Penetration testing is the authorized, ethical hacking of systems to identify vulnerabilities before an attacker does. It is typically conducted annually or whenever systems change significantly, using tools such as Wireshark, Nmap, Metasploit, and John the Ripper. The process moves through reconnaissance, threat modeling, exploitation, post-exploitation, and re-testing phases; the findings are used to measure compliance with security policy, identify weak spots, prevent serious incidents, and help developers build more secure applications.