Imagine building a strong brick wall to defend against attack. Suppose one small segment of that wall is fragile because the builder failed to mix the cement properly. A visual inspection of the wall would not reveal this flaw. In fact, the wall may still work very well at deterring intruders, and the weak spot might go undetected for a long time.
But if a determined intruder arrives on the scene, they will try everything they can to get through, leading them to discover and exploit the weak spot. Penetration testing keeps this from happening by acting like the would-be intruder. A penetration test of the wall would involve someone trying just as hard as the intruder to break through, leading to timely discovery of the existing weak spot. The wall can then be repaired and reinforced before any bad actors show up.
Even with the best preventative security measures in place, it is possible to end up with vulnerabilities. The cause of these potential exploits may be software or hardware design flaws, problems with system configuration, poor password management, or a simple human error. The individuals involved in building a computer system or network may have the best intentions, but all it takes is one weak spot for a hacker to get in.
Penetration testing should be done regularly and include testing of all software and applications, including operating systems, hardware, network, processes, and even end-user behavior. For example, a penetration tester might send fake phishing emails to see if any employees are vulnerable to this type of attack.