Is pen testing software real or simulated?

[tejas43]

I'm curious if pen testing software actually launches real versions of the malware and viruses in your target environment, or if they use some type of sandbox to safely test these things? In other words, could someone buy pen testing software and use it to actually hack into someone's system without their permission?

[jerry.webb]

We usually test in a Virtual Machine running on a PC - this way we can set the initial OS image up just in the same way as it would be on an end-user device and take a snapshot of it to use for tests for different customer configurations. We use Oracle Virtual Box or similar. I am not sure I understand the question about someone taking over your PC remotely? Using pen tester software we could take over a remote PC if there is a vulnerability in the software. The pen tester is looking for vulnerabilities that haven't been fixed in a VM rather than testing a take-over attempt. One cannot tell a real machine from a virtual machine easily.