The first requirement of any penetration test is the mutal agreement for the rules of engagement, and an authorisation to be able to perform these tasks. Depending upon the level required, it can provide information to protect the organisation from certain attacks. It must be noted that any findings are only related to the current configuration, and implementation of the current software. This is why some companies will have penetration tests performed after a specific period has elasped, or there have been significant changes to the network topology, OS software or applications.

When implementated correctly it can also provide a good test and review of the IT personal and technology imployed to defend the organisation against any adversary. But it needs to be carried out in such a way that there is no or a minimal effect to actual day to day running of the business.