Determining the likelihood that the specific system under evaluation could be compromised by an attacker with access to computers connected to the company's network. Investigation of whether or not an attacker could penetrate the system, without the company providing any more information than would naturally be available to legitimate users.