This is where people deliberately try to gain access to your systems and data without authorization. They try to find the holes in your security so that you can patch them before a real threat actor gets in. These people might be working for you, or they might be consultants that you hire. They're generally interested in testing your actual technology systems, which is an important part of a strong defense.

A step up from pen testing is the idea of red teams and red team operations against blue teams, which tends to be a more holistic activity. The red team, a role often performed by trusted outside consultants, pretends to be an actual threat actor. Like a pen tester, they're trying to gain access to your systems. But unlike a pen tester, they'll try to use every dirty trick that the actual adversary would, and they'll proceed past your external boundary to carry out persistent post-exploitation operations. This allows your defenses to be tested over a longer period of time, with the red team focused on achieving specific outcomes, or actions on objectives, across the full lifecycle of an attack. The idea is to expose the holes wherever they may exist in your organization so that they can be fixed. They may try to use social engineering against the people in your company.