In this module we take a deeper dive into penetration testing. We begin by pointing out that since vulnerability assessments and pen testing can be disruptive, certain precautions and administrative steps must be undertaken prior to testing. This requires alerting senior management and getting their sign off. In addition, it is vital that policies and procedures set forth by the organization be understood and followed and that well-defined goals for the testing be identified and tracked. We underscore the scope of the tester's responsibilities during testing. A tester's mandate is to determine if a system can withstand an attack. The tester tests and documents. Testers are not responsible for resolving any vulnerability issues they discover! This falls under the important security principle of the separation of duties. A successful pen tester must not only be knowledgeable about technology, but must also be creative. The tester must think like an attacker. This is a case where it's OK to break the rules! Crafty tactics such as social engineering and sniffing out the path of least resistance are key to being an effective pen tester. We offer a final word of advice to aspiring pen testers: don't overlook small weaknesses as these can often lead to big failures!