Penetration tests are complex, time-consuming, resource-intensive, and expensive: all attributes that tend to turn away executive sponsors and other business stakeholders. On the other hand, there is no better way for an organization to gain an understanding of its true cyber-business risk than through a series of well-thought-out, meticulously planned, and carefully controlled penetration testing and ethical hacking engagements. Given those undesirable attributes, however, how does one ensure that a penetration test provides optimal business value in the most cost-effective manner?