
I have always wondered if penetration testing is a preventive or detective control. My view is that it is both preventive (preventive as it scans for vulnerabilities, which can be fixed to prevent cyberattacks) and detective (detects any vulnerabilities found on a system). Correct me if I am wrong.

synthesis

2 Answers


It is always preventative. Detective controls detect an intrusion in progress. A penetration test is not an intrusion as it is an intended and approved use of the system, even if the use is simulating a breach. It is a preventative measure to keep actual attacks from occurring by finding holes that need to be fixed.

The argument could possibly be made that they are also corrective if you characterized it as an attack, since the intent is to make corrections to the system, but I think this is a weak characterization as the entire point of the activity is to prevent a real attack in the first place, thus preventing the attack.

AJ Henderson

To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

- Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.

I found this short explanation of these processes on Wikipedia. If we are to consider the definitions above correct, then pen testing should in theory happen before an event. This would make it fall under preventive controls.

Edit: My personal view is that a pen test is there to prevent an intrusion by making sure the "doors and the windows" are locked. It doesn't find an attack/attacker; it just finds a path some might use to attack you/your company.

sir_k