Threat reproduction is a critical component of quality security testing services. The best way to determine how effective a particular defense is, is to expose that defense to a realistic threat. Testing at less-than-realistic threat levels will produce passing but false results.
Penetration Testing is used to test the effectiveness of a bulletproof vest before the vest goes into production manufacturing. Penetration Testing works by placing the vest on a dummy and firing live rounds at it. If a single bullet manages to penetrate the vest, the vest has failed the test. If no bullets penetrate the vest, the test is a success. It is critically important that the vest is tested at a level of threat at least equal to what it is likely to encounter in the field. If the vest is tested at less-than-realistic threat levels, then the vest will likely be ineffective in the field.
The IT Security industry should follow the same high-threat philosophy, but it usually doesn't. The average Network Penetration Test is driven by automated scanners whose output is then passed to a team of engineers. The engineers vet, validate or verify the results and produce a final customer deliverable. This type of automation-dependent testing is usually (but not always) low threat. This is akin to testing a bulletproof vest with a BB gun instead of