Most data-driven modern enterprises have gone to great technical and monetary lengths to create a semblance of security for the physical and logical systems and assets. Short of disconnecting the WAN Internet connection and building an impenetrable fortress around every corporate system, there will likely always be vulnerabilities and exploits those malicious actors can and will exercise. It is our job, as information security managers, to identify and mitigate system vulnerabilities in such a way that the business processes can continue to operate, and data remains safe and secure. One viable method for system and resource access is through a “back-door attack” that utilizes a “known or newly discovered” exploit to gain unauthorized access through nonconventional means (Whitman & Mattord, 2019 ,p.98-99) This threat vector can be the result of a software or hardware vulnerability or from a virus or malware program running on a system or device within the network. This type of attack can lead to many negative consequences for the enterprise, including data loss, system damage, unauthorized user privilege escalation, and potential harm to workers or communities.

To address issues with backdoor, virus, and malware vulnerabilities, many IT professionals are turning to in-house or 3^rd party teams of testers that attempt to penetrate the enterprise security system by using tools and techniques designed to identify and execute system exploits. Pen testers and ethical hackers, as they are known within the industry, seek to exploit vulnerabilities under controlled circumstances in a professional and safe manner, based on the predefined scope and set of operating rules (Orchilles, 2020). The documented success and failure of these teams in performing exploits on the targeted systems gives IT managers and security practitioners valuable information and insight on how to close holes in the system perimeter and mitigate threats through detection and avoidance. 

Would it be more advantageous for intercompany personnel to perform penetration testing on company-owned assets, or would 3^rd party (external) pen-testing be more productive?

References:

Orchilles, J. (2020). Ethical Hacking from Vulnerability Scanning to Adversary Emulation. ISSA Journal, 18(6), 20–25.

Whitman, M. E., & Mattord, H. J. (2019). Principles of Information Security (6th ed.). Cengage.