Pentests: Unit Tests for Security?

In software and systems development… scratch that. Whenever you make any complex device or system, it’s best practice to test the parts, and then test the completed system. Testing the parts is often referred to as Unit Testing; testing the system, well, System Testing.

For many reasons, clients ask for penetration testing of some small unit or group. Typically they also have a set of rules of engagement (ROE) that further limits the testing. At this point this is getting awfully close to QA acceptance testing (here’s your test plan, stick to it).

So my question is, if vulnerability assessments are routine validation, and penetration tests are essentially Unit Tests of particular sections of the environment, where’s the System Test? Wait, scratch that too. The system test is the one you get for free; at least until the incident response team shows up.

