A security program manager wants to actively test the security posture of a system. The system is not yet in
production and has no uptime requirement or active user base. Which of the following methods will produce a
report which shows vulnerabilities that were actually exploited?