Penetration Testing simulates attackers attempting to circumvent security controls in order to gain unauthorized access to systems.
Penetration Testing is to find as many vulnerabilities and configuration issues as possible in the time allotted, and exploiting those vulnerabilities to determine the risk of the vulnerability. This does not necessarily mean uncovering new vulnerabilities (zero days), it’s more often looking for known, un-patched vulnerabilities
For organizations with mature security programs, “Red Team Assessments” is also recommended. Unlike Penetration Testing, the goal of the Red Team Assessment is not to find as many vulnerabilities as possible, but to test the organization’s detection and response capabilities (the Blue Team) during the attack.
In order to get the job done, the Red Teamer is free to use any additional techniques such as Social Engineering, Phishing, Lock Picking, Custom Malwares, etc. Essentially, they are perfectly positioned to replicate what a highly capable and determined real-world attacker would do, but in a manner that is both controlled and sanctioned.
In oder world, the red team will try to get in and access sensitive information in any way possible, as quietly as possible.