An authorized, scoped attempt to find and exploit security weaknesses in a system, network, or application to validate defensive controls.