logs, and remediation advice. The structured and organized reporting helped stakeholders easily understand and prioritize vulnerabilities.

Case: Collaborating in Real Time – Faraday

A large financial institution’s engagement required 3 pentesters working across locations. Faraday allowed them to share findings in real time, cross-reference vulnerability scans, and keep synchronized records — drastically improving productivity and reducing redundancy.

6. Retesting (Validation) Phase

Case: Validating Fixes for Critical Web Vulns – Burp Suite

After the dev team fixed a critical XSS and SQLi vulnerability, the pentester used Burp Suite to replicate the exact requests and test the fixes. Burp’s repeater and intruder functions confirmed input sanitization was properly implemented.

Case: Re-Scanning with OpenVAS

In a telecom company’s follow-up audit, OpenVAS was used to rerun the full internal scan. The results showed previously flagged high-severity vulnerabilities were no longer present, giving the green light for compliance clearance.

Who Performs Pentesting?

In-house security teams

Independent consultants

Security firms

Bug bounty researchers

Certifications to become a pentester:

1. CEH – Certified Ethical Hacker (by EC-Council)

Overview: CEH is one of the most popular entry-level certifications for those beginning in ethical hacking and penetration testing.

What it Covers:

Reconnaissance, scanning, enumeration
System hacking, Trojans, backdoors, viruses, worms
Web server and application attacks
SQL injection, session hijacking
Cloud, IoT, and wireless hacking
Social engineering techniques

Why it’s Important:
It gives a broad foundation of ethical hacking concepts
Recognized by companies and governments worldwide
Good for beginners transitioning from IT or networking to security

Exam Details:
Multiple-choice questions (125 questions in 4 hours)
Practical CEH (CEH Practical) also available for hands-on validation

2. OSCP – Offensive Security Certified Professional (by Offensive Security)

Overview: The OSCP is a gold standard in the pentesting world and focuses heavily on hands-on, real-world scenarios.

What it Covers:

Advanced exploitation
Buffer overflow, privilege escalation
Post-exploitation and pivoting
Writing custom scripts (mostly in Python/Bash)
Active Directory and Windows attacks
Manual hacking methodology (no automated tools)

Why it’s Important:
Highly respected by employers
Demonstrates real technical skill and discipline
Considered a “rite of passage” for serious pentesters

Exam Details:
24-hour hands-on exam
Must hack multiple machines and write a detailed report

3. eCPPT – eLearnSecurity Certified Professional Penetration Tester (by INE/eLearnSecurity)

Overview: The eCPPT is a mid-level certification that blends theory with hands-on pentesting labs. It is designed to test your real-world penetration testing workflow.

What it Covers:

Network pentesting (internal/external)
Web application attacks
Wi-Fi and mobile testing
Reporting and communication
Advanced post-exploitation

Why it’s Important:
Fully practical, self-paced
No strict time-limited exam like OSCP
Good for learners who want deep understanding + flexibility

Exam Details:
Perform a pentest on a virtual lab environment
Submit a detailed professional report

4. GPEN – GIAC Penetration Tester (by SANS/GIAC)

Overview: GPEN is a certification based on the SANS SEC560 course, focusing on standard penetration testing techniques.

What it Covers:

Reconnaissance and scanning
Exploitation and privilege escalation
Password attacks and post-exploitation
Penetration testing methodology
Legal and ethical considerations

Why it’s Important:
Comes from SANS, a highly prestigious training provider
Focuses on both practical and theoretical aspects
Trusted by government and defense agencies

Exam Details:
82 multiple-choice questions in 3 hours
Open-book exam

5. GWAPT – GIAC Web Application Penetration Tester

Overview: GWAPT is specialized for web application security testing, derived from the SANS SEC542 course.

What it Covers:

Cross-site scripting (XSS)
SQL injection
CSRF, SSRF, XXE, and web logic flaws
Authentication bypass
Web app testing methodology

Why it’s Important:
Highly valued for web pentesters
Helps you focus on OWASP Top 10 and beyond
Often used for red team engagements on web apps

Exam Details:
75 multiple-choice questions
2 hours, open book

6. CRTP – Certified Red Team Professional (by Pentester Academy)

Overview: CRTP is focused on Active Directory exploitation and internal infrastructure attacks.

What it Covers:

Enumeration of users, groups, and policies in AD
Kerberoasting, Pass-the-Hash, AS-REP roasting
Privilege escalation in Windows environments
Lateral movement using built-in tools (no Metasploit)

Why it’s Important:
Excellent for pentesters working in corporate/internal environments
Bridges the gap between general pentesting and red teaming
Highly respected among Windows-focused pentesters

Exam Details:
24-hour hands-on lab
Must compromise a Windows domain and submit a report

7. CPT – Certified Penetration Tester (by IACRB)

Overview: The CPT offers foundational training in ethical hacking and penetration testing practices.

What it Covers:

Network scanning and exploitation
Web application attacks
Wireless network testing
Malware and Trojans
Report writing and client engagement

Why it’s Important:
Focuses on a broader range of real-life attack vectors
Good entry-level option with practical and written components
Recognized in many private cybersecurity firms

Exam Details:
Two parts: written exam and hands-on lab

8. CompTIA PenTest+

Overview: PenTest+ is a vendor-neutral certification suitable for mid-level security professionals.

What it Covers:

Planning and scoping a pentest
Reconnaissance and vulnerability scanning
Exploitation and reporting
Scripting and tool usage

Why it’s Important:
Good for IT professionals transitioning to offensive security
Includes soft skills and legal compliance topics
Well-rounded and entry-accessible

Exam Details:
85 questions (multiple choice + performance-based)
165 minutes exam duration

Bonus: CREST Certifications

Overview: CREST provides certifications that are recognized internationally, especially in the UK and Europe, and are often required for government/regulated sectors.

Levels Available:

Practitioner Security Analyst (CPSA)
Registered Penetration Tester (CRT)
Certified Infrastructure Tester (CCT INF)
Certified Web Application Tester (CCT APP)

Why it’s Important:
Highly regulated and deeply respected
Required for government-level red teaming
Includes rigorous hands-on testing