Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >Assessment, Authorization, And Monitoring
  4. >SP800-53-CA-8
SP800-53-CA-8Active

Penetration Testing

Statement

Conduct penetration testing frequency on system(s) or system components.

Location

Control Family
Assessment, Authorization, and Monitoring

Control Details

Identifier
SP800-53-CA-8
Family
CA

Organisation-Defined Parameters

ca-08_odp.01
frequency
ca-08_odp.02
system(s) or system components

Supplemental Guidance

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

Assessment Objective

penetration testing is conducted frequency on system(s) or system components.

ATTACK
ATTACK-T1021.001relatedvia ctid-attack-to-sp800-53
ATTACK-T1053relatedvia ctid-attack-to-sp800-53
ATTACK-T1053.002relatedvia ctid-attack-to-sp800-53
ATTACK-T1053.003relatedvia ctid-attack-to-sp800-53
ATTACK-T1053.005relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Assessment, Authorization, and Monitoring
Assessment, Authorization, and Monitoring32 controls
SP800-53-CA-1Policy and ProceduresSP800-53-CA-2Control AssessmentsSP800-53-CA-2(1)Independent AssessorsSP800-53-CA-2(2)Specialized AssessmentsSP800-53-CA-2(3)Leveraging Results from External OrganizationsSP800-53-CA-3Information ExchangeSP800-53-CA-3(1)Unclassified National Security System ConnectionsSP800-53-CA-3(2)Classified National Security System ConnectionsSP800-53-CA-3(3)Unclassified Non-national Security System ConnectionsSP800-53-CA-3(4)Connections to Public NetworksSP800-53-CA-3(5)Restrictions on External System ConnectionsSP800-53-CA-3(6)Transfer AuthorizationsSP800-53-CA-3(7)Transitive Information ExchangesSP800-53-CA-4Security CertificationSP800-53-CA-5Plan of Action and MilestonesSP800-53-CA-5(1)Automation Support for Accuracy and CurrencySP800-53-CA-6AuthorizationSP800-53-CA-6(1)Joint Authorization — Intra-organizationSP800-53-CA-6(2)Joint Authorization — Inter-organizationSP800-53-CA-7Continuous MonitoringSP800-53-CA-7(1)Independent AssessmentSP800-53-CA-7(2)Types of AssessmentsSP800-53-CA-7(3)Trend AnalysesSP800-53-CA-7(4)Risk MonitoringSP800-53-CA-7(5)Consistency AnalysisSP800-53-CA-7(6)Automation Support for MonitoringSP800-53-CA-8Penetration TestingSP800-53-CA-8(1)Independent Penetration Testing Agent or TeamSP800-53-CA-8(2)Red Team ExercisesSP800-53-CA-8(3)Facility Penetration TestingSP800-53-CA-9Internal System ConnectionsSP800-53-CA-9(1)Compliance Checks