Goal Oriented Pentesting – Joshua "Jabra" Abraham
Penetration testing is all about achieving goals and not about finding vulnerabilities.
Another one who gets it. I wrote about this a while back in my post, Vulnerability Assessment vs. Penetration Test.
In my opinion, many very smart people in infosec completely miss the point on this, including Johannes Ullrich, CTO of SANS. He thinks that the definition of a *poor* pentest is going after a single goal and not finding *ALL* the vulnerabilities.
My point, and presumably Joshua Abraham would agree, is that there is already a name for a test where you enumerate vulnerabilities. It's called a vulnerability assessment.
Very simple: If you're making a list of problems, it's a vulnerability assessment; if you're trying to exploit whatever you find in order to accomplish a specific goal, it's a pentest.