
Open access
Published: 06 February 2017

Overview and open issues on penetration test

Daniel Dalalana Bertoglio and Avelino Francisco Zorzo

Journal of the Brazilian Computer Society, volume 23, Article number 2 (2017)


Several studies on security testing for corporate environments, networks, and systems have been developed in the past years, so understanding how methodologies and tools for security testing have evolved is an important task. One driver of this evolution is the penetration test, also known as Pentest. The main objective of this work is to provide an overview of Pentest, showing its application scenarios, models, methodologies, and tools as reported in published papers. This work may therefore help researchers and security practitioners understand the aspects of, and existing solutions for, Pentest. A systematic mapping study was conducted: 1145 papers were initially gathered, of which 1090 distinct papers were evaluated. At the end, 54 primary studies were selected and analyzed quantitatively and qualitatively. As a result, we classified the tools and models used in Pentest and show the main scenarios to which these tools and methodologies are applied. Finally, we present some open issues and research opportunities in Pentest.

Introduction

The security risks for companies, organizations, and entities that handle sensitive data, in the public sector or elsewhere, are evident. In many situations, these organizations cannot grasp the extent of their increasingly complex communication infrastructures and have little or no control over them [ 1 ]. These risks grow further when the applications running on that infrastructure are taken into account. Risks that are not controlled increase the number of successful attacks, which can translate into large financial losses.

Security is usually provided through three kinds of protection mechanisms: prevention, detection, and response. Prevention tries to stop intruders from gaining access to the resources of the system. Detection applies when an intruder has succeeded, or is in the process of gaining access to the system. Finally, response is an after-the-fact mechanism that acts on the failure of the first two: it tries to stop ongoing damage and to prevent future damage or access to the facility [ 2 ].

Assessing the security state is therefore a continuous and necessary task for understanding the risks that exist. This assessment is usually performed through security tests, so choosing the right security testing techniques is important for minimizing the security risks of any organization [ 3 ].

One well-known way to assess the state of security and reduce risk is the penetration test (Pentest). A Pentest is a controlled attempt to penetrate a system or network in order to identify vulnerabilities. It applies the same techniques an attacker would use in a real attack, which allows appropriate measures to be taken to eliminate the vulnerabilities before they can be exploited by unauthorized parties [ 4 ].

Such attacks aim to read, damage, or steal data, and can be classified as follows [ 5 ]:

Denial of service (DoS): an attacker makes some computing resources too busy to handle legitimate requests.

Remote to user (R2L): an attacker who does not have an account on a remote machine sends packets to that machine over a network and exploits some vulnerability to gain local access as a user of that machine.

User to root (U2R): an attacker starts out with access to a normal user account on the system and is able to exploit system vulnerabilities to gain root access to the system.

Probing: an attacker scans a network of computers to gather information or find known vulnerabilities. An attacker with a map of machines and services that are available on a network can use this information to look for exploits.
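Each of the four categories above corresponds to something observable at the connection level, which is how they are usually detected in practice: a probe touches many distinct targets, a DoS floods one target with half-open connections, an R2L attempt shows up as repeated failed remote logins, and a U2R attack as an ordinary user session that ends with a root shell. The following is an added example, not code from the paper, that applies simple per-source rules to a constructed, KDD-style connection log; the field layout, the thresholds, and the addresses are all assumptions chosen for illustration.

```python
"""Rule-based tagging of the four attack categories (DoS, R2L, U2R, probing)
over a constructed connection log. Added example; thresholds are assumptions."""
import csv
import io
from collections import defaultdict

# One record per connection, KDD-style (assumed layout for this example):
# ts,src,dst,dport,service,flag,logged_in,failed_logins,root_shell,su_attempted
FIELDS = ["ts", "src", "dst", "dport", "service", "flag",
          "logged_in", "failed_logins", "root_shell", "su_attempted"]

# Thresholds are illustrative assumptions, not values from the paper.
PROBE_MIN_DISTINCT_TARGETS = 10   # distinct (host, port) pairs touched by one source
DOS_MIN_HALF_OPEN = 20            # S0 (SYN, no reply) connections to one host:port
R2L_MIN_FAILED_LOGINS = 3         # failed remote logins from one source


def parse_records(text):
    """Parse the header-less CSV log into dicts with numeric fields converted."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip()), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        for f in ("logged_in", "failed_logins", "root_shell", "su_attempted"):
            row[f] = int(row[f])
        records.append(row)
    return records


def classify(records):
    """Return {source_ip: set of categories}; an empty set means no rule fired."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    verdicts = {}
    for src, rs in by_src.items():
        cats = set()
        # Probing: one source touching many distinct host:port targets.
        if len({(r["dst"], r["dport"]) for r in rs}) >= PROBE_MIN_DISTINCT_TARGETS:
            cats.add("probing")
        # DoS: a flood of half-open (S0) connections to a single host:port.
        half_open = defaultdict(int)
        for r in rs:
            if r["flag"] == "S0":
                half_open[(r["dst"], r["dport"])] += 1
        if half_open and max(half_open.values()) >= DOS_MIN_HALF_OPEN:
            cats.add("dos")
        # R2L: repeated failed logins over the network (attacker has no local account).
        if sum(r["failed_logins"] for r in rs) >= R2L_MIN_FAILED_LOGINS:
            cats.add("r2l")
        # U2R: an ordinary logged-in session ends up with a root shell without su.
        if any(r["logged_in"] and r["root_shell"] and not r["su_attempted"] for r in rs):
            cats.add("u2r")
        verdicts[src] = cats
    return verdicts


def build_sample_log():
    """Constructed log (not real traffic): one source per category plus a benign one."""
    lines = []
    for i, port in enumerate(range(20, 32)):          # 12 ports swept, all rejected
        lines.append(f"{i},10.0.0.5,10.0.0.9,{port},other,REJ,0,0,0,0")
    for i in range(25):                               # 25 SYNs never completed
        lines.append(f"{100 + i},10.0.0.6,10.0.0.9,80,http,S0,0,0,0,0")
    for i in range(4):                                # 4 failed FTP logins
        lines.append(f"{200 + i},198.51.100.7,10.0.0.9,21,ftp,SF,0,1,0,0")
    lines.append("300,10.0.0.8,10.0.0.9,23,telnet,SF,1,0,1,0")  # user session -> root shell
    for i in range(3):                                # ordinary web sessions
        lines.append(f"{400 + i},10.0.0.10,10.0.0.9,80,http,SF,1,0,0,0")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, cats in classify(parse_records(build_sample_log())).items():
        print(f"{src:15} {sorted(cats) or 'no rule fired'}")
```

The rules are deliberately per-source and stateless across windows; a real detector would apply them over a sliding time window and would tune the thresholds per service, since a single vulnerability scanner run will legitimately look like probing from the tester's own address.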

Several of the activities in this classification are also part of the Pentest process. The Pentest process is usually divided into the following activities: gathering data about the target system; scanning the target system to identify the available services and protocols; identifying the systems and applications running on the target; and identifying and exploiting known vulnerabilities in those systems and applications [ 6 ]. Beyond the objective mentioned in the previous paragraph, a Pentest can also be used to check whether the security team is performing its task appropriately and whether the company's security process is comprehensive.

Applying a Pentest is one way to evaluate the security level of a system: the more thorough the Pentest, the more complete the evaluation of the system's weaknesses and strengths. Several issues have to be taken into consideration when defining the activities and criteria of a Pentest, for example, the legal implications and the type of information that will be accessed. Accordingly, the application of a Pentest can be classified along the following dimensions [ 4 ]:

Information base: level of knowledge about the company before the execution of Pentest.

Aggressiveness: depth level of the test, i.e., determine whether it is trying to identify the main vulnerabilities or whether it should exploit all possible attacks.

Scope: set for a specific environment or to a general environment.

Technique: what are the techniques and methodologies used on Pentest.

In order to understand how Pentest is being investigated and how it has evolved in the past years, this work presents a systematic mapping study (SMS) [ 7 ] conducted to map out the Pentest field. The paper also aims to identify research trends, methodologies, scenarios, and tools in Pentest. An SMS is a secondary study that finds and aggregates the evidence available on a specific subject. It thus provides an overview of a research area and identifies the quantity, quality, and kind of research, as well as the available results. This study can therefore serve as a basis for primary studies, since its results identify the available models, scenarios, and tools. It also provides a discussion of the existing open issues in the area. The main contribution of this paper is an overview of the studies on penetration test.

This paper is organized as follows. The “ Related work ” section describes related studies that map the concepts of the Pentest context. The “ Systematic mapping study ” section describes the SMS planning; the conduction, which presents the activities of the SMS; the results, which describe all obtained results; and the threats to validity of this study. The “ Discussion ” section presents the discussion based on the defined research questions. The “ Lessons learned and future directions ” section discusses the main contributions and lessons learned in this study and points out some open issues. The “ Removing vulnerabilities: before deployment ” section discusses other ways that might be used to remove vulnerabilities before a system is deployed. Finally, the “ Conclusion ” section presents the final considerations about this research.

Related work

In the last years, Pentest became an important area and several studies have been developed and applied to improve security in data, systems, and networks. However, there are just a few mapping studies, surveys, or overviews that gather this information in order to show researchers what has been done and what directions they should follow.

Mirjalili and Alidoosti [ 8 ] present a survey on Web Pentest, discuss models, and compare vulnerability scanning tools. They also gather works that propose new methods or tools for Web Pentest. Their work shows a selection of primary studies identified in three different ways: studies comparing existing methods and tools, studies suggesting a new method or tool, and studies that suggest test environments for Web Pentest. First, the survey compares 13 different open-source scanning tools, evaluating criteria regarding their structure (interface, settings, usability, stability, and performance) and their features (spider, manual crawl, file analysis, logging, and reports). A comparison along the same lines is also performed among seven commercial scanning tools, evaluating only their features. In general, the authors' main contribution lies in relating the operation of vulnerability scanning tools to their application scenarios, target environments, and limitations.

Al-Ghamdi [ 9 ] discusses the existing security testing techniques. The study focuses on Pentest in relation to other testing techniques, such as fuzz testing, binary code analysis, and vulnerability scanning. Conceptually, the author treats Pentest as ethical hacking and highlights the division of Pentest into black box, white box, and gray box.

Bishop [ 10 ] treats the details in Pentest, discussing the correct interpretation of the Pentest, and reiterates the need of a detailed analysis about the activities that are part of a Pentest. In the same way, Geer and Harthorne [ 11 ] show the main approaches and opinions about Pentest in a study that is used by several different studies as a conceptual base.

Systematic mapping study

The idea behind an SMS is to provide a process to identify and investigate a specific research area. A systematic literature review, on the other hand [ 12 ], aims to analyze, evaluate, and interpret all the research papers available for a given research question. The SMS provides a broader view of the existing primary studies on a research theme.

For this objective, this SMS follows the process proposed by Petersen et al. [ 7 ], as shown in Fig. 1 .

Fig. 1 Systematic mapping study process

The process shown in Fig. 1 is divided into three phases: planning, conduction, and reporting. Each phase is composed of activities, and the activities inside each phase produce artifacts. The SMS planning is described in this section, the study conduction is presented in the “ Conduction ” section, and the SMS report phase is discussed in the “Result analysis” section.

Scope and objective

In this SMS, we focus on identifying the main contributions regarding penetration tests and on providing an overview of the models, methodologies, and tools used in this research area. The aim of this research is therefore to provide a foundation on the Pentest process and its general structure. The results allow a comprehensive analysis by researchers, security analysts, and related professionals through the discussion of such models, methodologies, and tools.

Question structure

The structure of this SMS is based on the PICO (Population, Intervention, Comparison, Outcome) criteria [ 12 ].

Population: establishes the target population of the research method. In this paper, the population is the published research papers on information security.

Intervention: represents the specific issue related to the research objective. Here, the intervention is penetration test.

Comparison: defines what will be compared with the intervention. In this systematic mapping, the comparison is not applied.

Outcome: the obtained results, like type and quantity of the evidences regarding penetration tests, in order to identify the tools, models, methodologies, scenarios, and main challenges in this area.

Research questions

We defined the following research questions (RQ):

What are the main tools used in Pentest?

Question defined to identify the tools that are used for Pentest, since in security testing the tool set is very broad.

What are the target scenarios in Pentest?

Question to identify the environments, contexts, and applications that normally represent the Pentest target.

What are the models used in Pentest?

Question to determine if the standardization in Pentest area is a consolidated alternative and what are the related methodologies and standards.

What are the main challenges in Pentest?

Question to map the main open problems, challenges, and possibilities to new studies in Pentest.

Research process

Databases. In order to perform our research, we selected databases that (1) have a web-based search engine; (2) have a search engine able to use keywords; and (3) contain computer science papers. Our selection includes ACM Digital Library, IEEE Xplore, Scopus, and Springer Link.

Terms and synonyms. Based on the RQ, we used structured terms (shown in Table 1 ) to construct the search string. The terms were chosen to identify and map the whole context of Pentest: terms related to specific attack methods or specific tools are not included, and generic terms are used instead so as to find the largest possible number of related studies on Pentest.

String. We used the logical operator “OR” to join alternate words and synonyms, and the logical operator “AND” to join the terms for population, intervention, and outcome (see Fig. 2 ).

Fig. 2 Search string

Inclusion and exclusion criteria

One of the essential activities during SMS planning is the definition of the inclusion criteria (IC) and exclusion criteria (EC). Such criteria support the selection of the appropriate papers and reduce the number of papers that must be analyzed in full. If a paper matches at least one IC, it is included as a primary study; conversely, if it matches at least one EC, it is excluded. Whenever there was a conflict between an IC and an EC, the researchers involved in this SMS discussed the paper to resolve the conflict. In our SMS, we defined the following IC and EC:

IC1. The primary study discusses one or more tools for Pentest

IC2. The primary study suggests a model, process, framework, or methodology for Pentest

EC1. The primary study is not directly related to Pentest

EC2. The study shows a Pentest methodology but does not provide enough information about its use and application

EC3. The study does not have any kind of evaluation to demonstrate outcomes, e.g., case study, experiment, or proof of correctness

The whole SMS was conducted by two researchers, and papers were included or excluded only after the two reached agreement. One researcher listed all the papers and applied the inclusion and exclusion criteria, and the second researcher independently checked whether each paper should be included or excluded. After a meeting to resolve discrepancies, the final list of papers to be analyzed was produced.

Quality assessment criteria

The purpose of the quality assessment criteria (QA) is to ensure an appropriate evaluation of the studies, as a way to measure the relevance of each of them. The quality assessment criteria are:

QA1. Does the study present a contribution to Pentest?

QA2. Is there any kind of evaluation based on analysis or discussion about the use of the models or tools for Pentest?

QA3. Does the study describe the used tools or models?

For each one of the quality assessment criteria questions, we applied the following score: Y (yes) = 1; P (partly) = 0.5; N (no) = 0. Thereby, the total score (result of QA1 + QA2 + QA3) can result in as follows: 0 or 0.5 (limited), 1 (regular), 1.5 (good), 2 (very good), and 2.5 or 3 (excellent).

In order to grade each paper, the reviewer applies the following criteria:

QA1. Y, the contribution is explicitly defined in the study; P, the contribution is implicit; and N, the contribution cannot be identified and/or it is not established;

QA2. Y, the study has explicitly applied an evaluation (for example, a case study, an experiment, or another); P, the evaluation is a short example; and N, no evaluation has been presented;

QA3. Y, the tools or models are clearly specified; P, the tools or models are barely specified; N, the tools or models were not specified

The quality criteria are applied on each evaluated paper. Besides, these criteria do not consider the details of tools or models described in the selected research papers.

Selection process

Our selection process is divided into six steps, as shown in Fig. 3 :

Step 1. To search databases. Initially, the search strings are generated based on keywords and their synonyms. After that, an initial selection occurs based on the inclusion and exclusion criteria mentioned in the “ Inclusion and exclusion criteria ” section.

Step 2. To eliminate redundancies. As the results come from different search engines, the redundant studies are eliminated and stored.

Step 3. Intermediate selection. The title and the abstract of each selected study are read (introduction and conclusion are also read when it is necessary).

Step 4. Final selection. In this step, all studies are completely read.

Step 5. To eliminate divergences. If there are any divergences or doubts about a study, a second Pentest specialist reads it and discusses whether it should be included in the final selection.

Step 6. Quality assessment. Based on the quality criteria previously mentioned, the quality of the studies in the final selection is evaluated.

Fig. 3 Selection studies process

Data analysis

The collected data was tabulated to:

Identify the tools used on Pentest and their characteristics (RQ1);

Map the main Pentest application domains (RQ2);

Enumerate the studies that have been selected by models or specifications (RQ3);

Gather the studies selected by research type and contribution (RQ4).

Conduction

The SMS conduction is the execution of the search process based on the previously defined string. We conducted the SMS in two periods. The first ended in June 2015, when 1019 papers, published between 2005 and 2015, were retrieved. The second started in August 2016 and finished in October 2016, when 126 papers, published between 2015 and 2016, were retrieved. In total, 1145 papers were retrieved. In this section, we present in detail the steps “Search databases” and “Quality assessment”.

Search databases

The 1145 papers were retrieved by submitting the search string to the four databases mentioned in the “ Research process ” section. After the exclusion of 55 duplicated studies, the title and abstract of the remaining 1090 were read, and 78 that fulfilled one of the inclusion criteria were selected. During the fourth step, all 78 papers were read in full and 5 of them were removed because they had no direct relation to the expected contributions. From the 73 remaining papers, 19 were excluded after the quality assessment step (step 6), leaving 54 primary studies. Table 2 shows the number of remaining primary studies from each database.

Study quality assessment

The inclusion/exclusion criteria, previously mentioned, provide the basis to discuss the applied quality assessment criteria. These criteria help, as the main objective, to evaluate the reliability of the primary studies. Table 3 shows the quality score of the studies. Each study is identified by the column ID, its reference is shown on the column Reference and the year of publication in the column Year. Columns 1, 2, and 3 show the scores from the QA. Column Sc shows the final score for each study, while column Des describes the classification of the study based on the score. As a final result, it is possible to identify that the selected studies are the studies that got at least a score of 1.5.

Result analysis

Classification schemes.

One of the activities of the SMS, i.e., “keywording relevant topics” (see Fig. 1 ), is to decide how the studies will be classified. This activity was executed in two steps: firstly, we read the abstracts of the papers (introduction and conclusion, when necessary) and identified keywords, concepts, and the research context. In the second step, keywords are merged and combined for a more detailed understanding of each selected study. This second step helps the definition of some aspects in the mapping process, where each activity provides the identification of the following aspects: (i) target-scenarios, for example, web applications, web services, network and communication protocols, software and applications, and others; (ii) research type, for example, empirical study, experimental study, industrial experience, opinion papers, proof of concept, and theoretical; (iii) contribution type, for example, tools, frameworks, models, methodologies, strategies, techniques, or approaches; (iv) Pentest methodologies, for example, OSSTMM (Open Source Security Testing Methodology Manual), OWASP Testing Guide, ISSAF (Information Systems Security Assessment Framework), among others. This classification can be seen in Figs. 4 and 5 and the “ Discussion ” section.

Fig. 4 Bubble plot of the distribution of the studies by scenario and by year

Fig. 5 Bubble plot of the distribution of scenarios by research type and contribution

This section presents a qualitative assessment of the literature regarding the research questions. Firstly, Fig. 4 shows a bubble graph with the domain distribution of target scenarios in relation to the publication year, where the bubble size indicates the number of related studies at each intersection of the axes.

Studies are grouped by year, so it is possible to visualize how Pentest has developed in recent years. As can be seen in Fig. 4 , only one study is older than 10 years, and it was not ruled out because it is a primary reference for this SMS. Another characteristic visible in the figure is that Pentest applied to web applications is the theme with the highest frequency in recent years. This shows that web application scenarios are one of the main research topics and that the topic is still active. Nevertheless, other Pentest scenarios remain relevant, e.g., network protocols and services.

The analysis of Fig. 4 is related to research question RQ2. Naturally, these scenarios have a strong influence on the tools that were developed or applied to each context, as mentioned in the selected studies.

Meanwhile, Fig. 5 shows the relationship of the target scenario with the contribution and research type. Hence:

Discussion on methodologies for Pentest: 15 of the selected primary studies present a discussion of methodologies as their main contribution. This encourages discussion of the existing methodologies for applying Pentest, mainly about the depth of knowledge the test requires, since for certain scenarios it is worthwhile to combine more than one model in a single security testing process.

Distribution of the types of research: 37 studies, representing 68.5% of the total, were characterized as empirical studies. This result seems coherent with the way studies in the Pentest area are normally performed, i.e., research papers are applied to a specific area and therefore do not propose general strategies that can be applied to any context.

Threats to validity

The main identified threats that can compromise the validity of our SMS in Pentest are:

Publication bias: refers to the possibility that some papers were not selected or published because their results did not yield the desired outcome, or because the research was conducted on topics that do not fit the usual computing conferences and journals. As we analyzed 1090 distinct papers on Pentest, our SMS was not restricted to a small sample of the available papers, which minimizes the risk that papers missed during the search impact the SMS results.

Primary studies selection bias: usually, the SMS authors cannot guarantee that all relevant primary studies were returned during the search process and during the evaluation. In this sense, the established quality criteria as well as the allocation of scores aim to mitigate that threat.

Unfamiliarity with other fields: a search string was defined based on experience and authors’ knowledge, but we cannot completely avoid the possibility that some terms defined in the search string have synonyms that we have not identified.

Discussion

In this section, we present and discuss the answers to our research questions.

RQ1—what are the main tools used in Pentest?

After analyzing the selected studies, we identified 72 tools that are used in Pentest. Of these, twelve (12) are categorized as static analysis tools. These tools are relevant because they help identify vulnerabilities in code, an important task in the Pentest process.

The Pentest process is divided, basically, into three stages: pre-attack, attack, and post-attack. The three stages comprise five phases, following the hacking process: reconnaissance (pre-attack), scanning (pre-attack), gaining access (attack), maintaining access (attack), and covering tracks (post-attack). Each phase can be briefly described as follows [ 1 ]:

Reconnaissance: Reconnaissance is the process of obtaining essential information about a target organization. In most cases, attackers will find out as much as they can usually by obtaining public information or masquerading as a normal user.

Scanning: In this phase, remotely accessible hosts are mapped. Network scanning can also sometimes reveal the vendor brands of systems being used, as well as identify operating system types and versions. Network scanning helps to determine firewall location, routers in use, and the network’s general structure.

Gaining access: Vulnerabilities exposed during the reconnaissance and scanning phases are exploited to get access to the target system.

Maintaining access: Once the access to a target system was achieved, it is necessary to keep this access for a future exploitation and attack.

Covering tracks: The last phase covers tracks to avoid detection after the hacker has achieved the access.
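The scanning phase is the one most often automated by the tools this study catalogs, and its core is small enough to show end to end: connect to each candidate port, record whether it is open, and read the service banner to identify what is running. The block below is an added example, not code from the paper or from any of the surveyed tools. It uses only full TCP connects (so it needs no raw sockets or root) and, to stay self-contained and offline, it scans two throwaway listeners that it starts itself on 127.0.0.1; the banner strings and the fingerprinting patterns are assumptions for illustration. As the paper stresses about legal implications, a scan like this may only be pointed at hosts the tester is authorized to test.

```python
"""Scanning phase demo: TCP connect scan plus banner grab against local
throwaway listeners. Added example, not code from the paper."""
import socket
import threading
from dataclasses import dataclass


@dataclass
class PortResult:
    port: int
    state: str        # "open" or "closed"
    banner: str = ""


def grab_banner(sock, probe=b"", limit=256):
    """Read whatever the service says first; send `probe` for client-speaks-first
    protocols such as HTTP. Returns "" if the service stays silent."""
    try:
        if probe:
            sock.sendall(probe)
        data = sock.recv(limit)
    except OSError:   # includes socket.timeout
        return ""
    return data.decode("ascii", errors="replace").strip()


def scan_port(host, port, timeout=0.5, probe=b""):
    """Full TCP connect. A refused or timed-out connect is reported as
    'closed' here; a real scanner would distinguish filtered from closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return PortResult(port, "open", grab_banner(s, probe))
    except OSError:   # ConnectionRefusedError and socket.timeout are subclasses
        return PortResult(port, "closed")


def guess_service(banner):
    """Minimal banner fingerprinting; patterns are assumptions for this example."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("220") and "ftp" in b:
        return "ftp"
    if b.startswith("220") and "smtp" in b:
        return "smtp"
    if b.startswith("http/"):
        return "http"
    return "unknown"


def start_fake_service(banner):
    """Constructed stand-in for a real daemon: listens on 127.0.0.1, sends
    `banner` to each client and hangs up. Returns (port, listening_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Scan two fake services and one port nobody listens on; returns
    {label: (state, guessed_service)}."""
    ssh_port, ssh_srv = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    ftp_port, ftp_srv = start_fake_service(b"220 example FTP server ready\r\n")
    spare = socket.socket()           # reserve a free port number, then release it
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    targets = (("ssh", ssh_port), ("ftp", ftp_port), ("closed", closed_port))
    try:
        results = {label: scan_port("127.0.0.1", p) for label, p in targets}
    finally:
        ssh_srv.close()
        ftp_srv.close()
    return {label: (r.state, guess_service(r.banner)) for label, r in results.items()}


if __name__ == "__main__":
    for label, (state, service) in demo().items():
        print(f"{label:7} {state:7} {service}")
```

Banner-based identification is only a first approximation: production scanners send protocol-specific probes and match responses against large signature databases, and a banner can be freely forged by the target, which is why the identification step in the Pentest process is followed by vulnerability verification rather than trusted on its own.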

The other 60 tools are mainly used for vulnerability scanning, and are usually applied in the early stages of a Pentest. Tools for traffic monitoring, and for the intrusion phase, also account for a significant portion of the analyzed studies.

Based on the analyzed papers, we identified the 13 most cited tools. Table 4 presents these main tools used in Pentest, showing for each tool its manufacturer, type of license, category, and the phase of the Pentest in which it is applied.

It is important to mention that detailed information about the tools is not present in most studies. The studies describe the relevant contribution of each tool within specific contexts of the Pentest process. Thus, we had to look for their features and documentation directly on their websites or repositories.

RQ2—what are the target-scenarios in Pentest?

The SMS results show that the Pentest process is applied to several specific target scenarios. These scenarios can be divided into web-based applications and systems [ 13 – 33 ], web services [ 34 – 39 ], network protocols and devices [ 11 , 14 , 40 – 52 ], software and desktop applications [ 53 – 56 ], network game devices [ 57 ], SAML frameworks [ 58 ], physical penetration [ 59 ], operating systems [ 60 ], critical infrastructure [ 61 ], and process control systems [ 62 ]. Figure 4 shows the different target scenarios and how the number of studies varies among them; as mentioned before, most of the studies are related to web-based applications and to network devices and protocols.

RQ3—what are the models of Pentest?

Regarding security testing models, the results obtained in this SMS are classified into methodologies and categories.

The categories describe, based on the taxonomy of the security testing process (see the “ Background ” section), how much the tester knows about the target before the test is executed. The security test models are categorized into white box, gray box, and black box. White box describes a test in which the tester has complete knowledge of the infrastructure to be tested [ 24 , 63 ]. Black box, in contrast, assumes no prior knowledge of the environment; most of the studies, mainly those around vulnerability discovery tools, perform black box tests [ 32 , 34 , 64 ]. Gray box is the middle ground, in which the information about the target is incomplete but not absent. Among the analyzed papers, Avramescu et al. [ 17 ] give an example of a gray-box test.

Analyzing the returned studies, it was possible to identify the following methodologies, frameworks, and security testing models: OSSTMM [ 24 , 28 , 54 , 59 , 61 , 65 ], ISSAF [ 28 , 61 ], PTES (Penetration Testing Execution Standard) [ 24 ], NIST (National Institute of Standards and Technology) Guidelines [ 28 , 61 ], and OWASP Testing Guide [ 24 , 54 , 65 ]. Concerning the classification of the models, there exist three approaches to Pentest [ 1 ]: Exploratory Manual Pentest, Automated Pentest, and Systematic Manual Pentest.

OSSTMM is an international standard methodology for security testing, maintained by ISECOM (Institute for Security and Open Methodologies). The test begins by settings that are established from the scope, representing all possible operational security environment for interaction with any asset. The scope consists of three classes: COMSEC (communications security channel), PHYSSEC (physical security channel), and SPECSEC (spectrum security channel). These classes are divided into five channels before being used by the tester: human, physical, wireless, telecommunications, and data networks. Those channels are used to conduct the test and contain specifications for the security assessment according to the test scenario. There are no indicated tools for the testing process, only information about the tasks to be executed for each channel. Finally, the test ends with the Security Test Audit Report (STAR), which contains data obtained during the activities.

The ISSAF methodology provides a framework able to model the internal control requirements for information security and aims to assess the security of networks, systems, and applications. Its design is structured in three main areas: planning and preparation, evaluation and report, and cleaning and destruction of artifacts. The first area covers the steps required to set the test environment, test tools, contracts and legal aspects, definition of engagement team, deadlines, requirements, and structure of the final reports. The evaluation area is the core of the methodology, where security tests are executed. This phase has other nine main activities, which follow the basic flow of an attack (recognition, invasion, and post-invasion), previously mentioned.

The PTES methodology describes the steps required to accurately test the security state of an environment. Its purpose is not to impose rigid patterns on a penetration test; the community of analysts and security professionals who created it suggests that the guidelines for the security evaluation of an environment should be comprehensible to organizations. The technical guidelines therefore help to define the procedures to follow throughout a Pentest, so that the methodology provides a basic structure to initiate and conduct a security test. The methodology consists of seven phases: pre-engagement interactions, which define the testing scope (goal, target, test type, date, and time); intelligence gathering, which covers the enumeration and scanning of information about the target system; threat modeling, in which attack vectors are analyzed from the information obtained in the previous phases; vulnerability analysis, which detects vulnerabilities in the target system; exploitation, in which the vulnerabilities found are exploited; post-exploitation, which covers tracks and performs further exploitation from the compromised position; and reporting, which produces the final report sent to the customer.

The methodology proposed by NIST (National Institute of Standards and Technology) was initially introduced as the GNST (Guideline on Network Security Testing), published as Special Publication 800-42, and its successor is Special Publication 800-115, “Technical Guide to Information Security Testing and Assessment”. Basically, the structure follows four stages: planning, in which the system is analyzed to find the most interesting test targets; discovery, in which the tester looks for vulnerabilities in the system; attack, in which the tester verifies that the vulnerabilities found can be exploited; and reporting, in which each result of the actions taken in the previous stages is reported. The attack stage also comprises the following activities: gaining access, escalating privileges, system browsing, and installing additional tools.

The OWASP methodology is driven by the idea of making secure software a reality, and therefore its guidelines are directed towards security testing of web applications. In most software development organizations, security concerns are absent from the development process, so the methodology proposes security testing as a means of raising awareness and builds on other OWASP projects, such as the Code Review Guide and the Development Guide. The methodology is divided into three main stages: the introductory stage, which deals with the preconditions for testing web applications and with the testing scope; the intermediate stage, which presents the OWASP Testing Framework with its techniques and tasks related to the different phases of the Software Development Life Cycle; and the conclusive stage, which describes how vulnerabilities are tested by code review and penetration testing.

Based on these descriptions, the methodologies are evaluated against the features described next. Figure 6 compares the methodologies discussed in this SMS.

Fig. 6 Comparison between the models for Pentest

Each feature is classified as follows:

Meet (M): Provides detailed definitions and concepts to deal with that feature in an appropriate manner.

Partly meet (PM): Issues about the feature are mentioned, but without the necessary robustness.

Not meet (NM): The methodology does not mention anything related to the feature.

Coverage. Initially, one of the important criteria for a security test is the scope, i.e., the range of scenarios a test can cover. The OSSTMM [66], ISSAF [67], PTES [68], and NIST [69] methodologies are easily integrated and can be tailored to applications and operating systems, databases, physical security assessments, and web applications. The OWASP Testing Guide [70], however, has a precisely defined focus: web applications and services. In this sense, the coverage of this methodology can represent a limitation.

Flexibility. The possibility of integrating new items and additional directions into the security test from the results obtained in each step or phase of the methodology is an important feature in the current context of security checks. Even if a static definition of the plans and steps to be followed is a prime requirement, the flexibility to include new items makes a methodology more useful. For this feature, the NIST model gives testers greater dynamism throughout the test, since they can reconsider and re-evaluate their artifacts in each activity. In contrast, methodologies such as ISSAF, OSSTMM, and the OWASP Testing Guide, while consolidated and extremely robust, limit such flexibility by prescribing the execution scenarios.

Modeling. By defining in detail the aspects and concepts that guide the testing process, a model may limit flexibility but improves the quality of modeling. These key concepts help the tester to model the entire flow of test actions, in addition to modeling the system and the target environment. This addresses a crucial point for security testing: eliminating possible ambiguity about each subsequent step to be performed. For this feature, the OSSTMM, OWASP Testing Guide, and PTES models meet the requirement, especially in the way they approach the planning stage of their testing process.

Adaptation. Well-defined concepts are important to avoid ambiguities that would otherwise affect adaptation. Moreover, the possibility of adapting models and actions to different environments produces a more complete security test flow. Possible adaptations include, for example, the choice of test type, test plan, or test scope. Among the studied methodologies, OSSTMM is the one that best fulfills this feature, since its process has well-defined activities. The PTES methodology, on the other hand, presents some limitations, since it does not detail how adaptations could be performed.

Planning. The whole set of requirements defined for a security test must be properly planned before test execution starts. Planning is thus the support the methodology gives the tester for the definition phase, the implementation of activities, the prerequisites for continuing and progressing through the test, the choice of tools to be used, and the expected return from each activity within the test. PTES provides this kind of support: it carefully describes all the planning that must be defined and establishes the set of tools to be used in each Pentest activity and how to operate them. OSSTMM and NIST, since they aim to provide great flexibility, do not focus on very detailed planning.

Documentation. Finally, documentation is also a key feature of setting up a Pentest. All studied methodologies specify how the documentation has to be produced. Only PTES does not fully describe how to produce documentation that explains each process and activity in detail; for this reason, it is the only model that does not fully meet this feature.

RQ4—what are the main challenges on Pentest?

In the previous sections, we analyzed the relationships among target scenarios, tools, and models. Based on them, we can draw some initial research challenges on Pentest. One of the main problems discussed in some of the analyzed studies concerns the efficacy of the vulnerability assessment process. Another challenging research area is how to provide models and tools that ensure high security levels for specific target scenarios. These challenges are related to different kinds of problems: for example, the complexity of some attacks, the discovery of new vulnerabilities, and changes in the environments can all change the applicability of Pentest.

Furthermore, automating the execution of Pentest activities can also be considered a challenge. Several of the studies presented in the previous sections discuss or present ways to increase the efficiency and efficacy of Pentest through automation, for example, in the activity of vulnerability discovery. This helps to avoid bias introduced by testers when executing such activities.

The formalization of the methodologies/models disseminated in the security community provides the robustness required for best practices in Pentest. Still, another challenge is precisely related to this: the lack of models that specifically address the Pentest process.

The challenges for Pentest are discussed further in the “Lessons learned and future directions” section.

Lessons learned and future directions

Based on the research questions answered in the previous sections, this section presents some discussion and future directions on target scenarios, models, tools, and the main challenges in Pentest:

Target scenarios: One of the main goals of a security test is to assess the security of resources, devices, controls, or systems across a great diversity of target scenarios. The majority of the studies we found treat the web context as the top priority when testing security; to a lesser extent, the network environment and its protocols are also considered important. However, there is almost no discussion of security testing in scenarios such as cloud computing, mobile devices, or solutions related to the IoT (Internet of Things). Studies on the application of security testing, especially Pentest, in those scenarios therefore offer the possibility of groundbreaking discoveries and improvements.

Models and methodologies: As presented previously, the existing security testing methodologies vary in their characteristics, objectives, and procedures; however, they also have limitations regarding target scenarios, since they are tailored to serve distinct purposes. Therefore, we believe that none of the so-called “standard” methodologies could be used to execute Pentest across the full variety of target scenarios. This can be considered one of the core lessons of this systematic mapping, since it presents an open challenge in the security testing area. Creating a new methodology or strategy that could manage the diversity of target scenarios and the advantages and disadvantages of the existing methodologies points towards a new and interesting path for future studies in security.

Tools and task automation: During the security testing process, several tools are used for each activity, and the tools listed when answering research question 1 (RQ1) are among the most consolidated in the current research context. Those tools have specific purposes in each testing phase, and testers decide when and how to use them according to their preferences. Among the tools, applications that scan for and identify vulnerabilities are the ones most cited in the research papers. Sometimes those tools are not adequate for some of the strategies testers use; hence, studies are needed to verify to what extent such automated tools meet the testers' goals. In this sense, attack graphs are a topic related to automation in Pentest. Sarraute et al. [42] argue that attack graphs have been proposed as a tool to help testers understand the potential weaknesses in the target network, since assessing network security is a complex and difficult activity. Attack graphs are explained in more detail in [71]. According to that review, attack graphs are used to determine whether designated goal states can be reached by attackers attempting to penetrate computer networks from initial starting states. The graphs are made of nodes and arcs representing the attacker's actions (normally exploits, or exploit steps, that take advantage of vulnerabilities) and the changes in the network state caused by these actions. The attacker's goal is typically to obtain restricted privileges on one or more target hosts, and an attack graph must show all possible sequences of attacker actions that lead to the desired level of privilege on the target. Some representations use nodes for network states and arcs for attack actions; others use nodes for both actions and network states, or actions as nodes and network states as arcs [71]. Tools or frameworks that guide the tester in the most insightful way during the entire process are an interesting possibility; future studies could investigate how to better balance the complexity of testing and the comprehension of the results.

Dynamics and test reprocessing: Since a Pentest requires the identified vulnerabilities to be exploited, the test activities may change according to the consequences of that exploitation. This change directly affects the test dynamics and flow, and some decisions during the execution of activities depend on the tester's judgment. Nevertheless, a point not considered in the studies covered by this systematic mapping is the flexibility of security testing applications combined with the reprocessing of stages during the test. In this sense, a continuous evaluation of the executed tasks, in order to establish verification cycles, could increase test efficacy or efficiency and facilitate the enumeration of new attack vectors.
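The attack-graph representation described under “Tools and task automation” and the verification cycle called for under “Dynamics and test reprocessing” can both be illustrated with a small forward search over attacker states. The following is an added example written for this overview, not code from any of the cited studies; the hosts, weaknesses, and action names are hypothetical. It uses the first representation mentioned in [71], nodes as network (attacker) states and arcs as attack actions, and after every state change it re-evaluates which actions are enabled, which is the reprocessing cycle expressed in code.

```python
"""Attack-graph reachability over a constructed three-host network.

Added example (not code from the original paper): nodes are attacker states,
i.e. sets of facts the attacker has established, and arcs are actions whose
preconditions hold in a state and whose postconditions add new facts. The
hosts, weaknesses and action names below are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

State = FrozenSet[str]          # e.g. frozenset({"reach:web", "user@web"})


@dataclass(frozen=True)
class Action:
    name: str
    pre: FrozenSet[str]         # facts required before the action can fire
    post: FrozenSet[str]        # facts gained when the action succeeds


# Constructed scenario: the attacker starts with network reach to "web" only;
# compromising "web" opens the internal segment ("app" and "db").
ACTIONS: List[Action] = [
    Action("exploit web app, shell on web",
           frozenset({"reach:web"}),
           frozenset({"user@web", "reach:app", "reach:db"})),
    Action("local privilege escalation on web",
           frozenset({"user@web"}), frozenset({"root@web"})),
    Action("harvest db admin credential from web config",
           frozenset({"root@web"}), frozenset({"cred:dbadmin"})),
    Action("exploit app service, shell on app",
           frozenset({"reach:app"}), frozenset({"user@app"})),
    Action("log in to db with harvested credential",
           frozenset({"reach:db", "cred:dbadmin"}), frozenset({"root@db"})),
    Action("abuse app-to-db trust relationship",
           frozenset({"user@app", "reach:db"}), frozenset({"root@db"})),
]
INITIAL: State = frozenset({"reach:web"})
GOAL = "root@db"                # privilege the attacker wants on the target

Graph = Dict[State, List[Tuple[Action, State]]]


def build_attack_graph(initial: State, actions: List[Action]) -> Graph:
    """Forward search: from each reachable state, fire every enabled action
    that gains at least one new fact. Because facts are only ever added,
    the state space is finite and the search terminates."""
    graph: Graph = {}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if state in graph:
            continue
        graph[state] = []
        for act in actions:
            if act.pre <= state and not act.post <= state:
                nxt = state | act.post
                graph[state].append((act, nxt))
                queue.append(nxt)
    return graph


def shortest_attack_path(graph: Graph, initial: State, goal: str) -> List[str]:
    """Breadth-first search over the attack graph; returns the action names of
    a fewest-step sequence reaching a state that contains `goal`, or [] if
    the goal is unreachable from `initial`."""
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        state, path = queue.popleft()
        if goal in state:
            return path
        for act, nxt in graph.get(state, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [act.name]))
    return []


def minimal_attack_paths(graph: Graph, initial: State, goal: str) -> List[FrozenSet[str]]:
    """Enumerate every action sequence that first reaches the goal, then keep
    only the minimal action sets: a path that strictly contains another
    path's actions is just that path with detours and is dropped."""
    found: Set[FrozenSet[str]] = set()

    def dfs(state: State, used: FrozenSet[str]) -> None:
        if goal in state:
            found.add(used)
            return
        for act, nxt in graph.get(state, []):
            dfs(nxt, used | {act.name})

    dfs(initial, frozenset())
    minimal = [p for p in found if not any(q < p for q in found)]
    return sorted(minimal, key=lambda p: (len(p), sorted(p)))


if __name__ == "__main__":
    g = build_attack_graph(INITIAL, ACTIONS)
    print(f"{len(g)} reachable attacker states")
    print("shortest path:", " -> ".join(shortest_attack_path(g, INITIAL, GOAL)))
    for p in minimal_attack_paths(g, INITIAL, GOAL):
        print("minimal path:", sorted(p))
```

Running the block reports 11 reachable attacker states, a 3-step shortest path through the app host's trust relationship, and two minimal attack paths. The credential-reuse path is longer but does not depend on the app host being exploitable, which is exactly the kind of alternative a tester wants enumerated systematically rather than found by chance; in a real engagement the fact set would be refilled from discovery results after each exploitation step and the search re-run.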

Removing vulnerabilities: before deployment

Although the main objective of this paper is to find tools and strategies to test for vulnerabilities once an application has been deployed, there has also been a lot of work on removing vulnerabilities from an application before it is deployed, that is, during the design, development, and testing phases of the software development life cycle. Therefore, this section discusses some of the works that seek to remove vulnerabilities using, basically, testing strategies. It is important to mention that the papers in this section were not found through the SMS, since that could be the subject of a completely new paper.

Avgerinos et al. [72] present AEG, a system for automatic exploit generation. The study describes some important contributions and shows how to generate exploits for control-flow hijacking attacks that can be formally modeled. The AEG tool was implemented because source code analysis alone is insufficient and inadequate, and such analysis does not fall into the category of security testing. AEG is designed to work in the bug-finding process and to generate exploits for the bugs found.

Hossen et al. [73] propose an approach for generating test drivers using a crawler that identifies the needed information. The article is directed to the context of model-based testing and model inference, not penetration testing. Other similar publications were also excluded in the first phase of our mapping, through the inclusion and exclusion criteria.

Felderer and Schieferdecker [74] present a taxonomy of risk-based testing that provides a framework to understand, categorize, assess, and compare risk-based testing approaches, supporting their selection and tailoring for specific purposes. The discussion is based on the fact that software testing often has to be performed under severe pressure due to limited resources and a challenging schedule. The taxonomy considers risk in all phases of the test process and consists of the top-level classes risk drivers, risk assessment, and risk-based test process. In general, the authors mention that risk-based testing uses risk re-assessments to steer all phases of the test process, optimizing testing effort and limiting the risks of the software-based system.

Botella et al. [75] introduce an approach guided by risk assessment to perform and automate vulnerability testing for web applications, called risk-based vulnerability testing. It targets security testing and adapts model-based testing techniques, which are currently used mostly for functional features. The paper also mentions that the approach extends model-based vulnerability testing by driving the testing process with security test patterns selected from risk assessment results. In general, the study describes a model used for automated test generation that captures some behavioral aspects of the web application and includes vulnerability test purposes to drive the test generation process.

Doupé et al. [76] discuss a category of tools called “web vulnerability scanners”, responsible for finding security vulnerabilities in web applications. The purpose of the study is to detect vulnerabilities that other scanners miss by inferring a state machine that describes the state changes of the web application. The use of these tools is common in the security testing context, mainly in the pre-attack phase. Several other studies are similar to this work [32], because automating the discovery of vulnerabilities (whether known or not) is a complex and constantly evolving subject. Nonetheless, the authors do not address security testing as such, since the article focuses on the operation of the tools. Regarding the search for vulnerabilities in web applications, the authors only mention static code analysis, which, as noted above, does not fit the discussions of our systematic mapping.

Bouquet et al. [77] discuss systems that are tested by executing a set of selected stimuli and observing whether the behavior conforms to the specification. The paper also states that testing is a strategic activity at the heart of software quality assurance, highlighting that it is today the principal validation activity in industrial contexts for increasing confidence in the quality of systems. They give an overview of test data selection techniques and survey the state of the art in model-based approaches to security testing.

Duchene et al. [78] present KameleonFuzz, a fuzzer for web applications designed for XSS (cross-site scripting) detection. The main idea is based on the concept of “fuzz testing”, which consists in generating and automatically sending malicious inputs in order to trigger a vulnerability. A fuzz test can be categorized as security testing, but with a purpose different from a penetration test, i.e., audit or vulnerability analysis. The topics converge when it comes to identifying vulnerabilities, usually the main objective of security testing.

Godefroid et al. [79] present SAGE (Scalable Automated Guided Execution), developed as an alternative to black-box fuzzing through the definition of white-box fuzzing. White-box fuzzing consists in symbolically executing a program and collecting the constraints on the inputs along the executed path, which are then negated and solved to generate new inputs. The proposal is directly related to security testing (of software) but does not point to Pentest. This kind of solution is a tool that addresses security during application development, rather than a method for assessing the security state of companies and organizations.

McAllister et al. [80] present an automated testing tool to find XSS vulnerabilities in web applications. In this case, the study treats bug detection before deployment, like other works discussed previously. The work discusses XSS attacks and compares the proposed tool against other tools that perform vulnerability scanning in web applications, e.g., Acunetix.

Kals et al. [81] present SecuBat, a generic web vulnerability scanner that automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. The authors also discuss the types of security testing, black box and white box, in relation to the tool's operation. In addition, they analyze the differences between XSS attack types and conduct a case study to validate the work. As in other works discussed here, the contributions of this article relate to security testing of web applications, though not specifically to Pentest.
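The black-box web vulnerability scanners and fuzzers summarized above (Doupé et al., Duchene et al., McAllister et al., and Kals et al.) share one mechanism: send crafted inputs to a parameter and infer a vulnerability from how the response differs from a benign request. The following is an added example written for this overview, not code from any of those papers or tools. It runs against a constructed in-memory “web application” with a deliberately vulnerable search handler and a hardened one, so it works offline; the probe payloads, the error signatures, and the handler interface are illustrative assumptions.

```python
"""Black-box probing for reflected XSS and SQL injection.

Added example (not code from any of the cited papers): a minimal scanner in
the spirit of the web vulnerability scanners and fuzzers discussed above,
run against a constructed in-memory "web application" so it works offline.
The target, payloads and error signatures are illustrative assumptions.
"""
import html
import re
import sqlite3
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                       # (HTTP-like status, body)
Handler = Callable[[Dict[str, str]], Response]   # stands in for an HTTP endpoint


def _make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "lock"), (2, "key"), (3, "safe")])
    return con


_DB = _make_db()


def vulnerable_search(params: Dict[str, str]) -> Response:
    """Deliberately vulnerable: SQL built by string interpolation and the
    search term reflected into HTML without escaping."""
    q = params.get("q", "")
    try:
        rows = _DB.execute(
            f"SELECT name FROM products WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:             # DB error leaks into the page
        return 500, f"<p>Database error: {exc}</p>"
    items = "".join(f"<li>{r[0]}</li>" for r in rows)
    return 200, f"<h1>Results for {q}</h1><ul>{items}</ul>"


def hardened_search(params: Dict[str, str]) -> Response:
    """Same feature with a parameterized query and output encoding."""
    q = params.get("q", "")
    rows = _DB.execute(
        "SELECT name FROM products WHERE name = ?", (q,)).fetchall()
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return 200, f"<h1>Results for {html.escape(q)}</h1><ul>{items}</ul>"


# Probe payloads (constructed). Real scanners carry hundreds of variants.
XSS_PROBE = "<svg/onload=alert(1)>"
SQL_ERROR_RE = re.compile(
    r"(database error|sql syntax|unrecognized token|unterminated|ORA-\d{5})",
    re.IGNORECASE)


def scan(handler: Handler, param: str = "q", baseline: str = "lock") -> List[str]:
    """Send malicious inputs for one parameter and infer vulnerabilities from
    the responses: reflection for XSS, leaked errors and boolean-based
    differential behaviour for SQL injection."""
    findings: List[str] = []

    # Reflected XSS: the probe comes back byte-for-byte, i.e. unencoded.
    _, body = handler({param: XSS_PROBE})
    if XSS_PROBE in body:
        findings.append(f"reflected XSS via '{param}'")

    # Error-based SQLi: a lone quote breaks the statement and the error shows.
    status, body = handler({param: "'"})
    if status >= 500 or SQL_ERROR_RE.search(body):
        findings.append(f"error-based SQL injection via '{param}'")

    # Boolean-based SQLi: a tautology and a contradiction appended to a valid
    # value must return the same results if the input is treated as data.
    n_true = handler({param: f"{baseline}' OR '1'='1"})[1].count("<li>")
    n_false = handler({param: f"{baseline}' AND '1'='2"})[1].count("<li>")
    if n_true != n_false:
        findings.append(f"boolean-based SQL injection via '{param}'")

    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_search))
    print("hardened:  ", scan(hardened_search))
```

Against the vulnerable handler all three checks fire; against the hardened one none do, because the parameterized query treats the tautology as a literal string and the output encoding turns the probe into inert text. The boolean-based check is the one that survives when error messages are suppressed, which is why scanners such as SecuBat do not rely on error leakage alone.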

Huang et al. [82] describe some software testing techniques and suggest mechanisms to apply them to web applications. The authors also discuss the evaluation of inputs that allow fault injection and propose algorithms to perform it. In this case, the security tests are similar to vulnerability assessments that exploit application flaws.

Although there are several other studies related to intrusion detection systems or security testing, e.g., [83, 84], they were not included in our SMS because they were out of the scope of this paper.

The relevance of penetration testing (Pentest) is clear from the research point of view. The subject has been widely targeted by researchers in testing and security, mainly because the number of flaws and vulnerabilities has increased in recent years. This paper focused on mapping the Pentest field, identifying the application scenarios, the usual tools and methodologies in different contexts, the main contributions, and the related challenges.

It was possible to draw some conclusions on how tools and methodologies are used for vulnerability assessment, network scanning, pre-invasion, post-invasion, and web analysis. From that, the results can help testers to define, within their testing scope, which tools or methodologies are indicated for the context or scope they will be applied to (see the “Lessons learned and future directions” section).

Based on the lessons learned, it would be important to have a set of recommendations aimed at improving and/or complementing Pentest. Such recommendations can be based on the existing methodologies; they would address the strengths and limitations of the models and also provide flexible, dynamic choices of activities, steps, and other aspects inherent to a Pentest. Some preliminary results on a new methodology for Pentest that can be applied in different target scenarios are presented in Tramonto [85].

Abbreviations

EC: Exclusion criteria

IC: Inclusion criteria

ISSAF: Information Systems Security Assessment Framework

NIST: National Institute of Standards and Technology

OSSTMM: Open Source Security Testing Methodology Manual

Pentest: Penetration test

PICO: Population, Intervention, Comparison, Outcome

PTES: Penetration Testing Execution Standard

Lam K, LeBlanc D, Smith BI (2004) Assessing network security. Microsoft Press, Redmond.

Kizza JM (2010) Guide to computer network security. Springer, London.

Zhao JJ, Zhao SY, Zhao SY (2010) Opportunities and threats: a security assessment of state e-government websites. Gov Inf Q 27(1): 49–56.

Whitaker A, Newman D (2005) Penetration testing and Cisco network defense. Cisco Press, Indianapolis.

Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modeling intrusion detection system using hybrid intelligent systems. J Netw Comput Appl 30(1): 114–132.

Henry KM (2012) Penetration testing: protecting networks and systems. IT Governance Publishing, UK.

Petersen K, Feldt R, Mujtaba S, Mattsson M (2008) Systematic mapping studies in software engineering In: Proceedings of the 12th International Conference on Evaluation and Assessment in Software Engineering. EASE’08, 68–77. British Computer Society, Swinton.

Mirjalili M, Nowroozi A, Alidoosti M (2014) A survey on web penetration test. Adv Comput Sci Int J 3(6): 107–121.

Al-Ghamdi ASA-M (2013) A survey on software security testing techniques. Int J Comput Sci Telecommun 4: 14–18.

Bishop M (2007) About penetration testing. IEEE Secur Priv 5(6): 84–87.

Geer D, Harthorne J (2002) Penetration testing: a duet In: Proceedings of the 18th Annual Computer Security Applications Conference, 185–195. IEEE.

Kitchenham B, Charters S (2007) Technical report title: Guidelines for performing Systematic Literature Reviews in Software Engineering, EBSE 2007-001. Keele University and Durham University Joint Report.

Austin A, Holmgreen C, Williams L (2013) A comparison of the efficiency and effectiveness of vulnerability discovery techniques. Inf Softw Technol 55(7): 1279–1288.

Khoury N, Zavarsky P, Lindskog D, Ruhl R (2011) An analysis of black-box web application security scanners against stored sql injection In: IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), 1095–1101. IEEE.

Xu D, Tu M, Sanford M, Thomas L, Woodraska D, Xu W (2012) Automated security test generation with formal threat models. IEEE Trans Dependable Secure Comput 9(4): 526–540.

Fong E, Gaucher R, Okun V, Black PE, Dalci E (2008) Building a test suite for web application scanners In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences, 478–478. IEEE.

Avramescu G, Bucicoiu M, Rosner D, Tapus N (2013) Guidelines for discovering and improving application security In: Proceedings of the 2013 19th International Conference on Control Systems and Computer Science. CSCS ’13, 560–565. IEEE Computer Society, Washington.

Walden J (2008) Integrating web application security into the IT curriculum In: Proceedings of the 9th ACM SIGITE Conference on Information Technology Education SIGITE ’08, 187–192. ACM, New York.

Mink M, Freiling FC (2006) Is attack better than defense? teaching information security the right way In: Proceedings of the 3rd Annual Conference on Information Security Curriculum Development. InfoSecCD ’06, 44–48. ACM, New York.

Armando A, Carbone R, Compagna L, Li K, Pellegrino G (2010) Model-checking driven security testing of web-based applications In: Third International Conference on Software Testing, Verification, and Validation Workshops (ICSTW), 361–370. IEEE.

Garn B, Kapsalis I, Simos DE, Winkler S (2014) On the applicability of combinatorial testing to web application security testing: a case study In: Proceedings of the 2014 Workshop on Joining AcadeMiA and Industry Contributions to Test Automation and Model-Based Testing. JAMAICA 2014, 16–21. ACM, New York.

Salas MIP, Martins E (2014) Security testing methodology for vulnerabilities detection of XSS in web services and WS-security. Electron Notes Theor Comput Sci 302: 133–154.

Büchler M, Oudinet J, Pretschner A (2012) Semi-automatic security testing of web applications from a secure model In: IEEE Sixth International Conference on Software Security and Reliability (SERE), 253–262. IEEE.

Liu B, Shi L, Cai Z, Li M (2012) Software vulnerability discovery techniques: a survey In: Proceedings of the 2012 Fourth International Conference on Multimedia Information Networking and Security. MINES ’12, 152–156. IEEE Computer Society, Washington.

Igure VM, Williams RD (2008) Taxonomies of attacks and vulnerabilities in computer systems. IEEE Commun Surv Tutorials 10(1): 6–19.

Leibolt G (2010) The complex world of corporate CyberForensics investigations. Humana Press, New York.

Fonseca J, Vieira M, Madeira H (2010) The web attacker perspective—a field study In: ISSRE ’10 Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering, 299–308. IEEE.

Prandini M, Ramilli M (2010) Towards a practical and effective security testing methodology In: ISCC ’10 Proceedings of the IEEE Symposium on Computers and Communications, 320–325. IEEE. doi: 10.1109/ISCC.2010.5546813.

Badawy MA, El-Fishawy N, Elshakankiry O (2013) Vulnerability scanners capabilities for detecting windows missed patches: comparative study In: Advances in Security of Information and Communication Networks: First International Conference, SecNet 2013, Cairo, Egypt, September 3-5, 2013. Proceedings, 185–195. Springer, Berlin. doi: 10.1007/978-3-642-40597-6_16.

Curphey M, Arawo R (2006) Web application security assessment tools. IEEE Secur Priv 4(4): 32–41. doi: 10.1109/MSP.2006.108.

Huang YW, Lee DT (2005) Web application security—past, present, and future In: Computer Security in the 21st Century, 183–227. Springer, Boston. doi: 10.1007/0-387-24006-3_12.

Doupé A, Cova M, Vigna G (2010) Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners In: Proceedings of the 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA’10, 111–131. Springer, Berlin.

Awang NF, Manaf AA (2015) Automated security testing framework for detecting SQL injection vulnerability in web application. In: Jahankhani H, Carlile A, Akhgar B, Taal A, Hessami AG, Hosseinian-Far A (eds). Springer, Cham.

Antunes N, Vieira M (2015) Assessing and comparing vulnerability detection tools for web services: benchmarking approach and examples. IEEE Trans Serv Comput 8(2): 269–283.

Mendes N, Durães J, Madeira H (2011) Benchmarking the security of web serving systems based on known vulnerabilities In: 5th Latin-American Symposium on Dependable Computing, LADC 2011, 25-29 April 2011, 55–64. IEEE, São José Dos Campos.

Antunes N, Laranjeiro N, Vieira M, Madeira H (2009) Effective detection of SQL/XPath injection vulnerabilities in web services In: IEEE International Conference on Services Computing, 2009. SCC ’09, 260–267. IEEE.

Mainka C, Somorovsky J, Schwenk J (2012) Penetration testing tool for web services security In: SERVICES ’12 Proceedings of the 2012 IEEE Eighth World Congress on Services, 163–170. IEEE.

Antunes N, Vieira M (2016) Designing vulnerability testing tools for web services: approach, components, and tools. Int J Inf Secur: 1–23. http://link.springer.com/article/10.1007/s10207-016-0334-0.

Benkhelifa E, Welsh T (2013) Security testing in the cloud by means of ethical worm In: 2013 IEEE Globecom Workshops (GC Wkshps), 500–505. IEEE.

Hsu Y, Shu G, Lee D (2008) A model-based approach to security flaw detection of network protocol implementations In: IEEE International Conference on Network Protocols, 2008. ICNP 2008, 114–123. IEEE.

Bechtsoudis A, Sklavos N (2012) Aiming at higher network security through extensive penetration tests. IEEE Lat Am Trans 10(3): 1752–1756.

Sarraute C, Richarte G, Lucángeli Obes J (2011) An algorithm to find optimal attack paths in nondeterministic scenarios In: Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence. AISec ’11, 71–80. ACM, New York.

Shen L, Liang X, Bo Y, Xia C (2011) Automatic generation for penetration testing scheme analysis model for network In: ICCIS ’11 Proceedings of the 2011 International Conference on Computational and Information Sciences, 821–826. IEEE.

Bou-Harb E, Debbabi M, Assi C (2014) Cyber scanning: a comprehensive survey. IEEE Commun Surv Tutorials 16(3): 1496–1519.

Kasinathan P, Pastrone C, Spirito MA, Vinkovits M (2013) Denial-of-service detection in 6LoWPAN based Internet of Things In: IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), 600–607. IEEE.

Xing B, Gao L, Zhang J, Sun D (2010) Design and implementation of an XML-based penetration testing system In: International Symposium on Intelligence Information Processing and Trusted Computing (IPTC), 224–229. IEEE.

McLaughlin S, Podkuiko D, Miadzvezhanka S, Delozier A, McDaniel P (2010) Multi-vendor penetration testing in the advanced metering infrastructure In: Proceedings of the 26th Annual Computer Security Applications Conference. ACSAC ’10, 107–116. ACM, New York.

Traore MD, Jin H, Zou D, Qiang W, Xiang G (2011) Rapn: Network attack prediction using ranking access petri net In: Sixth Annual Chinagrid Conference (ChinaGrid), 108–115. IEEE.

Jajodia S, Noel S, O’Berry B (2005) Topological analysis of network attack vulnerability In: Managing cyber threats: issues, approaches, and challenges, 247–266. Springer, Boston.

Blackwell C (2014) Towards a penetration testing framework using attack patterns In: Cyberpatterns: unifying design patterns with security and attack patterns, 135–148. Springer, Cham. doi: 10.1007/978-3-319-04447-7_11.

Vegendla A, Søgaard TM, Sindre G (2016) Extending HARM to make test cases for penetration testing. In: Krogstie J, Mouratidis H, Su J (eds). Springer, Cham.

Masood R, Um-e-Ghazia, Anwar Z (2011) SWAM: Stuxnet worm analysis in metasploit In: 2011 Frontiers of Information Technology, FIT 2011, Pakistan, December 19-21, 2011, 142–147. IEEE, Islamabad.

Holm H, Sommestad T, Almroth J, Persson M (2011) A quantitative evaluation of vulnerability scanning. Inf Manag Comput Secur 19(4): 231–247.

Holik F, Horalek J, Marik O, Neradova S, Zitta S (2014) Effective penetration testing with metasploit framework and methodologies In: IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI), 237–242. IEEE.

Tondel IA, Jaatun MG, Jensen J (2008) Learning from software security testing In: IEEE International Conference on Software Testing Verification and Validation Workshop, 2008. ICSTW ’08, 286–294. IEEE.

Sandouka H, Cullen AJ, Mann I (2009) Social engineering detection using neural networks In: Proceedings of the 2009 International Conference on CyberWorlds. CW ’09, 273–278. IEEE Computer Society, Washington.

Ridgewell WW, Kumar V, Kinshuk (2013) Immersive and authentic learning environments to mitigate security vulnerabilities in networked game devices In: Proceedings of the 2013 International Conference on Signal-Image Technology & Internet-Based Systems. SITIS ’13, 1042–1048. IEEE Computer Society, Washington.

Somorovsky J, Mayer A, Schwenk J, Kampmann M, Jensen M (2012) On breaking SAML: be whoever you want to be In: Proceedings of the 21st USENIX Conference on Security Symposium. Security’12, 21–21.. USENIX Association, Berkeley.

Dimkov T, van Cleeff A, Pieters W, Hartel P (2010) Two methodologies for physical penetration testing using social engineering In: Proceedings of the 26th Annual Computer Security Applications Conference. ACSAC ’10, 399–408.. ACM, New York, doi: 10.1145/1920261.1920319 .

Stepien B, Peyton L, Xiong P (2012) Using TTCN-3 as a modeling language for web penetration testing In: IEEE International Conference on Industrial Technology (ICIT), 674–681.. IEEE, doi: 10.1109/ICIT.2012.6210016 .

Caselli M, Kargl F (2016) A security assessment methodology for critical infrastructures(Panayiotou CG, Ellinas G, Kyriakides E, Polycarpou MM, eds.). Springer, Cham.

Line MB, Jaatun MG, Cheah ZB, Faruk ABMO, Garnes HH, Wedum P (2008) Penetration testing of OPC as part of process control systems In: Ubiquitous Intelligence and Computing: 5th International Conference, UIC 2008, Oslo, Norway, June 23-25, 2008 Proceedings, 271–283.. Springer, Berlin.

Dahl OM, Wolthusen SD (2006) Modeling and execution of complex attack scenarios using interval timed colored petri nets In: Proceedings of the Fourth IEEE International Workshop on Information Assurance. IWIA ’06, 157–168.. IEEE Computer Society, Washington.

Khoury N, Zavarsky P, Lindskog D, Ruhl R (2011) Testing and assessing web vulnerability scanners for persistent SQL injection attacks In: Proceedings of the First International Workshop on Security and Privacy Preserving in e-Societies. SeceS ’11, 12–18.. ACM, New York.

Williams GP (2012) Cost effective assessment of the infrastructure security posture In: 7th IET International Conference on System Safety, incorporating the Cyber Security Conference, 1–6.. IET.

Hertzog P (2010) OSSTMM—Open Source Security Testing Methodology Manual. Institute for Security and Open Methodologies (ISECOM), Barcelona. http://www.isecom.org/osstmm .

ISSAF (2006) Information Systems Security Assessment Framework Open Information Systems Security Group. OISSG.

PTES (2012) Penetration testing execution standard. http://www.pentest-standard.org .

Stouffer K, Falco J, Scarfone K (2008) NIST SP 800-115: technical guide to information security testing and assessment. National Institute of Standards and Technology, Maryland.

Meucci M, Muller A (2014) OWASP testing guide V.4. 4th edn. OWASP Foundation, USA.

(2005) An annotated review of past papers on attack graphs, ESC-TR-2005-054. Massachusetts Institute of Technology - Lincoln Laboratory.

Avgerinos T, Cha SK, Rebert A, Schwartz EJ, Woo M, Brumley D (2014) Automatic exploit generation. Commun ACM 57(2): 74–84.

Hossen K, Groz R, Oriat C, Richier JL (2013) Automatic generation of test drivers for model inference of web applications In: Softw Testing Verification Validation Workshop IEEE Int Conf, 441–444, doi: 10.1109/ICSTW.2013.57 .

Felderer M, Schieferdecker I (2014) A taxonomy of risk-based testing. Int J Softw Tools Technol Transfer 16(5): 559–568.

Botella J, Legeard B, Peureux F, Vernotte A (2014) Risk-based vulnerability testing using security test patterns(Margaria T, Steffen B, eds.). Springer, Berlin.

Doupé A, Cavedon L, Kruegel C, Vigna G (2012) Enemy of the state: a state-aware black-box web vulnerability scanner In: Proceedings of the 21st USENIX Conference on Security Symposium. Security’12, 26–26.. USENIX Association, Berkeley.

Bouquet F, Peureux F, Ambert F (2014) Model-based testing for functional and security test generation(Aldini A, Lopez J, Martinelli F, eds.). Springer, Cham.

Duchene F, Rawat S, Richier JL, Groz R (2014) Kameleonfuzz: evolutionary fuzzing for black-box XSS detection In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy. CODASPY ’14, 37–48.. ACM, New York,.

Godefroid P, Levin MY, Molnar D (2012) Sage: whitebox fuzzing for security testing. Queue 10(1): 20–202027.

McAllister S, Kirda E, Kruegel C (2008) Leveraging user interactions for in-depth testing of web applications(Lippmann R, Kirda E, Trachtenberg A, eds.). Springer, Berlin.

Kals S, Kirda E, Kruegel C, Jovanovic N (2006) Secubat: a web vulnerability scanner In: Proceedings of the 15th International Conference on World Wide Web. WWW ’06, 247–256.. ACM, New York,.

Huang YW, Huang SK, Lin TP, Tsai CH (2003) Web application security assessment by fault injection and behavior monitoring In: Proceedings of the 12th International Conference on World Wide Web. WWW ’03, 148–159.. ACM, New York.

Sekar R (2009) An efficient black-box technique for defeating web application attacks In: Network and Distributed System Security Symposium (NDSS).. The Internet Society, Geneva.

Milenkoski A, Payne BD, Antunes N, Vieira M, Kounev S, Avritzer A, Luft M (2015) Evaluation of intrusion detection systems in virtualized environments using attack injection(Bos H, Monrose F, Blanc G, eds.). Springer, Cham.

Bertoglio DD, Zorzo AF (2016) Tramonto: Uma estratégia de recomendações para testes de penetração In: XVI Simpósio Brasileiro de 1315 Segurançã da Informação e Sistemas Computacionais (SBSeg 2016).. SBC, Porto Alegre.

Download references

Acknowledgements

The authors thank the support from Hewlett Packard Enterprise. We also thank the anonymous reviewers for their comments and suggestions.

Authors’ contributions

DDB performed all activities of the proposed SMS and the study analysis. AFZ executed the planning, selection, and revision activities of the SMS. Both authors drafted, read, and approved the final manuscript.

Competing interests

The authors declare that they have no competing interests.

Author information

Authors and affiliations

Pontifical Catholic University of RS (PUCRS), Porto Alegre, Brazil

Daniel Dalalana Bertoglio & Avelino Francisco Zorzo


Corresponding author

Correspondence to Daniel Dalalana Bertoglio.

Rights and permissions

Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.


About this article

Cite this article

Dalalana Bertoglio, D., Zorzo, A. Overview and open issues on penetration test. J Braz Comput Soc 23, 2 (2017). https://doi.org/10.1186/s13173-017-0051-1


Received: 20 June 2016

Accepted: 25 January 2017

Published: 06 February 2017

DOI: https://doi.org/10.1186/s13173-017-0051-1


  • Security testing


Title: Autonomous penetration testing using reinforcement learning

Abstract: Penetration testing (pentesting) involves performing a controlled attack on a computer system in order to assess its security. Although an effective method for testing security, pentesting requires highly skilled practitioners, and currently there is a growing shortage of skilled cyber security professionals. One avenue for alleviating this problem is to automate the pentesting process using artificial intelligence techniques. Current approaches to automated pentesting have relied on model-based planning; however, the cyber security landscape is rapidly changing, making maintaining up-to-date models of exploits a challenge. This project investigated the application of model-free Reinforcement Learning (RL) to automated pentesting. Model-free RL has the key advantage over model-based planning of not requiring a model of the environment, instead learning the best policy through interaction with the environment. We first designed and built a fast, low-compute simulator for training and testing autonomous pentesting agents. We did this by framing pentesting as a Markov Decision Process, with the known configuration of the network as states, the available scans and exploits as actions, and the reward determined by the value of machines on the network. We then used this simulator to investigate the application of model-free RL to pentesting. We tested the standard Q-learning algorithm using both tabular and neural network based implementations. We found that within the simulated environment both tabular and neural network implementations were able to find optimal attack paths for a range of different network topologies and sizes without having a model of action behaviour. However, the implemented algorithms were only practical for smaller networks and numbers of actions. Further work is needed in developing scalable RL algorithms and testing these algorithms in larger and higher fidelity environments.
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Machine Learning (cs.LG)


  • DOI: 10.4225/75/57B69C4ED938D
  • Corpus ID: 53398167

Selection of penetration testing methodologies: A comparison and evaluation

  • Aleatha Shanley, Michael N. Johnstone
  • Published 2015
  • Computer Science



A survey on web application penetration testing


1. Introduction

  • Highlight the most common vulnerabilities and threats targeting web applications.
  • Review and analyze the literature on web penetration testing and its associated methods.
  • Describe the recent mitigation techniques to defend against web application threats.
  • Review the available tools for conducting web penetration tests and make comparisons between them.
  • Provide recommendations for individuals and businesses on how to decide which tool is the best for performing web penetration tests.

Penetration Testing

Article outline:

2. Methodology
3. Literature Review
4. Web App Vulnerabilities
4.1. The Evolution of Web App Vulnerabilities
4.2. Top 10 Security Threats for the Web Environment
4.2.1. Broken Access Control
4.2.2. Cryptographic Failure
4.2.3. Injection
4.2.4. Insecure Design
4.2.5. Security Misconfiguration
4.2.6. Vulnerable and Outdated Components
4.2.7. Identification and Authentication Failures
4.2.8. Software and Data Integrity Failures
4.2.9. Security Logging and Monitoring Failures
4.2.10. Server-Side Request Forgery (SSRF)
4.3. Web Vulnerabilities Mitigation Techniques
4.3.1. Protection against SQL Injection Attacks
4.3.2. Protection against Broken Authentication and Session Hijacking Attacks
4.3.3. Protection against XSS Attacks
4.3.4. Protection against Insecure Direct Object References and Missing Function-Level Access Control
4.3.5. Protection against Sensitive Data Exposure
4.3.6. Protection against CSRF Attacks
4.3.7. Protection against Unvalidated Redirects and Forwards
5. Web Penetration Test
5.1. Web Penetration Testing Tools
5.2. Overview of Penetration Testing Tools
5.2.1. Netsparker
5.2.2. Acunetix
5.2.3. Vega
5.2.4. OWASP ZAP
5.2.5. Wapiti
5.2.6. IronWASP
5.2.7. w3af
6. Discussion and Future Research
7. Conclusions
8. Managerial Implications
9. Practical/Social Implications
Author Contributions
Acknowledgments
Conflicts of Interest

  • Mirjalili, M.; Nowroozi, A.; Alidoosti, M. A survey on a web penetration test. Adv. Comput. Sci. Int. J. 2014, 3, 117–121.
  • Kam, H.J.; Pauli, J.J. Work in progress: web penetration testing: Effectiveness of student learning in Web application security. In Proceedings of the 2011 Frontiers in Education Conference (FIE), Rapid City, SD, USA, 12–15 October 2011; p. F3G-1.
  • Mukhopadhyay, I.; Goswami, S.; Mandal, E. Web penetration testing using Nessus and Metasploit tool. IOSR J. Comput. Eng. 2014, 16, 126–129.
  • Baykara, M. Investigation and comparison of web application vulnerabilities test tools. Int. J. Comput. Sci. Mob. Comput. (IJCSMC) 2018, 7, 197–212.
  • Wibowo, R.M.; Sulaksono, A. Web vulnerability through cross site scripting (XSS) detection with OWASP Security Shepherd. Indones. J. Inf. Syst. 2021, 3, 149–159.
  • Abu-Dabaseh, F.; Alshammari, E. Automated penetration testing: An overview. In Proceedings of the 4th International Conference on Natural Language Computing, Copenhagen, Denmark, 28–29 April 2018; pp. 121–129.
  • Fredj, O.B.; Cheikhrouhou, O.; Krichen, M.; Hamam, H.; Derhab, A. An OWASP top ten driven survey on web application protection methods. In Risks and Security of Internet and Systems, Proceedings of the 15th International Conference, CRiSIS 2020, Paris, France, 4–6 November 2020; Springer: Cham, Switzerland, 2021; pp. 235–252.
  • Wardana, W.; Almaarif, A.; Widjajarto, A. Vulnerability assessment and penetration testing on the xyz website using NIST 800-115 standard. J. Ilm. Indones. 2022, 7, 520–529.
  • Nagendran, K.; Adithyan, A.; Chethana, R.; Camillus, P.; Varshini, K.B.S. Web application penetration testing. IJITEE 2019, 8, 1029–1035.
  • Auricchio, N.; Cappuccio, A.; Caturano, F.; Perrone, G.; Romano, S.P. An automated approach to web offensive security. Comput. Commun. 2022, 195, 248–261.
  • Alanda, A.; Satria, D.; Ardhana, M.; Dahlan, A.A.; Mooduto, H.A. Web application penetration testing using SQL Injection attack. JOIV Int. J. Inform. Vis. 2021, 5, 320–326.
  • Alhassan, J.K.; Misra, S.; Umar, A.; Maskeliūnas, R.; Damaševičius, R.; Adewumi, A. A fuzzy classifier-based penetration testing for web applications. In Advances in Intelligent Systems and Computing, Proceedings of the International Conference on Information Technology & Systems (ICITS 2018), Libertad City, Ecuador, 10–12 January 2018; Springer: Cham, Switzerland, 2018; pp. 95–104.
  • Hasan, A.; Meva, D. Web application safety by penetration testing. Int. J. Adv. Stud. Sci. Res. 2018, 3, 159–163.
  • Albahar, M.; Alansari, D.; Jurcut, A. An empirical comparison of pen-testing tools for detecting web app vulnerabilities. Electronics 2022, 11, 2991.
  • Ablahd, A.Z. Using Python to detect web application vulnerability. resmilitaris 2023, 13, 1045–1058.
  • Pareek, K. A study of web application penetration testing. IJITE 2019, 7, 1776–2321.
  • Sołtysik-Piorunkiewicz, A.; Krysiak, M. The cyber threats analysis for web applications security in industry 4.0. In Recent Advances in Computational Optimization; Springer Science and Business Media LLC: Cham, Switzerland, 2020; pp. 127–141.
  • Alenezi, M.; Agrawal, A.; Kumar, R.; Khan, R.A. Evaluating performance of web application security through a fuzzy based hybrid multi-criteria decision-making approach: Design tactics perspective. IEEE Access 2020, 8, 25543–25556.
  • Qi, L.; Meng, S.; Zhang, X.; Wang, R.; Xu, X.; Zhou, Z.; Dou, W. An exception handling approach for privacy-preserving service recommendation failure in a cloud environment. Sensors 2018, 18, 2037.
  • Gupta, R. An innovative security strategy using reactive web application honeypot. arXiv 2020, arXiv:2115.04773.
  • Priyawati, D.; Rokhmah, S.; Utomo, I.C. Website vulnerability testing and analysis of website application using OWASP. Int. J. Comput. Inf. Syst. (IJCIS) 2022, 3, 142–147.
  • Willberg, M. Web Application Security Testing with OWASP Top 10 Frameworks. Bachelor's Thesis, Turku University of Applied Sciences, Turku, Finland, 2019.
  • Lauinger, T.; Chaabane, A.; Arshad, S.; Robertson, W.; Wilson, C.; Kirda, E. Thou shalt not depend on me: Analysing the use of outdated JavaScript libraries on the web. arXiv 2017, arXiv:1811.00918.
  • Shahriar, H.; Zulkernine, M. Information-theoretic detection of SQL injection attacks. In Proceedings of the 2012 IEEE 14th International Symposium on High-Assurance Systems Engineering, Omaha, NE, USA, 25–27 October 2012; pp. 40–47.
  • Mnif, A.; Cheikhrouhou, O.; Ben Jemaa, M. An ID-based user authentication scheme for wireless sensor networks using ECC. In Proceedings of the ICM 2011 Proceeding, Hammamet, Tunisia, 19–22 December 2011; pp. 1–9.
  • Moosa, A. Artificial neural network-based web application firewall for SQL injection. Int. J. Comput. Inf. Eng. 2011, 4, 611–6120.
  • Mamadhan, S.; Manesh, T.; Paul, V. SQLStor: Blockage of stored procedure SQL injection attack using dynamic query structure validation. In Proceedings of the 2012 12th International Conference on Intelligent Systems Design and Applications (ISDA), Kochi, India, 27–29 November 2012; pp. 240–245.
  • Halfond, W.; Orso, A.; Manolios, P. WASP: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Trans. Softw. Eng. 2008, 34, 65–81.
  • De Ryck, P.; Desmet, L.; Piessens, F.; Johns, M. Primer on Client-Side Web Security; Springer: Cham, Switzerland, 2014.
  • Nikiforakis, N.; Kapravelos, A.; Joosen, W.; Kruegel, C.; Piessens, F.; Vigna, G. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 541–555.
  • Adida, B. Sessionlock: Securing web sessions against eavesdropping. In Proceedings of the 17th International Conference on World Wide Web, Beijing, China, 21–25 April 2008; pp. 517–524.
  • Dacosta, I.; Chakradeo, S.; Ahamad, M.; Traynor, P. One-time cookies: Preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. (TOIT) 2012, 12, 1–24.
  • Johns, M.; Braun, B.; Schrank, M.; Posegga, J. Reliable protection against session fixation attacks. In Proceedings of the SAC 2012 ACM Symposium on Applied Computing, Trento, Italy, 26–30 March 2012; pp. 1531–1537.
  • Kallin, J.; Valbuena, I.L. Excess XSS: A Comprehensive Tutorial on Cross-Site Scripting. 2016. Available online: https://excess-xss.com (accessed on 1 February 2023).
  • Wurzinger, P.; Platzer, C.; Ludl, C.; Kirda, E.; Kruegel, C. SWAP: Mitigating XSS attacks using a reverse proxy. In Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, Vancouver, BC, Canada, 19 May 2009; pp. 33–311.
  • Shahriar, H.; North, S.; Chen, W.C.; Mawangi, E. Design and development of Anti-XSS proxy. In Proceedings of the 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013), London, UK, 9–12 December 2013; pp. 4114–41111.
  • Ferraiolo, D.; Cugini, J.; Kuhn, D.R. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Application Conference, New Orleans, LA, USA, 11–15 December 1995; pp. 241–248.
  • Park, J.S.; Sandhu, R.; Ghanta, S. RBAC on the Web by Secure Cookies. In Research Advances in Database and Information Systems Security; Springer: Boston, MA, USA; pp. 411–462.
  • Ardagna, C.A.; Vimercati, S.D.C.D.; Paraboschi, S.; Pedrini, E.; Samarati, P.; Verdicchio, M. Expressive and deployable access control in open web service applications. IEEE Trans. Serv. Comput. 2010, 4, 96–109.
  • Doshi, J.; Bhushan, T. Sensitive data exposure prevention using dynamic database security policy. Int. J. Comput. Appl. 2014, 106, 18600–19869.
  • Kiernan, J.; Agrawal, R.; Haas, P.J. Watermarking relational data: Framework, algorithms and analysis. VLDB J. 2003, 12, 157–169.
  • Pasha Deshmukh, A.; Qureshi, R. Transparent data encryption: Solution for security of database contents. arXiv 2013, arXiv:1303.
  • Jovanovic, N.; Kirda, E.; Kruegel, C. Preventing cross site request forgery attacks. In Proceedings of the 2006 Securecomm and Workshops, Baltimore, MD, USA, 28 August 2006–1 September 2006; pp. 1–10.
  • Scott, D.; Sharp, R. Specifying and enforcing application-level web security policies. IEEE Trans. Knowl. Data Eng. 2003, 15, 771–783.
  • Google. Overview. Safe Browsing APIs (v4). Available online: https://developers.google.com/safe-browsing/v4/ (accessed on 20 December 2022).
  • Cao, Y.; Han, W.; Le, Y. Anti-phishing based on automated individual white-list. In Proceedings of the 4th ACM Workshop on Digital Identity Management, Alexandria, VA, USA, 31 October 2008; pp. 51–60.
  • Joshi, C.; Singh, U.K. Performance evaluation of web application security scanners for more effective defense. Int. J. Sci. Res. Publ. (IJSRP) 2016, 6, 660–667.
  • Elisa, N. Usability, accessibility and web security assessment of e-government websites in Tanzania. Int. J. Comput. Appl. 2017, 164, 42–48.
  • Tundis, A.; Mazurczyk, W.; Mühlhäuser, M. A review of network vulnerabilities scanning tools: Types, capabilities, and functions. In Proceedings of the 13th International Conference on Availability, Reliability, and Security, Hamburg, Germany, 27–30 August 2018; pp. 1–10.
  • Bennetts, S. OWASP Zed Attack Proxy; AppSec USA: San Francisco, CA, USA, 2013.
  • Alsaleh, M.; Alomar, N.; Alshreef, M.; Alarifi, A.; Al-Salman, A. Performance-based comparative assessment of open source web vulnerability scanners. Secur. Commun. Netw. 2017, 2017, 1–14.
  • Amankwah, R.; Chen, J.; Kudjo, P.K.; Towey, D. An empirical comparison of commercial and open-source web vulnerability scanners. Softw. Pract. Exp. 2020, 50, 1842–1857.


Table: Manual versus automated penetration testing

| Criteria | Manual Penetration Testing | Automated Penetration Testing |
|---|---|---|
| Testing process | The process is manual, non-standard, and capital intensive; expensive to customize. | Easy to use, provides clear, actionable reports, and eliminates errors and tedious manual tasks. |
| Network modification | Results in numerous system modifications. | There is no change in the systems. |
| Exploit development and management | Maintaining an exploit database is time-consuming and requires considerable expertise. To achieve cross-platform functionality, it is necessary to rewrite and port code. | All exploits are developed and maintained by the product vendor. For maximum effectiveness, exploits are continuously updated. These exploits have been professionally developed and thoroughly tested, and they are safe to use. Various platforms and attack vectors are used in the development of exploits. |
| Reporting | Needs significant effort to record and collate all results manually. It also requires all reports to be manually generated. | Reports can be customized and include comprehensive histories and findings. |
| Clean-up | Every time a vulnerability is discovered, the tester must manually undo the changes. | Clean-up solutions are offered by automated testing products. |
| Logging/auditing | The process is slow, cumbersome, and often inaccurate. | All activities are automatically recorded. |
| Training | Testing methods that are not standardized and ad hoc must be learned by testers. | Testing with automated tools is easier than testing manually. |
Table: Inclusion and exclusion criteria for the literature review

| Inclusion Criteria | Exclusion Criteria |
|---|---|
| Papers describing cybersecurity threats or penetration testing tools in the web environment | Papers that do not address risks or penetration testing tools |
| Papers published between January 2018 and December 2022 | Papers that are not written in English |
| Papers published in academic journals or conference papers | Papers that are not available online |
| Author | Publication Year | Pen Test Type | Suggested Technique | Advantages | Limitations |
|---|---|---|---|---|---|
| Mirjalili et al. [ ] | 2014 | Automated | Automated penetration testing framework with two major components: (1) an operational unit called an executor that conducts attacks; (2) a control unit called an orchestrator that orchestrates attacks across consecutive stages. | The distributed hacking framework provides scalability, a distributed nature, and ease of use, and is an invaluable resource for users looking to enhance their cybersecurity. | Suffers from process synchronization, resource management, fault tolerance, and error recovery. |
| Fredj et al. [ ] | 2018 | Automated | A proactive approach was taken covering the top 10 OWASP projects. A variety of security controls and best practices for managing web application security risks were also provided. | The report outlined the current threat landscape, highlighted the OWASP Top 10 security risks, and discussed risk mitigation measures that organizations can take to better protect their web applications; it emphasized the need to implement automated security scans that can detect vulnerabilities in web applications. | No limitation was found. |
| Wibowo et al. [ ] | 2021 | Integrated (automated and manual) | An integrated approach for OWASP Security Shepherd based on a combination of secure coding practices, automated tools, and manual code reviews. | OWASP Security Shepherd provides (1) an effective solution for protecting web applications from XSS attacks; (2) an intuitive interface and features such as easy-to-use reports, real-time monitoring, and support for multiple programming languages. This makes it possible for developers to quickly identify and address potential vulnerabilities in their web applications, thereby improving the overall security of their online assets. | The present web application firewalls only offer basic protection rules that do not consider advancements in the sector. The authors wanted to build a lightweight and adaptable web application firewall in the future as part of their ongoing development. |
| Muhammet et al. [ ] | 2021 | Manual | Manual online vulnerability test programs based on available free and paid technologies for identifying security flaws in online applications are important because the languages used by web-based systems may cause certain inherent risks to security. | By utilizing multiple vulnerability testing programs, organizations can ensure that their applications remain secure against malicious attackers. In addition, organizations should ensure that the security measures they use are up to date, since newer technologies may be more accurate in detecting security flaws. | The results indicated that the technologies used to detect security flaws were not always reliable and, in some cases, failed to identify any potential vulnerabilities. This underscores the importance of using multiple layers of security measures, since a single vulnerability test program may not be sufficient to identify all potential security issues. |
| Wardana et al. [ ] | 2022 | Manual | Manual penetration testing on published websites following certain standards with four primary stages: | The testing demonstrated the need for an improvement in security measures to prevent potential malicious actors from exploiting vulnerabilities. In conclusion, the penetration testing revealed that while security measures were already in place, they needed to be strengthened and utilized more effectively. | To improve the security of the websites, other measures could have been implemented, such as using firewalls and intrusion detection systems. These security measures could have provided more robust protection against potential attacks and alerted the organization to any malicious activity occurring on their websites. |
| Nagendran et al. [ ] | 2019 | Manual | Manual web application penetration testing with the following five phases: | An in-depth explanation was provided for how to perform a manual penetration test on web applications. | Performing manual penetration tests requires a great deal of expertise in working with HTTP requests and responses. |
| Auricchio et al. [ ] | 2022 | Automated | Developed an orchestration-based approach to web application penetration testing called hacking goals. | An automated framework was presented for penetration testing. Since the proposed framework is flexible enough to accommodate different attack models, it can be easily customized for different domains. | No limitations were found. |
| Alanda et al. [ ] | 2021 | Automated and manual | Implemented the black-box method to test web applications for vulnerabilities using OWASP's most common attack, SQL injection. | Various web applications were examined in terms of their penetration methods and SQL injection impact. A detailed explanation of SQL injection, and how to prevent it, was provided. | The conclusion is short and does not include future work. |
| Alhassan et al. [ ] | 2018 | Automated | Proposed an FCVAPT model using an intelligent learning scheme called a fuzzy classifier. | The proposed model is extremely effective in detecting vulnerabilities and identifying web application threats/risks. | Details were limited about how to implement the proposed model. |
| Hasan et al. [ ] | 2018 | Automated and manual | Used VAPT to secure a web application. | Security defects can be identified very effectively with VAPT. | The mentioned tools that can be helpful during VAPT processes need to be compared. |
| Albahar et al. [ ] | 2022 | Automated and manual | To enhance the effectiveness of web penetration testers and penetration testers in real life, a benchmarking framework was proposed incorporating the latest benchmarking and evaluation research. | A comprehensive framework is offered with all the necessary features for pen testers. | Benchmarking should be applied to other tools, and the framework should be extended to include more new metrics. |
| Ablahd [ ] | 2023 | Automated | A system was proposed that detects web application vulnerabilities using Python 3.7 to identify injection flaws such as command execution and cross-site scripting. | The proposed scanner is easy to use (in each web application) and flexible when it comes to updating. | The authors needed to adapt the scanner to detect other types of web vulnerabilities. |
| Pareek [ ] | 2019 | Automated | Five web application penetration testing tools were presented, namely Astra's Pentest, NMAP, Wireshark, Metasploit, and Burp Suite. | It explains the types, phases, and tools of web penetration testing. | There is not enough discussion about the tools and how to select the optimal one. |
| Web Vulnerability | Attack tool |
|---|---|
| Carriage return and line feed (CRLF) injection | CRLF-Injection scanner |
| Components with known vulnerabilities | Vulners API |
| Cross-origin resource sharing (CORS) policy | CORScanner |
| Cross-site scripting (XSS) | XSSMap |
| Injection flaw | Custom |
| Directory traversal | LFISuite |
| HTTP response splitting | Custom |
| HTTP verb tampering | nmap HTTP-methods script |
| Improper certificate validation | MassBleed |
| Insufficient transport layer protection | Custom |
| Lightweight directory access protocol (LDAP) injection | Custom |
| Operating system (OS) command injection | Commix |
| Remote file inclusion (RFI) | Fimap |
| SQL injection | SQLmap |
| XML external entities (XXE) | Custom |
| Tool | Technology | Platform | Interface | Online or offline | Vulnerabilities | Usability | Cost |
|---|---|---|---|---|---|---|---|
| Netsparker | PHP, Java | Web | Command line interface | Online | Identifies vulnerabilities such as Heartbleed SSL in web applications. | Setup and use are extremely simple. | Request a quote from Sales |
| Acunetix | Java | Uses web browsers to run independently of the operating system | GUI | Online | More than 4500 vulnerabilities | Easy to use and intuitive. | Request a quote from Sales |
| Vega | Java | Linux, OS X, and Windows | GUI | Online | Identifies vulnerabilities such as reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file inclusion, shell injection, and more. | Easy to use. | Free |
| Wapiti | Python | Unix/Linux, FreeBSD, Mac OS, OSX, Windows | GUI | Online | More than 23 vulnerabilities | Easy and fast activation and deactivation of attack modules. | Free |
| OWASP ZAP | Java | Linux, Mac OS, OSX, Windows | GUI | Online | Examines the web application for issues linked to SQL injection, authentication failure, exposed sensitive info, compromised access control, security misconfiguration, XSS, insecure deserialization, and components that have known flaws. | Easy to use and report vulnerabilities. | Free |
| IronWASP | Python and Ruby | Linux, Mac OS, OSX, Windows | Both GUI and command line interfaces | Online | More than 25 web vulnerabilities | Beginners may utilize it, since it is extremely simple to use. | Free |
| W3af | Python | Linux, Mac OS, OSX, Windows | Both GUI and command line interfaces | Online | Identifies vulnerabilities such as SQL injection, cross-site scripting, guessable credentials, unhandled application problems, and PHP misconfigurations. | Fairly simple to install, and the automatic SVN updates will assist both users and writers in resolving problems rapidly. | Free |
Share and Cite

Altulaihan, E.A.; Alismail, A.; Frikha, M. A Survey on Web Application Penetration Testing. Electronics 2023 , 12 , 1229. https://doi.org/10.3390/electronics12051229

Penetration Testing: Recently Published Documents

Effects of Cone Penetrometer Testing on Shallow Hydrogeology at a Contaminated Site

Penetration testing is a popular and instantaneous technique for subsurface mapping, contaminant tracking, and the determination of soil characteristics. While the small footprint and reproducibility of cone penetrometer testing makes it an ideal method for in-situ subsurface investigations at contaminated sites, the effects to local shallow groundwater wells and measurable influence on monitoring networks common at contaminated sites is unknown. Physical and geochemical parameters associated with cone penetrometer testing were measured from a transect of shallow groundwater monitoring wells adjacent to penetrometer testing. For wells screened above the depth of cone refusal, the physical advancement and retraction of the cone had a significant effect (p < 0.01) on water level for several pushes within 10 meters of a monitoring well, and a measured increase in specific conductivity. No effect on geochemistry or water level was observed in continuous monitoring data from wells screened below the depth of cone refusal, but variability in specific conductivity from these wells during penetration testing was only a fraction of the natural variation measured during precipitation events. Continuous measurements of specific conductivity and water level demonstrated that the effects of penetration testing have limited spatial and temporal distributions with a null effect post-testing.

Analysis and Evaluation of Wireless Network Security with the Penetration Testing Execution Standard (PTES)

The use of computer networks in an agency aims to facilitate communication and data transfer between devices. The network can be implemented using wireless media or LAN cable. At SMP XYZ, most of the computers still use wireless networks. Based on the findings in the field, it was found that no user management was in place. Therefore, an analysis and audit of the network security system is needed to ensure that the network security system at SMP XYZ is safe and running well. In conducting this analysis, a tool is needed to serve as a benchmark for determining the security of the wireless network. The tool used is the Penetration Testing Execution Standard (PTES), one of the frameworks that has become a standard for analyzing or auditing network security systems in a company, in this case wireless network security systems. After conducting an analysis based on this standard, there are still many security holes in the SMP XYZ wireless network that allow outsiders to gain illegal access; vulnerabilities were found in terms of WPA2 cracking, DoS, wireless router password cracking, and access point isolation, so it can be said that network security at SMP XYZ is still not safe.

COMPARISON OF WPA2 EAP AND PSK AUTHENTICATION SYSTEMS ON WIRELESS NETWORKS USING THE PENETRATION TESTING METHOD WITH FLUXION TOOLS

A wireless network is a collection of electronic devices that connect with one another using the air, that is, radio frequencies, as the path for data traffic. Nowadays, many users employ WPA2-PSK or WPA2-EAP as the security system of their wireless network, with the aim of keeping out people who access it without permission. This research uses the wireless penetration testing technique with Fluxion tools, comparing and analyzing the WPA2 authentication security system with EAP and PSK on a wireless network, with the aim of learning the vulnerabilities of that network security system. To carry out the penetration testing, the authors refer to the "Wireless Network Penetration Testing Methodology," which consists of intelligence gathering, vulnerability analysis, threat modelling, password cracking, and reporting. This research concludes that WPA2-PSK is less safe to use, because in that penetration test WPA2-PSK was successfully broken into while the SSID was unhidden, whereas for WPA2-EAP the creation of a web interface succeeded but obtaining information such as the username and password did not. If the WPA2-PSK SSID is hidden, the attack fails, so each of the two security systems has its own advantages and disadvantages depending on the user's needs.

Vulnerability Assessment and Penetration Testing On The Xyz Website Using Nist 800-115 Standard

Currently the website has become an effective communication tool. However, it is essential to perform vulnerability assessment and penetration testing using specific standards on websites released to the public in order to secure information. The problems addressed in this research are conducting vulnerability testing on the XYZ website to analyze its security gaps, as well as conducting penetration testing on the high-severity vulnerabilities found. Testing was conducted using the NIST 800-115 standard through four main stages: planning, discovery, attack, and report. Several tools were used: Nmap, OWASP ZAP, Burp Suite, and FoxyProxy. The results of this research are presented and analyzed. Seven vulnerabilities were found: one high-level vulnerability, two medium-level vulnerabilities, and four low-level vulnerabilities. At the high level, SQL Injection was found; at the medium level, Cross-Domain Misconfiguration and vulnerabilities were found; at the low level, Absence of Anti-CSRF Tokens, Incomplete or No Cache-control and Pragma HTTP Header Set, Server Leaks Information via "X-Powered-By" HTTP Response Header Field, and X-Content-Type-Options Header Missing were found.
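As an added example for the four low-level findings this abstract lists (not code from the paper or from OWASP ZAP), the following Python checker parses a raw HTTP response and reports a missing X-Content-Type-Options header, an X-Powered-By leak, incomplete Cache-Control/Pragma headers on a sensitive page, and POST forms without an anti-CSRF token. The pass criteria are this example's own approximation of those checks, and the two sample responses are constructed.

```python
"""Header and form checks for the low-severity findings named in the abstract.

Added example for this page; not code from the paper or from OWASP ZAP.
The pass/fail criteria are this example's own approximation of those checks,
and the sample responses below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    detail: str


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased; repeated headers are joined with ', '
    so a duplicated Cache-Control line is still evaluated as one value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers, body


def _form_has_csrf_token(form_html: str) -> bool:
    """True if the form carries a hidden input whose name looks like a token."""
    for tag in re.findall(r"<input\b[^>]*>", form_html, re.I):
        attrs = {k.lower(): v for k, v in
                 re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("type", "").lower() == "hidden" and \
                re.search(r"csrf|token", attrs.get("name", ""), re.I):
            return True
    return False


def check_response(raw: str, sensitive: bool = False) -> list[Finding]:
    """Return the findings for one response.

    `sensitive` marks pages (login, account data) where the cache-control
    rule applies; that check is skipped for public static content.
    """
    _status, headers, body = parse_response(raw)
    findings: list[Finding] = []

    # 1. Without nosniff a browser may MIME-sniff a response into a script.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options Header Missing",
                                "add 'X-Content-Type-Options: nosniff'"))

    # 2. X-Powered-By advertises the framework (and often its version).
    if "x-powered-by" in headers:
        findings.append(Finding("Server Leaks Information via X-Powered-By",
                                f"remove header (currently {headers['x-powered-by']!r})"))

    # 3. Sensitive pages must not be stored by browser or proxy caches.
    if sensitive:
        directives = {d.strip().lower()
                      for d in headers.get("cache-control", "").split(",")}
        pragma_ok = headers.get("pragma", "").lower() == "no-cache"
        if not {"no-cache", "no-store"} <= directives or not pragma_ok:
            findings.append(Finding(
                "Incomplete or No Cache-control and Pragma HTTP Header Set",
                "set 'Cache-Control: no-cache, no-store, must-revalidate' "
                "and 'Pragma: no-cache'"))

    # 4. Every state-changing (POST) form needs a hidden anti-CSRF token.
    for attrs, inner in re.findall(r"<form\b([^>]*)>(.*?)</form>", body,
                                   re.I | re.S):
        if re.search(r'method\s*=\s*["\']?post', attrs, re.I) \
                and not _form_has_csrf_token(inner):
            action = re.search(r'action\s*=\s*["\']([^"\']*)["\']', attrs, re.I)
            findings.append(Finding(
                "Absence of Anti-CSRF Tokens",
                f"form posting to {action.group(1) if action else '(unknown)'}"))
    return findings


# Constructed sample: a login page as a misconfigured server might return it.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
    "<html><body><form method='post' action='/login'>"
    "<input type='text' name='user'><input type='password' name='pass'>"
    "</form></body></html>"
)

# Constructed sample: the same page after the four findings are fixed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html><body><form method='post' action='/login'>"
    "<input type='hidden' name='csrf_token' value='EXAMPLE-TOKEN'>"
    "<input type='text' name='user'><input type='password' name='pass'>"
    "</form></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_response(raw, sensitive=True)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  - {f.name}: {f.detail}")
```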

Efficacy of Unconventional Penetration Testing Practices

Research on network security technology of industrial control system.

The relationship between industrial control systems and the Internet is becoming ever closer, and their network security has attracted much attention. Penetration testing is an active network intrusion detection technology that plays an indispensable role in protecting the security of the system. This paper mainly introduces the principle of penetration testing, summarizes the current cutting-edge penetration testing technology, and looks forward to its development.

Weak Password Scanning System for Penetration Testing

Mobile security and penetration testing.

This document offers data on mobile security exploitation penetration testing. Compared to desktop computers, the expansion of mobile devices has been tremendous in recent years. Mobile devices are integrated into people's daily activities. Mobile applications have become a part of our daily lives, so that virtually every internet or desktop application can be executed from a smartphone, e.g., social networking, online banking, gaming applications and many others. This document also covers different types of mobile security threats, types of penetration testing, phases of penetration testing, principles of testing and a security risk assessment model. Due to the expansion of mobile devices nowadays, attackers have vast scope to steal sensitive information or to perform other kinds of attacks on these devices. The main purpose is to know the vulnerabilities and the techniques customarily used to find vulnerabilities in mobile applications. In the paper we have studied different kinds of security risks concerning mobile devices and mobile applications, and various defensive mechanisms to stop these security risks on mobile devices.

Architecture and Model of Neural Network Based Service for Choice of the Penetration Testing Tools

During penetration testing of web applications, different tools are actively used to relieve the tester from repeating monotonous operations. The difficulty of the choice lies in the fact that there are tools with similar functionality, and it is hard to define which tool is best to choose for a particular case. In this paper, a solution to the problem of making a choice is proposed by creating a web service that uses a neural network on the server side. The neural network is trained on data obtained from experts in the field of penetration testing. A trained neural network will be able to select tools in accordance with specified requirements. Examples of the operation of a neural network trained on a small sample of data are shown. The effect of the number of neural network learning epochs on the results is shown. An example of input data is given in which the neural network could not select a tool due to insufficient training data. The advantages of the method are the simplicity of implementation (the number of lines of code is used as a metric) and the possibility of using opinions about tools from various experts. The disadvantages include the search for training data, the need for experimental selection of the neural network's parameters, and the possibility of situations where the neural network will not be able to select a tool that meets the specified requirements.

Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP

Web Application Safety by Penetration Testing

International Journal of Advanced Studies of Scientific Research, Volume 3, Issue 9, 2018

5 Pages Posted: 2 Feb 2019

Ashikali Hasan

Marwadi University

Divyakant Meva

Date Written: 2018

By taking advantage of vulnerabilities, cyber criminals are easily able to steal confidential data from ICT systems, resulting in heavy losses. Vulnerability assessment and penetration testing (VAPT) is a special approach to eliminating various security threats from web applications. Focusing on high-risk vulnerabilities such as SQL Injection, Cross Site Scripting, Local File Inclusion and Remote File Inclusion, in this paper we have surveyed the literature to study the general mechanics of the VAPT process and to gather tools which can be useful during the VAPT process.

Keywords: Component, Vulnerability Assessment and Penetration Testing, Web Application Security Testing, SQL Injection, Cross Site Scripting, Local File Inclusion, Remote File Inclusion

What Is Penetration Testing? Definition & Best Practices

Juliana Kenny

Published: Aug 13, 2024, 7:15am

As large businesses continue to invest massive resources in cybersecurity, small to midsized businesses (SMBs) are increasingly the favored target for hackers, according to the FBI's Internet Crime Complaint Center. What would a cyberattack on your SMB look like?

The only way to find out—and prepare accordingly—is to have someone hack you. Thanks to a cybersecurity forensics technique called penetration testing, you can pay experts to simulate what would happen if your SMB were the target of a sophisticated hacking attempt.

Penetration testing—or pen testing—is a sanctioned simulation of cyberattacks organized by a business in order to identify vulnerabilities and potential exploits in their computer systems, networks, IT infrastructure and other assets.

Businesses can hire reputable third-party companies that employ professionals skilled in ethical hacking to carry out the test. Pen testers use many of the same tools and techniques as malicious hackers, and they help a business build security strategies based on the results of the test.

Pen tests usually include a vulnerability assessment to expose security weaknesses using manual or automated means. While vulnerability assessments can be implemented as independent exercises, pen tests rely on a vulnerability assessment in order to pinpoint holes in security that are then exploited using the pen test.

A vulnerability assessment is akin to someone identifying potential entry points to a house such as unlocked windows and doors. A penetration test would then use those unlocked entry points to break into the house and see how much damage can be done or what can be stolen without being caught.

The most obvious benefit of pen testing is uncovering weaknesses in security so a business can plan and budget for appropriate action to keep operations running and sensitive data safe. As your business changes and grows, you may unknowingly expose your systems to new vulnerabilities or new tactics devised by hackers. Regular pen testing provides your team with up-to-date insights into your security shortcomings, enabling you to update your strategies to prevent cyberattacks and/or mitigate damages if you are hacked.

There are other benefits to regular pen testing that might not be so obvious.

  • Compliance with security and privacy standards: Depending on the amount of sensitive data your business stores, you may be required to meet certain privacy and security standards as well as some government-mandated regulations. If you process or store credit card information, for example, you are obligated to abide by the Payment Card Industry Data Security Standard (PCI DSS) or be met with monetary fines. Performing regular pen tests can inform you if your business currently meets these and other standards, preparing you for future audits and preventing surprise fees or penalties for noncompliance.
  • Protecting your business’s reputation and customer data: While this benefit is the result of a well-rounded security strategy in general, pen testing can earn confidence from your client base and prevent a public relations fallout as a result of sensitive client or partner data falling into the wrong hands.
  • Unbiased perspective on infrastructure: Hiring third-party experts comes with the added advantage of having fresh eyes evaluate the inner workings of your systems, which could lead to new and interesting ways to improve them.
  • Reduced premiums for liability insurance: Some cyber insurance agencies reward businesses that pen test regularly with discounts on insurance premiums.

Penetration testing entails a series of steps such as establishing rules of engagement and an attack profile. It also involves seven different phases.

Rules of Engagement

At the outset of a pen test, rules of engagement (ROE) need to be established for the testers to outline the scope and goals of the test. ROE are also helpful to provide parameters if certain systems are to be labeled as off limits. ROE documents serve as statements of work and are legally binding contracts to be signed before testing begins.

Attack Profile

In order to simulate different styles of attacks under different circumstances, organizations will give testers varying degrees of information regarding the environment they will be testing. This provision or omission of information is referred to as the attack profile, which comes in three forms.

  • White-box pen testing: Testers are given full knowledge of the environment. This test simulates an attack that might come from experienced insiders and can also be used as a follow-up to other types of pen testing.
  • Gray-box pen testing: Testers are only provided with partial knowledge of the environment. This test simulates an attacker who might have some insider knowledge but still needs to do some reconnaissance to mount an effective attack.
  • Black-box pen testing: Testers have no knowledge of the environment. This test is a good simulation of an external attack, and testers rely solely on reconnaissance to gain information for their attacks.

Pen testing is both cooperative and adversarial, requiring testers to work alongside as well as against the business they are hired by. The business will usually include members of their cybersecurity team in the test—if they have any—to act as the “defense” in order to respond to the threats created by the testers. Everyone involved is separated into teams that are usually denoted by color rather than “attacker” and “defender” to maintain the spirit of collaboration.

  • Red team: This team is attacking and behaves according to the attack profile and the goals and parameters set in the ROE.
  • Blue team: This team is the defense, with the objective of protecting the environment and preventing the red team from reaching its goals.
  • White team: This team acts as referees—answering questions, making sure everyone is acting within the parameters set in the ROE and halting the exercise completely if necessary.
  • Purple team: More of a methodology than an actual team, a purple team forms when the red and blue teams come together to discuss the progress of the pen test. The purple team helps the test feel less contentious and can also provide the blue team with education on defense techniques.

A commonly used standard for pen testing is known as the Penetration Testing Execution Standard (PTES), which is divided into seven phases. Some of the phases form a loop that continues until the exercise is complete.

Phase 1: Pre-Engagement

In pre-engagement, the client collaborates with the pen tester to define the ROE and customize the test to best meet their needs. This phase ends when contracts are signed and the testers have a statement of work.

Phase 2: Intelligence Gathering

In this phase, testers gather and/or are provided intelligence about the target depending on the type of tests being run. For gray- and white-box tests, this phase includes reviewing information provided about the environment. In black- and gray-box tests, testers must use passive and active reconnaissance techniques to gather as much intel as possible.

Phase 3: Threat Modeling

Once intelligence is gathered and reviewed, testers use their acquired knowledge to pick their target. Before moving forward, testers need to consider:

  • The value of the potential target
  • The difficulty of attacking the target
  • How to best simulate the capabilities of the potential hacker

Phase 4: Vulnerability Assessment

The red team now searches for vulnerabilities in the target(s) chosen in phase three using the intel gathered from phase two.

Phase 5: Exploitation

The red team uses various hacking tools and techniques—sometimes developing entirely new maneuvers—in an attempt to exploit the vulnerabilities discovered in phase four.

Phase 6: Post-Exploitation

If exploitation is achieved, testers attempt a number of activities in order to achieve goals the client set in the ROE.

  • Obtaining persistence: Maintaining access despite the initial attack vector closing
  • Cleanup: Attempting to remove all traces of the exploit occurring
  • Pivoting: Also known as a “lateral movement,” the red team uses the access gained in phase five to try to repeat phases two to six (for example, compromising an employee’s computer and using the credentials within to pivot to a web server they didn’t originally have access to)
  • Privilege escalation: Further exploiting certain vulnerabilities in an attempt to increase access privileges in the environment

Phase 7: Reporting

Pen testers diligently log everything they do throughout the exercise to eventually create a report that is delivered to the client. The report would contain every vulnerability, the tools used, recommendations and information regarding failed goals—essentially any information that could prove useful to the client to help improve their security.

Depending on the goals set by the client, pen testers can implement different types of penetration tests to expose and exploit vulnerabilities in various aspects of the client’s systems.

  • Web application pen testing: Used primarily to identify vulnerabilities in web services, web apps and websites, this method of pen testing is important because web apps and services are constantly changing and updating. Exposed components, such as firewalls, DNS servers and routers, are also tested.
  • Wireless pen testing: Wireless technology is pretty much everywhere, making this a valuable and common testing method. Wireless pen tests attempt to expose security gaps in wireless access points and seek out vulnerabilities such as Bluetooth exploits, authentication attacks, weak encryption and malicious wireless devices.
  • Social engineering pen testing: Testers will attempt to trick employees into compromising their organization’s security using tactics such as phishing or baiting and other scams. This test can expose how susceptible employees are to these attacks and drive companies to better educate their teams on best security practices such as not opening mysterious emails or clicking dodgy-looking links.
  • Network infrastructure pen testing: Network pen testing focuses on internal or external network infrastructure. Internal network pen tests can attempt to evade next-generation intrusion prevention systems (NGIPS). External network pen tests attempt to bypass perimeter protection such as a next-generation firewall (NGFW). Other network attacks include intercepting network traffic, exploiting network services and testing routers.

While no doubt advantageous, pen testing does come with some downsides.

Regular Pen Testing Can Be Expensive

Large businesses have the pockets to invest in pen testing as necessary, but SMBs might shy away from it because of cost. On the low end, businesses can expect to spend around $5,000 on a pen test, according to cybersecurity provider Packetlabs. On the higher end, businesses can spend up to and above $100,000 on frequent and thorough pen testing.

SMBs with smaller budgets should consider investing in pen testing when the cost of potential data breach losses exceeds IT infrastructure maintenance figures.

Results of Pen Tests Are Proportional to Their Scope

Businesses that are able to invest larger amounts of money in pen testing can afford tests that are more comprehensive in scope, which may be necessary depending on the size and complexity of the business. However, for SMBs, it’s often unclear what constitutes overspending or underspending on pen tests. You don’t want to waste resources, but you also don’t want to underspend and create a false sense of security from a test that was too small in its breadth.

Pen Testing Requires Third Parties To Handle Sensitive Data

On one hand, having a third party expose and exploit your security weaknesses makes sense because they are not seeing your business’s systems through familiar and biased eyes. On the other hand, there is a large amount of trust involved in allowing a third party to learn the inner workings of your cybersecurity protocols. Be sure to thoroughly vet potential pen testing organizations to ensure they are reputable and have a history of successful services.

Pen testing can seem like a complicated and intimidating process to begin, but by following a few best practices, you can simplify each step and ensure you get the most out of your test.

1. Establish Scope, Goals and Budget

The easiest way to begin your pen test journey is to establish your objectives for the pen test as well as how much you can afford to invest. In this step, you will inevitably decide the scope of the test, as it is directly related to how much money you’re willing to spend.

2. Find Your Experts and Choose a Methodology

Now that you know your budget and goals, you can decide which organization will be implementing the pen test. Always go with reputable companies with a history of successful work. You can then share your goals with your pen tester to help establish what kinds of methods will be used in the test.

3. Prepare for the Test

Before beginning testing, be sure to restore the testing environment as close to its original state as possible. Identify and prepare teams that will be reviewing the test report and grant authorizations where appropriate.

4. Establish Monitoring Solutions

In order to get the best results and not waste your investment, you will need to have monitoring solutions in place before the pen test begins. Use logging to provide insights on how the test is affecting your system. Establish risk management processes that look for potential breaches of contract and cover for tests that go wrong.

5. Prioritize Your Results

Once your test is complete, work with your security leaders and pen testers to create a priority list for vulnerabilities that were discovered. Some vulnerabilities will require immediate action. Important questions to ask in this stage are:

  • How will fixing this vulnerability affect operations?
  • What happens if we don’t fix it?
  • If we don’t fix it, can we mitigate damages if an exploit occurs?

6. Review and Remediate

With your vulnerabilities prioritized, now is the time to take action. Assign a dedicated task force to manage vulnerabilities and work with your security team to identify the root cause of them. Once your vulnerabilities have been fixed, re-evaluate your security measures to ensure any and all vulnerabilities have been dealt with.

While not every business will have the budget for it, pen testing is a vital standard in proving the defense capabilities of a given system. Pen tests provide businesses with valuable intelligence on how to increase security measures while maintaining compliance.

How much of my system can pen testers access?

Pen testers will behave according to the ROE set by the client and will be contractually obligated not to operate outside of these parameters. As such, they can only access what the client has allowed them to.

What is the difference between security testing and penetration testing?

Security testing is a broad assessment of the effectiveness of an organization’s security protocols and controls—ensuring risk mitigation, compliance and adherence to best practices. Penetration testing identifies vulnerabilities in a given system through simulated attacks and actively attempts to exploit them.

Who performs penetration testing?

Penetration tests can be conducted by either in-house cybersecurity teams or third-party organizations that specialize in ethical hacking.


Since 2010, Juliana has been a professional writer in the technology and small business worlds. She has both journalism and copywriting experience and is exceptional at distilling complex concepts into compelling stories. She has written for technology giants, including Oracle, Hitachi Vantara and Comcast, and she specializes in cybersecurity and cloud topics.

New sensor can detect cholesterol and glucose from skin


A new, non-invasive method may do away with the need to draw blood for testing blood glucose and cholesterol levels.

Researchers from the National University of Singapore (NUS) and the Agency for Science, Technology and Research (A*Star) have developed a stretchable, hydrogel-based sensor that can detect such biomarkers in a solid state on the skin.

The technology could be used in wearables for purposes such as chronic disease management and remote patient monitoring.

The team’s findings were published in the scientific journal Nature Materials in June.

While traditional methods of monitoring biomarkers in fluids such as blood, urine and sweat are effective, they come with hurdles that can impede the early diagnosis and treatment of diseases.

Blood tests, for example, can be invasive and inconvenient, while sweat can be difficult to induce in inactive people.


The researchers noted that such challenges do not apply to solid-state epidermal biomarkers – which include cholesterol and lactate – that are found in the stratum corneum, the outermost layer of the skin.

Such biomarkers have shown strong correlations with diseases such as cardiovascular disease and diabetes. Outside of some scattered literature, these correlations have been overlooked for decades, said Assistant Professor Liu Yuxin from the NUS Institute for Health Innovation & Technology.

Prof Liu, who is one of the leads for the study, said solid electrodes placed on the skin, used in conventional monitors, do not allow for the electrochemical sensing of these biomarkers.

Instead of electrodes, the sensor developed by the researchers uses hydrogels, which dissolve and diffuse solid-state epidermal biomarkers that then undergo electrochemical reactions catalysed by enzymes.

This results in the transfer of electrons to an electronically conductive hydrogel, which can then be read by a flexible printed circuit board connected to the sensor.

The circuit board is able to wirelessly transmit the relevant physiological data to a user, who can use the data to monitor a patient’s health.

Dr Yang Le, principal scientist and head of the sensors and flexible electronics department at the A*Star Institute of Materials Research and Engineering, said the sensor is possibly the first such device that is able to monitor biomarkers on dry skin.

“The stretchable design enhances comfort and accuracy as well, by adapting to our skin’s natural elasticity. This innovation can change the way we approach health and lifestyle monitoring, particularly for those living with chronic conditions requiring constant health monitoring,” said Dr Yang, who is the study’s other lead.

Clinical studies showed that the sensor found “strong correlations” between biomarkers on the skin and those in blood samples, positing that it could act as an alternative to blood tests for monitoring chronic diseases such as diabetes and cardiovascular conditions.

It is also able to detect solid-state lactate and cholesterol, even at very low levels.

High levels of lactate, also known as lactic acid, can be indicative of a number of diseases, such as pulmonary or circulatory disorders, and liver disease.

One possible application of the technology is as a replacement for the pregnancy diabetic test, said Prof Liu.

The test for gestational diabetes – which affects about one in five pregnant women in Singapore – is offered to all women who are between 24 weeks and 28 weeks of pregnancy here.

“Rather than subject pregnant women to multiple blood draws, our sensor could be used to track real-time sugar levels conveniently in patients’ homes, with a similar level of accuracy as traditional tests. This also can be applied to diabetes in general, replacing the need for regular finger-prick tests,” Prof Liu said.

Dr Yang identified the daily monitoring of heart health as another possible use of the innovation.

“The research team has embarked on a research programme to work closely with cardiologists in establishing clinical correlation between biomarkers – lactate, cholesterol and glucose – with heart health,” she said.

While the sensor is currently limited to these three biomarkers, the researchers aim to expand its abilities to detect others as well, she added.

Noting that the sensor can eventually be integrated with a variety of devices, including smartwatches and fitness trackers, Dr Yang said the technology can be employed both for lifestyle and medical purposes.

The researchers expect to be able to commercialise the sensor within the next five years or so, once the technology is more mature, she added.

Medical wearables are becoming increasingly popular, with market researcher Fortune Business Insights predicting that the global market for such devices is expected to grow from $120 billion in 2024 to $427 billion by 2032.

  • Open access
  • Published: 14 August 2024

A Scottish provenance for the Altar Stone of Stonehenge

  • Anthony J. I. Clarke   ORCID: orcid.org/0000-0002-0304-0484 1 ,
  • Christopher L. Kirkland   ORCID: orcid.org/0000-0003-3367-8961 1 ,
  • Richard E. Bevins 2 ,
  • Nick J. G. Pearce   ORCID: orcid.org/0000-0003-3157-9564 2 ,
  • Stijn Glorie 3 &
  • Rob A. Ixer 4  

Nature volume  632 ,  pages 570–575 ( 2024 ) Cite this article


  • Archaeology

Understanding the provenance of megaliths used in the Neolithic stone circle at Stonehenge, southern England, gives insight into the culture and connectivity of prehistoric Britain. The source of the Altar Stone, the central recumbent sandstone megalith, has remained unknown, with recent work discounting an Anglo-Welsh Basin origin 1 , 2 . Here we present the age and chemistry of detrital zircon, apatite and rutile grains from within fragments of the Altar Stone. The detrital zircon load largely comprises Mesoproterozoic and Archaean sources, whereas rutile and apatite are dominated by a mid-Ordovician source. The ages of these grains indicate derivation from an ultimate Laurentian crystalline source region that was overprinted by Grampian (around 460 million years ago) magmatism. Detrital age comparisons to sedimentary packages throughout Britain and Ireland reveal a remarkable similarity to the Old Red Sandstone of the Orcadian Basin in northeast Scotland. Such a provenance implies that the Altar Stone, a 6 tonne shaped block, was sourced at least 750 km from its current location. The difficulty of long-distance overland transport of such massive cargo from Scotland, navigating topographic barriers, suggests that it was transported by sea. Such routing demonstrates a high level of societal organization with intra-Britain transport during the Neolithic period.


Stonehenge, the Neolithic standing stone circle located on the Salisbury Plain in Wiltshire, England, offers valuable insight into prehistoric Britain. Construction at Stonehenge began as early as 3000 BC, with subsequent modifications during the following two millennia 3, 4. The megaliths of Stonehenge are divided into two major categories: sarsen stones and bluestones (Fig. 1a). The larger sarsens comprise duricrust silcrete predominantly sourced from the West Woods, Marlborough, approximately 25 km north of Stonehenge 5, 6. Bluestone, the generic term for rocks considered exotic to the local area, includes volcanic tuff, rhyolite, dolerite and sandstone lithologies 4 (Fig. 1a). Some lithologies are linked with Neolithic quarrying sites in the Mynydd Preseli area of west Wales 7, 8. An unnamed Lower Palaeozoic sandstone, associated with the west Wales area on the basis of acritarch fossils 9, is present only as widely disseminated debitage at Stonehenge and possibly as buried stumps (Stones 40g and 42c).

Figure 1. a, Plan view of Stonehenge showing exposed constituent megaliths and their provenance. The plan of Stonehenge was adapted from ref. 6 under a CC BY 4.0 license. Changes in scale and colour were made, and annotations were added. b, An annotated photograph shows the Altar Stone during a 1958 excavation. The Altar Stone photograph is from the Historic England archive. Reuse is not permitted.

The central megalith of Stonehenge, the Altar Stone (Stone 80), is the largest of the bluestones, measuring 4.9 × 1.0 × 0.5 m, and is a recumbent stone (Fig. 1b), weighing 6 t and composed of pale green micaceous sandstone with distinctive mineralogy 1, 2, 10 (containing baryte, calcite and clay minerals, with a notable absence of K-feldspar) (Fig. 2).

Figure 2. Minerals with a modal abundance above 0.5% are shown with compositional values averaged across both thin sections. U–Pb ablation pits from laser ablation inductively coupled plasma mass spectrometry (LA-ICP-MS) are shown with age (in millions of years ago, Ma), with uncertainty at the 2σ level.

Previous petrographic work on the Altar Stone has implied an association to the Old Red Sandstone 10 , 11 , 12 (ORS). The ORS is a late Silurian to Devonian sedimentary rock assemblage that crops out widely throughout Great Britain and Ireland (Extended Data Fig. 1 ). ORS lithologies are dominated by terrestrial siliciclastic sedimentary rocks deposited in continental fluvial, lacustrine and aeolian environments 13 . Each ORS basin reflects local subsidence and sediment infill and thus contains proximal crystalline signatures 13 , 14 .

Constraining the provenance of the Altar Stone could give insights into the connectivity of Neolithic people who left no written record 15. When the Altar Stone arrived at Stonehenge is uncertain; however, it may have been placed within the central trilithon horseshoe during the second construction phase around 2620–2480 BC 3. Whether the Altar Stone once stood upright as an approximately 4 m high megalith is unclear 15; nevertheless, the current arrangement has Stones 55b and 156 from the collapsed Great Trilithon resting atop the prone and broken Altar Stone (Fig. 1b).

An early proposed source for the Altar Stone from Mill Bay, Pembrokeshire (Cosheston Subgroup of the Anglo-Welsh ORS Basin), close to the Mynydd Preseli source of the doleritic and rhyolitic bluestones, strongly influenced the notion of a sea transport route via the Bristol Channel 12 . However, inconsistencies in petrography and detrital zircon ages between the Altar Stone and the Cosheston Subgroup have ruled this source out 1 , 11 . Nonetheless, a source from elsewhere in the ORS of the Anglo-Welsh Basin was still considered likely, with an inferred collection and overland transport of the Altar Stone en route to Stonehenge from the Mynydd Preseli 1 . However, a source from the Senni Formation (Cosheston Subgroup) is inconsistent with geochemical and petrographic data, which shows that the Anglo-Welsh Basin is highly unlikely to be the source 2 . Thus, the ultimate provenance of the Altar Stone had remained an open question.

Studies of detrital mineral grains are widely deployed to address questions throughout the Earth sciences and have utility in archaeological investigations 16 , 17 . Sedimentary rocks commonly contain a detrital component derived from a crystalline igneous basement, which may reflect a simple or complex history of erosion, transport and deposition cycles. This detrital cargo can fingerprint a sedimentary rock and its hinterland. More detailed insights become evident when a multi-mineral strategy is implemented, which benefits from the varying degrees of robustness to sedimentary transportation in the different minerals 18 , 19 , 20 .

Here, we present in situ U–Pb, Lu–Hf and trace element isotopic data for zircon, apatite and rutile from two fragments of the Altar Stone collected at Stonehenge: MS3 and 2010K.240 21, 22. In addition, we present comparative apatite U–Pb dates for the Orcadian Basin from Caithness and Orkney. We utilize statistical tools (Fig. 3) to compare the obtained detrital mineral ages and chemistry (Supplementary Information 1–3) to crystalline terranes and ORS successions across Great Britain, Ireland and Europe (Fig. 4 and Extended Data Fig. 1).

Figure 3. a, Multidimensional scaling (MDS) plot of concordant zircon U–Pb ages from the Altar Stone and comparative age datasets, with ellipses at the 95% confidence level 58. DIM 1 and DIM 2, dimensions 1 and 2. b, Cumulative probability plot of zircon U–Pb ages from crystalline terranes, the Orcadian Basin and the Altar Stone. For a cumulative probability plot of all ORS basins, see Extended Data Fig. 8.

Figure 4. a, Schematic map of Britain, showing outcrops of ORS and other Devonian sedimentary rocks, basement terranes and major faults. Potential Caledonian source plutons are colour-coded on the basis of age 28. b, Kernel density estimate diagrams displaying zircon U–Pb age (histogram) and apatite Lu–Hf age (dashed line) spectra from the Altar Stone, the Orcadian Basin 25 and plausible crystalline source terranes. The apatite age components for the Altar Stone and Orcadian Basins are shown below their respective kernel density estimates. Extended Data Fig. 3 contains kernel density estimates of other ORS and New Red Sandstone (NRS) age datasets.

Laurentian basement signatures

The crystalline basement terranes of Great Britain and Ireland, from north to south, are Laurentia, Ganderia, Megumia and East Avalonia (Fig. 4a and Extended Data Fig. 1 ). Cadomia-Armorica is south of the Rheic Suture and encompasses basement rocks in western Europe, including northern France and Spain. East Avalonia, Megumia and Ganderia are partly separated by the Menai Strait Fault System (Fig. 4a ). Each terrane has discrete age components, which have imparted palaeogeographic information into overlying sedimentary basins 13 , 14 , 23 . Laurentia was a palaeocontinent that collided with Baltica and Avalonia (a peri-Gondwanan microcontinent) during the early Palaeozoic Caledonian Orogeny to form Laurussia 14 , 24 . West Avalonia is a terrane that includes parts of eastern Canada and comprised the western margin of Avalonia (Extended Data Fig. 1 ).

Statistical comparisons, using a Kolmogorov–Smirnov test, between zircon ages from the Laurentian crystalline basement and the Altar Stone indicate that at a 95% confidence level, no distinction in provenance is evident between Altar Stone detrital zircon U–Pb ages and those from the Laurentian basement. That is, we cannot reject the null hypothesis that both samples are from the same underlying age distribution (Kolmogorov–Smirnov test: P > 0.05) (Fig. 3a).

Detrital zircon age components, defined by concordant analyses from at least 4 grains in the Altar Stone, include maxima at 1,047, 1,091, 1,577, 1,663 and 1,790 Ma (Extended Data Fig. 2 ), corresponding to known tectonomagmatic events and sources within Laurentia and Baltica, including the Grenville (1,095–980 Ma), Labrador (1,690–1,590 Ma), Gothian (1,660–1,520 Ma) and Svecokarellian (1,920–1,770 Ma) orogenies 25 .

Laurentian terranes are crystalline lithologies north of the Iapetus Suture Zone (which marks the collision zone between Laurentia and Avalonia) and include the Southern Uplands, Midland Valley, Grampian, Northern Highlands and Hebridean Terranes (Fig. 4a ). Together, these terranes preserve a Proterozoic to Archaean record of zircon production 24 , distinct from the southern Gondwanan-derived terranes of Britain 20 , 26 (Fig. 4a and Extended Data Fig. 3 ).

Age data from Altar Stone rutile grains also point towards an ultimate Laurentian source with several discrete age components (Extended Data Fig. 4 and Supplementary Information  1 ). Group 2 rutile U–Pb analyses from the Altar Stone include Proterozoic ages from 1,724 to 591 Ma, with 3 grains constituting an age peak at 1,607 Ma, overlapping with Laurentian magmatism, including the Labrador and Pinwarian (1,690–1,380 Ma) orogenies 24 . Southern terranes in Britain are not characterized by a large Laurentian (Mesoproterozoic) crystalline age component 25 (Fig. 4b and Extended Data Fig. 3 ). Instead, terranes south of the Iapetus Suture are defined by Neoproterozoic to early Palaeozoic components, with a minor component from around two billion years ago (Figs. 3b and  4b ).

U–Pb analyses of apatite from the Altar Stone define two distinct age groupings. Group 2 apatite U–Pb analyses define a lower intercept age of 1,018 ± 24 Ma (n = 9) (Extended Data Fig. 5), which overlaps, within uncertainty, with a zircon age component at 1,047 Ma, consistent with a Grenville source 25. Apatite Lu–Hf dates at 1,496 and 1,151 Ma also imply distinct Laurentian sources 25 (Fig. 4b, Extended Data Fig. 6 and Supplementary Information 2). Ultimately, the presence of Grenvillian apatite in the Altar Stone suggests direct derivation from the Laurentian basement, given the lability of apatite during prolonged chemical weathering 20, 27.

Grampian Terrane detrital grains

Apatite and rutile U–Pb analyses from the Altar Stone are dominated by regressions from common Pb that yield lower intercepts of 462 ± 4 Ma (n = 108) and 451 ± 8 Ma (n = 83), respectively (Extended Data Figs. 4 and 5). A single concordant zircon analysis also yields an early Palaeozoic age of 498 ± 17 Ma. Hence, with uncertainty from both lower intercepts, Group 1 apatite and rutile analyses demonstrate a mid-Ordovician (443–466 Ma) age component in the Altar Stone. These mid-Ordovician ages are confirmed by in situ apatite Lu–Hf analyses, which define a lower intercept of 470 ± 29 Ma (n = 16) (Extended Data Fig. 6 and Supplementary Information 2).

Throughout the Altar Stone are sub-planar 100–200-µm bands of concentrated heavy resistive minerals. These resistive minerals are interpreted to be magmatic in origin, given internal textures (oscillatory zonation), lack of mineral overgrowths (in all dated minerals) (Fig. 2 ) and the igneous apatite trace element signatures 27 (Extended Data Fig. 7 and Supplementary Information  3 ). Moreover, there is a general absence of detrital metamorphic zircon grains, further supporting a magmatic origin for these grains.

The most appropriate source region for such mid-Ordovician grains within Laurentian basement is the Grampian Terrane of northeast Scotland (Fig. 4a ). Situated between the Great Glen Fault to the north and the Highland Boundary Fault to the south, the terrane comprises Neoproterozoic to Lower Palaeozoic metasediments termed the Dalradian Supergroup 28 , which are intruded by a compositionally diverse suite of early Palaeozoic granitoids and gabbros (Fig. 4a ). The 466–443 Ma age component from Group 1 apatite and rutile U–Pb analyses overlaps with the terminal stages of Grampian magmatism and subsequent granite pluton emplacement north of the Highland Boundary Fault 28 (Fig. 4a ).

Geochemical classification plots for the Altar Stone apatite imply a compositionally diverse source, much like the lithological diversity within the Grampian Terrane 28 , with 61% of apatite classified as coming from felsic sources, 35% from mafic sources and 4% from alkaline sources (Extended Data Fig. 7 and Supplementary Information  3 ). Specifically, igneous rocks within the Grampian Terrane are largely granitoids, thus accounting for the predominance of felsic-classified apatite grains 29 . We posit that the dominant supply of detritus from 466–443 Ma came from the numerous similarly aged granitoids formed on the Laurentian margin 28 , which are present in both the Northern Highlands and the Grampian Terranes 28 (Fig. 4a ). The alkaline to calc-alkaline suites in these terranes are volumetrically small, consistent with the scarcity of alkaline apatite grains within the Altar Stone (Extended Data Fig. 7 ). Indeed, the Glen Dessary syenite at 447 ± 3 Ma is the only age-appropriate felsic-alkaline pluton in the Northern Highlands Terrane 30 .

The Stacey and Kramers 31 model of terrestrial Pb isotopic evolution predicts a ²⁰⁷Pb/²⁰⁶Pb isotopic ratio (²⁰⁷Pb/²⁰⁶Pbᵢ) of 0.8601 for 465 Ma continental crust. Mid-Ordovician regressions through Group 1 apatite and rutile U–Pb analyses yield upper intercepts for ²⁰⁷Pb/²⁰⁶Pbᵢ of 0.8603 ± 0.0033 and 0.8564 ± 0.0014, respectively (Extended Data Figs. 4 and 5 and Supplementary Information 1). The similarity between apatite and rutile ²⁰⁷Pb/²⁰⁶Pbᵢ implies they were sourced from the same Mid-Ordovician magmatic fluids. Ultimately, the calculated ²⁰⁷Pb/²⁰⁶Pbᵢ value is consistent with the older (Laurentian) crust north of the Iapetus Suture in Britain 32 (Fig. 4a).

Orcadian Basin ORS

The detrital zircon age spectra confirm petrographic associations between the Altar Stone and the ORS. Furthermore, the Altar Stone cannot be a New Red Sandstone (NRS) lithology of Permo-Triassic age. The NRS, deposited from around 280–240 Ma, unconformably overlies the ORS 14 . NRS, such as that within the Wessex Basin (Extended Data Fig. 1 ), has characteristic detrital zircon age components, including Carboniferous to Permian zircon grains, which are not present in the Altar Stone 1 , 23 , 26 , 33 , 34 (Extended Data Fig. 3 ).

An ORS classification for the Altar Stone provides the basis for further interpretation of provenance (Extended Data Figs. 1 and 8 ), given that the ORS crops out in distinct areas of Great Britain and Ireland, including the Anglo-Welsh border and south Wales, the Midland Valley and northeast Scotland, reflecting former Palaeozoic depocentres 14 (Fig. 4a ).

Previously reported detrital zircon ages and petrography show that ORS outcrops of the Anglo-Welsh Basin in the Cosheston Subgroup 1 and Senni Formation 2 are unlikely to be the sources of the Altar Stone (Fig. 4a ). ORS within the Anglo-Welsh Basin is characterized by mid-Palaeozoic zircon age maxima and minor Proterozoic components (Fig. 4a ). Ultimately, the detrital zircon age spectra of the Altar Stone are statistically distinct from the Anglo-Welsh Basin (Fig. 3a ). In addition, the ORS outcrops of southwest England (that is, south of the Variscan front), including north Devon and Cornwall (Cornubian Basin) (Fig. 4a ), show characteristic facies, including marine sedimentary structures and fossils along with a metamorphic fabric 13 , 26 , inconsistent with the unmetamorphosed, terrestrial facies of the Altar Stone 1 , 11 .

Another ORS succession with published age data for comparison is the Dingle Peninsula Basin, southwest Ireland. However, the presence of late Silurian (430–420 Ma) and Devonian (400–350 Ma) apatite, zircon and muscovite from the Dingle Peninsula ORS discounts a source for the Altar Stone from southern Ireland 20. The conspicuous absence of apatite grains of less than 450 Ma in age in the Altar Stone precludes the input of Late Caledonian magmatic grains to the source sediment of the Altar Stone and demonstrates that the ORS of the Altar Stone was deposited prior to or distally from areas of Late Caledonian magmatism, unlike the ORS of the Dingle Peninsula 20. Notably, no distinction in provenance between the Anglo-Welsh Basin and the Dingle Peninsula ORS is evident (Kolmogorov–Smirnov test: P > 0.05), suggesting that ORS basins south of the Iapetus Suture are relatively more homogenous in terms of their detrital zircon age components (Fig. 4a).

In Scotland, ORS predominantly crops out in the Midland Valley and Orcadian Basins (Fig. 4a). The Midland Valley Basin is bound between the Highland Boundary Fault and the Iapetus Suture and is located within the Midland Valley and Southern Uplands Terranes. Throughout Midland Valley ORS stratigraphy, detrital zircon age spectra broadly show a bimodal age distribution between Lower Palaeozoic and Mesoproterozoic components 35, 36 (Extended Data Fig. 3). Indeed, throughout 9 km of ORS stratigraphy in the Midland Valley Basin and across the Southern Uplands Fault, no major changes in provenance are recognized 36 (Fig. 4a). Devonian zircon, including grains as young as 402 ± 5 Ma from the northern ORS in the Midland Valley Basin 36, further differentiates this basin from the Altar Stone (Fig. 3a and Extended Data Fig. 3). The scarcity of Archaean to late Palaeoproterozoic zircon grains within the Midland Valley ORS shows that the Laurentian basement was not a dominant detrital source for those rocks 35. Instead, ORS of the Midland Valley is primarily defined by zircon from 475 Ma interpreted to represent the detrital remnants of Ordovician volcanism within the Midland Valley Terrane, with only minor and periodic input from Caledonian plutonism 35.

The Orcadian Basin of northeast Scotland, within the Grampian and Northern Highlands terranes, contains a thick package of mostly Mid-Devonian ORS, around 4 km thick in Caithness and up to around 8 km thick in Shetland 14 (Fig. 4a ). The detrital zircon age spectra from Orcadian Basin ORS provide the closest match to the Altar Stone detrital ages 25 (Fig. 3 and Extended Data Fig. 8 ). A Kolmogorov–Smirnov test on age spectra from the Altar Stone and the Orcadian Basin fails to reject the null hypothesis that they are derived from the same underlying distribution (Kolmogorov–Smirnov test: P  > 0.05) (Fig. 3a ). To the north, ORS on the Svalbard archipelago formed on Laurentian and Baltican basement rocks 37 . Similar Kolmogorov–Smirnov test results, where each detrital zircon dataset is statistically indistinguishable, are obtained for ORS from Svalbard, the Orcadian Basin and the Altar Stone.

Apatite U–Pb age components from Orcadian Basin samples from Spittal, Caithness (AQ1) and Cruaday, Orkney (CQ1) (Fig. 4a ) match those from the Altar Stone. Group 2 apatite from the Altar Stone at 1,018 ± 24 Ma is coeval with a Grenvillian age from Spittal at 1,013 ± 35 Ma. Early Palaeozoic apatite components at 473 ± 25 Ma and 466 ± 6 Ma, from Caithness and Orkney, respectively (Extended Data Fig. 5 and Supplementary Information  1 ), are also identical, within uncertainty, to Altar Stone Group 1 (462 ± 4 Ma) apatite U–Pb analyses and a Lu–Hf component at 470 ± 28 Ma supporting a provenance from the Orcadian Basin for the Altar Stone (Extended Data Fig. 6 and Supplementary Information  2 ).

During the Palaeozoic, the Orcadian Basin was situated between Laurentia and Baltica on the Laurussian palaeocontinent 14 . Correlations between detrital zircon age components imply that both Laurentia and Baltica supplied sediment into the Orcadian Basin 25 , 36 . Detrital grains from more than 900 Ma within the Altar Stone are consistent with sediment recycling from intermediary Neoproterozoic supracrustal successions (for example, Dalradian Supergroup) within the Grampian Terrane but also from the Särv and Sparagmite successions of Baltica 25 , 36 . At around 470 Ma, the Grampian Terrane began to denude 28 . Subsequently, first-cycle detritus, such as that represented by Group 1 apatite and rutile, was shed towards the Orcadian Basin from the southeast 25 .

Thus, the resistive mineral cargo in the Altar Stone represents a complex mix of first and multi-cycle grains from multiple sources. Regardless of total input from Baltica versus Laurentia into the Orcadian Basin, crystalline terranes north of the Iapetus Suture (Fig. 4a ) have distinct age components that match the Altar Stone in contrast to Gondwanan-derived terranes to the south.

The Altar Stone and Neolithic Britain

Isotopic data for detrital zircon and rutile (U–Pb) and apatite (U–Pb, Lu–Hf and trace elements) indicate that the Altar Stone of Stonehenge has a provenance from the ORS in the Orcadian Basin of northeast Scotland (Fig. 4a ). Given this detrital mineral provenance, the Altar Stone cannot have been sourced from southern Britain (that is, south of the Iapetus Suture) (Fig. 4a ), including the Anglo-Welsh Basin 1 , 2 .

Some postulate a glacial transport mechanism for the Mynydd Preseli (Fig. 4a ) bluestones to Salisbury Plain 38 , 39 . However, such transport for the Altar Stone is difficult to reconcile with ice-sheet reconstructions that show a northwards movement of glaciers (and erratics) from the Grampian Mountains towards the Orcadian Basin during the Last Glacial Maximum and, indeed, previous Pleistocene glaciations 40 , 41 . Moreover, there is little evidence of extensive glacial deposition in central southern Britain 40 , nor are Scottish glacial erratics found at Stonehenge 42 . Sr and Pb isotopic signatures from animal and human remains from henges on Salisbury Plain demonstrate the mobility of Neolithic people within Britain 32 , 43 , 44 , 45 . Furthermore, shared architectural elements and rock art motifs between Neolithic monuments in Orkney, northern Britain, and Ireland point towards the long-distance movement of people and construction materials 46 , 47 .

Thus, we posit that the Altar Stone was anthropogenically transported to Stonehenge from northeast Scotland, consistent with evidence of Neolithic inhabitation in this region 48 , 49 . Whereas the igneous bluestones were brought around 225 km from the Mynydd Preseli to Stonehenge 50 (Fig. 4a ), a Scottish provenance for the Altar Stone demands a transport distance of at least 750 km (Fig. 4a ). Nonetheless, even with assistance from beasts of burden 51 , rivers and topographical barriers, including the Grampians, Southern Uplands and the Pennines, along with the heavily forested landscape of prehistoric Britain 52 , would have posed formidable obstacles for overland megalith transportation.

At around 5000 BC, Neolithic people introduced the common vole ( Microtus arvalis ) from continental Europe to Orkney, consistent with the long-distance marine transport of cattle and goods 53 . A Neolithic marine trade network of quarried stone tools is found throughout Britain, Ireland and continental Europe 54 . For example, a saddle quern, a large stone grinding tool, was discovered in Dorset and determined to have a provenance in central Normandy 55 , implying the shipping of stone cargo over open water during the Neolithic. Furthermore, the river transport of shaped sandstone blocks in Britain is known from at least around 1500 BC (Hanson Log Boat) 56 . In Britain and Ireland, sea levels approached present-day heights from around 4000 BC 57 , and although coastlines have shifted, the geography of Britain and Ireland would have permitted sea routes southward from the Orcadian Basin towards southern England (Fig. 4a ). A Scottish provenance for the Altar Stone implies Neolithic transport spanning the length of Great Britain.

This work analysed two 30-µm polished thin sections of the Altar Stone (MS3 and 2010K.240) and two sections of ORS from northeast Scotland (Supplementary Information  4 ). CQ1 is from Cruaday, Orkney (59° 04′ 34.2″ N, 3° 18′ 54.6″ W), and AQ1 is from near Spittal, Caithness (58° 28′ 13.8″ N, 3° 27′ 33.6″ W). Conventional optical microscopy (transmitted and reflected light) and automated mineralogy via a TESCAN Integrated Mineral Analyser gave insights into texture and mineralogy and guided spot placement during LA-ICP–MS analysis. A CLARA field emission scanning electron microscope was used for textural characterization of individual minerals (zircon, apatite and rutile) through high-resolution micrometre-scale imaging under both back-scatter electron and cathodoluminescence. The Altar Stone is a fine-grained and well-sorted sandstone with a mean grain size diameter of ≤300 µm. Quartz grains are sub-rounded and monocrystalline. Feldspars are variably altered to fine-grained white mica. MS3 and 2010K.240 have a weakly developed planar fabric and non-planar heavy mineral laminae approximately 100–200 µm thick. Resistive heavy mineral bands are dominated by zircon, rutile, and apatite, with grains typically 10–40 µm wide. The rock is mainly cemented by carbonate, with localized areas of barite and quartz cement. A detailed account of Altar Stone petrography is provided in refs. 1 , 59 .

Zircon isotopic analysis

Zircon U–Pb methods

Two zircon U–Pb analysis sessions were completed at the GeoHistory facility in the John De Laeter Centre (JdLC), Curtin University, Australia. Ablations within zircon grains were created using an excimer laser RESOlution LE193 nm ArF with a Laurin Technic S155 cell. Isotopic data was collected with an Agilent 8900 triple quadrupole mass spectrometer, with high-purity Ar as the plasma carrier gas (flow rate 1 l min −1 ). An on-sample energy of ~2.3–2.7 J cm −2 with a 5–7 Hz repetition rate was used to ablate minerals for 30–40 s (with 25–60 s of background capture). Two cleaning pulses preceded analyses, and ultra-high-purity He (0.68 ml min −1 ) and N 2 (2.8 ml min −1 ) were used to flush the sample cell. A block of reference mineral was analysed following 15–20 unknowns. The small, highly rounded target grains of the Altar Stone (usually <30 µm in width) necessitated using a spot size diameter of ~24 µm for all ablations. Isotopic data was reduced using Iolite 4 60 with the U–Pb Geochronology data reduction scheme, followed by additional calculation and plotting via IsoplotR 61 . The primary matrix-matched reference zircon 62 used to correct instrumental drift and mass fractionation was GJ-1, 601.95 ± 0.40 Ma. Secondary reference zircon included Plešovice 63 , 337.13 ± 0.37 Ma, 91500 64 , 1,063.78 ± 0.65 Ma, OG1 65 , 3,465.4 ± 0.6 Ma and Maniitsoq 66 , 3,008.7 ± 0.6 Ma. Weighted mean U–Pb ages for secondary reference materials were within 2 σ uncertainty of reported values (Supplementary Information  5 ).

Zircon U–Pb results

Across two LA-ICP–MS sessions, 83 U–Pb measurements were obtained on as many zircon grains; 41 were concordant (≤10% discordant), where discordance is defined using the concordia log distance (%) approach 67 . We report single-spot (grain) concordia ages, which have numerous benefits over conventional U–Pb/Pb–Pb ages, including providing an objective measure of discordance that is directly coupled to age and avoids the arbitrary switch between 206 Pb/ 238 U and 207 Pb/ 206 Pb. Furthermore, given the spread in ages (Early Palaeozoic to Archaean), concordia ages provide optimum use of both U–Pb/Pb–Pb ratios, offering greater precision over 206 Pb/ 238 U or 207 Pb/ 206 Pb ages alone.

Given that no direct sampling of the Altar Stone is permitted, we are limited in the amount of material available for destructive analysis, such as LA-ICP–MS. We collate our zircon age data with the U–Pb analyses 1 of FN593 (another fragment of the Altar Stone), filtered using the same concordia log distance (%) discordance filter 67 . The total number of concordant analyses used in this work is thus 56 over three thin sections, which show no discernible provenance differences between them. Zircon concordia ages span from 498 to 2,812 Ma. Age maxima (peaks) were calculated after Gehrels 68 , and peak ages defined by ≥4 grains include 1,047, 1,091, 1,577, 1,663 and 1,790 Ma.

For 56 concordant ages from 56 grains at >95% certainty, the largest unmissed fraction is calculated at 9% of the entire uniform detrital population 69 . In any case, the most prevalent and hence provenance important components will be sampled for any number of analyses 69 . We analysed all zircon grains within the spatial limit of the technique in the thin sections 70 . We used in situ thin-section analysis, which can mitigate against contamination and sampling biases in detrital studies 71 . Adding apatite (U–Pb and Lu–Hf) and rutile (U–Pb) analyses bolsters our confidence in provenance interpretations as these minerals will respond dissimilarly during transport.

Comparative zircon datasets

Zircon U–Pb compilations of the basement terranes of Britain and Ireland were sourced from refs. 20 , 26 . ORS detrital zircon datasets used for comparison include isotopic data from the Dingle Peninsula Basin 20 , Anglo-Welsh Basin 72 , Midland Valley Basin 35 , Svalbard ORS 37 and Orcadian Basin 25 . NRS zircon U–Pb ages were sourced from the Wessex Basin 33 . Comparative datasets were filtered for discordance as per our definition above 20 , 26 . Kernel density estimates for age populations were created within IsoplotR 61 using a kernel and histogram bandwidth of 50 Ma.

A two-sample Kolmogorov–Smirnov statistical test was implemented to compare the compiled zircon age datasets with the Altar Stone (Supplementary Information  6 ). This two-sided test compares the maximum probability difference between two cumulative density age functions, evaluating the null hypothesis that both age spectra are drawn from the same distribution based on a critical value dependent on the number of analyses and a chosen confidence level.

The number of zircon ages within the comparative datasets used varies from the Altar Stone ( n  = 56) to Laurentia ( n  = 2,469). Therefore, to address the degree of dependence on sample n , we also implemented a Monte Carlo resampling (1,000 times) procedure for the Kolmogorov–Smirnov test, including the uncertainty on each age determination to recalculate P values and standard deviations (Supplementary Information  7 ), based on the resampled distribution of each sample. The results from Kolmogorov–Smirnov tests, using Monte Carlo resampling (and multidimensional analysis), taking uncertainty due to sample n into account, also support the interpretation that at >95% certainty, no distinction in provenance can be made between the Altar Stone zircon age dataset ( n  = 56) and those from the Orcadian Basin ( n  = 212), Svalbard ORS ( n  = 619 ) and the Laurentian basement (Supplementary Information  7 ).
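The two-sample test and the resampling procedure described above, as an added example written for this page (it is not the authors' scripts or the IsoplotR implementation). The p-value comes from the asymptotic Kolmogorov distribution, which is where the effective sample size n·m/(n + m) enters and why a small dataset (n = 56) has limited power to reject the null hypothesis; the Monte Carlo step redraws every age from a normal distribution with its stated uncertainty and recomputes the test. The age spectra are constructed: one is built around the Altar Stone peak ages quoted in the Results (1,047, 1,091, 1,577, 1,663 and 1,790 Ma), the other around invented younger peaks.

```python
"""Two-sample Kolmogorov-Smirnov comparison of detrital zircon age spectra,
with Monte Carlo resampling of each age within its analytical uncertainty.
Added example; the spectra below are constructed, not the paper's data."""
import math
import random


def ks_statistic(ages_a, ages_b):
    """D = max |F_a(x) - F_b(x)| between the two empirical CDFs."""
    a, b = sorted(ages_a), sorted(ages_b)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    while i < n and j < m:
        x = min(a[i], b[j])
        while i < n and a[i] <= x:
            i += 1
        while j < m and b[j] <= x:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_pvalue(d, n, m, terms=100):
    """Two-sided asymptotic p-value from the Kolmogorov distribution.
    The effective sample size n*m/(n+m) is what limits the power of a
    comparison involving a small dataset such as n = 56."""
    lam = d * math.sqrt(n * m / (n + m))
    if lam == 0.0:
        return 1.0
    if lam < 1.0:
        # Series that converges quickly for small lambda (p close to 1).
        s = sum(math.exp(-(2 * k - 1) ** 2 * math.pi ** 2 / (8.0 * lam * lam))
                for k in range(1, terms + 1))
        return max(0.0, min(1.0, 1.0 - math.sqrt(2.0 * math.pi) / lam * s))
    s = sum((-1) ** (k - 1) * math.exp(-2.0 * k * k * lam * lam)
            for k in range(1, terms + 1))
    return max(0.0, min(1.0, 2.0 * s))


def ks_test(ages_a, ages_b):
    """Returns (D, p) for two age lists."""
    d = ks_statistic(ages_a, ages_b)
    return d, ks_pvalue(d, len(ages_a), len(ages_b))


def monte_carlo_ks(ages_a, sig_a, ages_b, sig_b, n_iter=1000, seed=0):
    """Redraw every age from N(age, sigma) n_iter times and recompute the
    test; returns the mean and standard deviation of the resampled p values."""
    rng = random.Random(seed)
    p_values = []
    for _ in range(n_iter):
        ra = [rng.gauss(t, s) for t, s in zip(ages_a, sig_a)]
        rb = [rng.gauss(t, s) for t, s in zip(ages_b, sig_b)]
        p_values.append(ks_test(ra, rb)[1])
    mean = sum(p_values) / len(p_values)
    sd = math.sqrt(sum((p - mean) ** 2 for p in p_values) / len(p_values))
    return mean, sd


def build_spectrum(peaks, per_peak, spread, seed):
    """Constructed age spectrum: per_peak grains scattered around each peak (Ma)."""
    rng = random.Random(seed)
    return [rng.gauss(p, spread) for p in peaks for _ in range(per_peak)]


# Constructed spectra (not measured data): a population built around the
# Altar Stone peak ages quoted in the text, and one around invented peaks.
NORTH_PEAKS = [1047, 1091, 1577, 1663, 1790]
SOUTH_PEAKS = [450, 600, 2000]
SAMPLE_A = build_spectrum(NORTH_PEAKS, 11, 30.0, seed=1)   # n = 55
SAMPLE_B = build_spectrum(NORTH_PEAKS, 40, 30.0, seed=2)   # n = 200
SAMPLE_C = build_spectrum(SOUTH_PEAKS, 30, 30.0, seed=3)   # n = 90

if __name__ == "__main__":
    print("A vs B (same population):      D=%.3f p=%.3f" % ks_test(SAMPLE_A, SAMPLE_B))
    print("A vs C (different population): D=%.3f p=%.3g" % ks_test(SAMPLE_A, SAMPLE_C))
    mean_p, sd_p = monte_carlo_ks(SAMPLE_A, [20.0] * len(SAMPLE_A),
                                  SAMPLE_B, [20.0] * len(SAMPLE_B), n_iter=200)
    print("Monte Carlo A vs B: mean p=%.3f sd=%.3f" % (mean_p, sd_p))
```

The resampled p values are a direct check on how much a verdict of "indistinguishable" depends on analytical scatter: if the mean p stays well above 0.05 with a small standard deviation, the conclusion is robust to the age uncertainties, which is the point of the procedure in the paragraph above.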

MDS plots for zircon datasets were created using the MATLAB script of ref.  58 . Here, we adopted a bootstrap resampling (>1,000 times) with Procrustes rotation of Kolmogorov–Smirnov values, which outputs uncertainty ellipses at a 95% confidence level (Fig. 3a ). In MDS plots, stress is a goodness of fit indicator between dissimilarities in the datasets and distances on the MDS plot. Stress values below 0.15 are desirable 58 . For the MDS plot in Fig. 3a , the value is 0.043, which indicates an “excellent” fit 58 .

Rutile isotopic analysis

Rutile U–Pb methods

One rutile U–Pb analysis session was completed at the GeoHistory facility in the JdLC, Curtin University, Australia. Rutile grains were ablated (24 µm) using a Resonetics RESOlution M-50A-LR sampling system, using a Compex 102 excimer laser, and measured using an Agilent 8900 triple quadrupole mass analyser. The analytical parameters included an on-sample energy of 2.7 J cm −2 , a repetition rate of 7 Hz for a total analysis time of 45 s, and 60 s of background data capture. The sample chamber was purged with ultrahigh purity He at a flow rate of 0.68 l min −1 and N 2 at 2.8 ml min −1 .

U–Pb data for rutile analyses was reduced against the R-10 rutile primary reference material 73 (1,091 ± 4 Ma). The secondary reference material used to monitor the accuracy of U–Pb ratios was R-19 rutile. The weighted mean 238 U/ 206 Pb age obtained for R-19 was 491 ± 10 Ma (mean squared weighted deviation (MSWD) = 0.87, p ( χ 2 ) = 0.57), within uncertainty of the accepted age 74 of 489.5 ± 0.9 Ma.

Rutile grains with negligible Th concentrations can be corrected for common Pb using a 208 Pb correction 74 . Previously used thresholds for Th content have included 75 , 76 Th/U < 0.1 or a Th concentration >5% U. However, Th/U ratios for rutile from MS3 are typically >1; thus, a 208 Pb correction is not applicable. Instead, we use a 207 Pb-based common Pb correction 31 to account for the presence of common Pb. Rutile isotopic data was reduced within Iolite 4 60 using the U–Pb Geochronology reduction scheme and IsoplotR 61 .

Rutile U–Pb results

Ninety-two rutile U–Pb analyses were obtained in a single U–Pb session, which defined two coherent age groupings on a Tera–Wasserburg plot.

Group 1 constitutes 83 U–Pb rutile analyses, forming a well-defined mixing array on a Tera–Wasserburg plot between common and radiogenic Pb components. This array yields an upper intercept of 207 Pb/ 206 Pb i  = 0.8563 ± 0.0014. The lower intercept implies an age of 451 ± 8 Ma. The scatter about the line (MSWD = 2.7) is interpreted to reflect the variable passage of rutile of diverse grain sizes through the radiogenic Pb closure temperature at ~600 °C during and after magmatic crystallization 77 .

Group 2 comprises 9 grains, with 207 Pb-corrected 238 U/ 206 Pb ages ranging from 591 to 1,724 Ma. Three grains from Group 2 define an age peak 68 at 1,607 Ma. Given the spread in U–Pb ages, we interpret these Proterozoic grains to represent detrital rutile derived from various sources.

Apatite isotopic analysis

Apatite U–Pb methods

Two apatite U–Pb LA-ICP–MS analysis sessions were conducted at the GeoHistory facility in the JdLC, Curtin University, Australia. For both sessions, ablations were created using a RESOlution LE193 nm ArF excimer laser ablation system with a Laurin Technic S155 cell, connected to an Agilent 8900 ICP–MS. Other analytical details include a fluence of 2 J cm −2 and a 5 Hz repetition rate. For the Altar Stone section (MS3) and the Orcadian Basin samples (Supplementary Information  4 ), 24- and 20-µm spot sizes were used, respectively.

The matrix-matched primary reference material used for apatite U–Pb analyses was the Madagascar apatite (MAD-1) 78 . A range of secondary reference apatite was analysed, including FC-1 79 (Duluth Complex) with an age of 1,099.1 ± 0.6 Ma, Mount McClure 80 , 81 526 ± 2.1 Ma, Otter Lake 82 913 ± 7 Ma and Durango 83 31.44 ± 0.18 Ma. Anchored regressions (through reported 207 Pb/ 206 Pb i values) for secondary reference material yielded lower intercept ages within 2 σ uncertainty of reported values (Supplementary Information  8 ).

Altar Stone apatite U–Pb results

The first session of apatite U–Pb analysis of MS3 from the Altar Stone yielded 117 analyses. On a Tera–Wasserburg plot, these analyses form two discordant mixing arrays between common and radiogenic Pb components with distinct lower intercepts.

The array from Group 2 apatite, comprising 9 analyses, yields a lower intercept equivalent to an age of 1,018 ± 24 Ma (MSWD = 1.4) with an upper intercept 207 Pb/ 206 Pb i  = 0.8910 ± 0.0251. The f 207 % (the percentage of common Pb estimated using the 207 Pb method) of apatite analyses in Group 2 ranges from 16.66 to 88.8%, with a mean of 55.76%.

Group 1 apatite is defined by 108 analyses yielding a lower intercept of 462 ± 4 Ma (MSWD = 2.4) with an upper intercept 207 Pb/ 206 Pb i  = 0.8603 ± 0.0033. The f 207 % of apatite analyses in Group 1 ranges from 10.14 to 99.91%, with a mean of 78.65%. The slight over-dispersion of the apatite regression line may reflect some variation in Pb closure temperature in these crystals 84 .

Orcadian Basin apatite U–Pb results

The second apatite U–Pb session yielded 138 analyses from samples CQ1 and AQ1. These data form three discordant mixing arrays between radiogenic and common Pb components on a Tera–Wasserburg plot.

An unanchored regression through Group 1 apatite ( n  = 14) from the Cruaday sample (CQ1) yields a lower intercept of 473 ± 25 Ma (MSWD = 1.8) with an upper intercept of 207 Pb/ 206 Pb i  = 0.8497 ± 0.0128. The f 207 % spans 38–99%, with a mean value of 85%.

Group 1 from the Spittal sample (AQ1), comprising 109 analyses, yields a lower intercept equal to 466 ± 6 Ma (MSWD = 1.2). The upper 207 Pb/ 206 Pb i is equal to 0.8745 ± 0.0038. f 207 % values for this group range from 6 to 99%, with a mean value of 83%. A regression through Group 2 analyses ( n  = 17) from the Spittal sample yields a lower intercept of 1,013 ± 35 Ma (MSWD = 1) and an upper intercept 207 Pb/ 206 Pb i of 0.9038 ± 0.0101. f 207 % values span 25–99%, with a mean of 76%. Combined Group 1 U–Pb analyses from CQ1 and AQ1 ( n  = 123) yield a lower intercept equivalent to 466 ± 6 Ma (MSWD = 1.4) and an upper intercept 207 Pb/ 206 Pb i of 0.8726 ± 0.0036, which is presented beneath the Orcadian Basin kernel density estimate in Fig. 4b .
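The Tera–Wasserburg treatment that the rutile and apatite results above rely on, as an added example written for this page rather than the authors' Iolite/IsoplotR workflow: the 207Pb-based common-Pb correction of single analyses (rutile methods and Group 2 rutile) and the unanchored regression that gives an upper intercept 207Pb/206Pb_i and a lower-intercept age (all the apatite arrays). Assumptions: the decay constants and 238U/235U = 137.818 are the commonly used values; the regression is an ordinary least-squares line, whereas a published reduction would use an error-weighted (York-type) fit; and the measurements are constructed by mixing a 462 Ma radiogenic component with common Pb of 207Pb/206Pb = 0.8603, the values reported for Altar Stone Group 1 apatite, with no analytical noise.

```python
"""Tera-Wasserburg common-Pb handling for U-Pb analyses of rutile and apatite.
Added example with constructed data; not the paper's data-reduction code."""
import math

LAMBDA_238 = 1.55125e-10   # 238U decay constant, per year (assumed standard value)
LAMBDA_235 = 9.8485e-10    # 235U decay constant, per year (assumed standard value)
U238_U235 = 137.818        # present-day 238U/235U (assumed standard value)


def concordia_point(t_ma):
    """Tera-Wasserburg coordinates (238U/206Pb*, 207Pb*/206Pb*) of concordant age t_ma."""
    t = t_ma * 1.0e6
    e238 = math.exp(LAMBDA_238 * t) - 1.0
    e235 = math.exp(LAMBDA_235 * t) - 1.0
    return 1.0 / e238, e235 / (e238 * U238_U235)


def pb207_correct(x_meas, y_meas, pb76_common, tol=1e-7, max_iter=200):
    """207Pb-based common-Pb correction of one analysis (x = 238U/206Pb, y = 207Pb/206Pb).
    Returns (age_ma, f207_percent): the age of the radiogenic component and the
    share of common 206Pb, assuming common Pb has 207Pb/206Pb = pb76_common.
    Solved by fixed-point iteration: f depends on the radiogenic y at the age,
    and the age depends on the radiogenic x implied by f."""
    t = math.log(1.0 + 1.0 / x_meas) / LAMBDA_238 / 1.0e6   # start: all 206Pb radiogenic
    f = 0.0
    for _ in range(max_iter):
        _, y_rad = concordia_point(t)
        f = (y_meas - y_rad) / (pb76_common - y_rad)         # fraction of common 206Pb
        f = min(max(f, 0.0), 0.999)
        x_rad = x_meas / (1.0 - f)
        t_new = math.log(1.0 + 1.0 / x_rad) / LAMBDA_238 / 1.0e6
        converged = abs(t_new - t) < tol
        t = t_new
        if converged:
            break
    return t, 100.0 * f


def mixing_array(points):
    """Unanchored straight line through measured (x, y) points by ordinary least
    squares. Returns (upper intercept 207Pb/206Pb_i, lower-intercept age in Ma);
    the age is None if the line never meets the concordia between 1 and 4500 Ma."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    slope = sxy / sxx
    intercept = my - slope * mx

    def gap(t_ma):   # height of the line minus height of the concordia at the same x
        xc, yc = concordia_point(t_ma)
        return intercept + slope * xc - yc

    # Scan for the youngest sign change (the lower intercept), then bisect it.
    lo = hi = None
    prev = gap(1.0)
    for t in range(2, 4501):
        cur = gap(float(t))
        if (prev < 0.0) != (cur < 0.0):
            lo, hi = float(t - 1), float(t)
            break
        prev = cur
    if lo is None:
        return intercept, None
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if (gap(lo) < 0.0) == (gap(mid) < 0.0):
            lo = mid
        else:
            hi = mid
    return intercept, 0.5 * (lo + hi)


def synthetic_array(age_ma, pb76_common, fractions):
    """Constructed analyses: radiogenic Pb of age age_ma mixed with common Pb
    at the given common-206Pb fractions (no analytical noise)."""
    xr, yr = concordia_point(age_ma)
    return [(xr * (1.0 - f), yr * (1.0 - f) + pb76_common * f) for f in fractions]


if __name__ == "__main__":
    pts = synthetic_array(462.0, 0.8603, [0.1, 0.3, 0.5, 0.7, 0.9])
    print("upper intercept, lower-intercept age:", mixing_array(pts))
    for x, y in pts:
        print("207-corrected age %.1f Ma, f207 = %.1f%%" % pb207_correct(x, y, 0.8603))
```

Both routes use the same concordia function, so on noise-free constructed data the regression's lower intercept and every single-grain 207Pb-corrected age return the same 462 Ma; on real data the single-grain correction inherits the assumed common-Pb composition, which is why the regression's upper intercept (the array's own 207Pb/206Pb_i) is the value to feed into it.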

Apatite Lu–Hf methods

Apatite grains were dated in thin-section by the in situ Lu–Hf method at the University of Adelaide, using a RESOlution-LR 193 nm excimer laser ablation system, coupled to an Agilent 8900 ICP–MS/MS 85 , 86 . A gas mixture of NH 3 in He was used in the mass spectrometer reaction cell to promote high-order Hf reaction products, while equivalent Lu and Yb reaction products were negligible. The mass-shifted (+82 amu) reaction products of 176+82 Hf and 178+82 Hf reached the highest sensitivity of the measurable range and were analysed free from isobaric interferences. 177 Hf was calculated from 178 Hf, assuming natural abundances. 175 Lu was measured on mass as a proxy 85 for 176 Lu. Laser ablation was conducted with a laser beam of 43 µm at 7.5 Hz repetition rate and a fluence of approximately 3.5 J cm −2 . The analysed isotopes (with dwell times in ms between brackets) are 27 Al (2), 43 Ca (2), 57 Fe (2), 88 Sr (2), 89+85 Y (2), 90+83 Zr (2), 140+15 Ce (2), 146 Nd (2), 147 Sm (2), 172 Yb (5), 175 Lu (10), 175+82 Lu (50), 176+82 Hf (200) and 178+82 Hf (150). Isotopes with short dwell times (<10 ms) were measured to confirm apatite chemistry and to monitor for inclusions. 175+82 Lu was monitored for interferences on 176+82 Hf.

Relevant isotope ratios were calculated in LADR 87 using NIST 610 as the primary reference material 88 . Subsequently, reference apatite OD-306 78 (1,597 ± 7 Ma) was used to correct the Lu–Hf isotope ratios for matrix-induced fractionation 86 , 89 . Reference apatites Bamble-1 (1,597 ± 5 Ma), HR-1 (344 ± 2 Ma) and Wallaroo (1,574 ± 6 Ma) were monitored for accuracy verification 85 , 86 , 90 . Measured Lu–Hf dates of 1,098 ± 7 Ma, 346.0 ± 3.7 Ma and 1,575 ± 12 Ma, respectively, are in agreement with published values. All reference materials have negligible initial Hf, and weighted mean Lu–Hf dates were calculated in IsoplotR 61 directly from the (matrix-corrected) 176 Hf/ 176 Lu ratios.

For the Altar Stone apatites, which have variable 177 Hf/ 176 Hf compositions, single-grain Lu–Hf dates were calculated by anchoring isochrons to an initial 177 Hf/ 176 Hf composition 90 of 3.55 ± 0.05, which spans the entire range of initial 177 Hf/ 176 Hf ratios of the terrestrial reservoir (for example, ref. 91 ). The reported uncertainties for the single-grain Lu–Hf dates are presented as 95% confidence intervals, and dates are displayed on a kernel density estimate plot.
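The anchored single-grain date described above, as an added example written for this page (it is not the LADR or IsoplotR calculation the authors used). A two-point isochron through one grain and a fixed initial composition reduces to the Lu–Hf age equation with the initial 176Hf/177Hf substituted in, so the block computes exactly that, and then re-evaluates the date across the anchor's stated range (177Hf/176Hf = 3.55 ± 0.05) to show how strongly a grain with little radiogenic ingrowth depends on the anchor. Assumptions: the 176Lu decay constant value and the constructed, noise-free grain compositions.

```python
"""Single-grain in situ Lu-Hf dates anchored to an assumed initial Hf composition.
Added example with constructed measurements; not the paper's reduction code."""
import math

LAMBDA_176LU = 1.867e-11   # 176Lu decay constant, per year (assumed standard value)


def anchored_lu_hf_date(lu176_hf177, hf176_hf177, hf177_hf176_initial=3.55):
    """Date (Ma) from one grain's 176Lu/177Hf and 176Hf/177Hf, with the initial
    176Hf/177Hf fixed by the anchor, given as 177Hf/176Hf as in the text.
    Returns None when the grain shows no resolvable radiogenic ingrowth."""
    hf_initial = 1.0 / hf177_hf176_initial
    ingrowth = hf176_hf177 - hf_initial
    if ingrowth <= 0.0 or lu176_hf177 <= 0.0:
        return None
    return math.log(1.0 + ingrowth / lu176_hf177) / LAMBDA_176LU / 1.0e6


def anchor_sensitivity(lu176_hf177, hf176_hf177, anchor=3.55, anchor_unc=0.05):
    """(youngest, central, oldest) date across anchor +/- anchor_unc, or None if
    any anchor choice leaves no ingrowth. High-Lu/Hf grains barely move;
    low-Lu/Hf grains swing widely or fail, which is the edge case to watch."""
    dates = [anchored_lu_hf_date(lu176_hf177, hf176_hf177, a)
             for a in (anchor - anchor_unc, anchor, anchor + anchor_unc)]
    if any(d is None for d in dates):
        return None
    return min(dates), dates[1], max(dates)


def synthetic_grain(age_ma, lu176_hf177, hf177_hf176_initial=3.55):
    """Constructed measurement (176Lu/177Hf, 176Hf/177Hf) for a grain of known age."""
    hf_initial = 1.0 / hf177_hf176_initial
    growth = math.exp(LAMBDA_176LU * age_ma * 1.0e6) - 1.0
    return lu176_hf177, hf_initial + lu176_hf177 * growth


if __name__ == "__main__":
    for lu_hf in (2.0, 0.2):
        lu, hf = synthetic_grain(470.0, lu_hf)
        print("176Lu/177Hf = %.1f: date %.1f Ma, anchor range %s"
              % (lu_hf, anchored_lu_hf_date(lu, hf), anchor_sensitivity(lu, hf)))
```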

Apatite Lu–Hf results

Forty-five apatite Lu–Hf analyses were obtained from 2010K.240. Those with radiogenic Lu ingrowth or lacking common Hf gave Lu–Hf ages, defining four coherent isochrons and age groups.

Group 1, defined by 16 grains, yields a Lu–Hf isochron with a lower intercept of 470 ± 28 Ma (MSWD = 0.16, p ( χ 2 ) = 1). A second isochron through 5 analyses (Group 2) constitutes a lower intercept equivalent to 604 ± 38 Ma (MSWD = 0.14, p ( χ 2 ) = 0.94). Twelve apatite Lu–Hf analyses define Group 3 with a lower intercept of 1,123 ± 42 Ma (MSWD = 0.75, p ( χ 2 ) = 0.68). Three grains constitute the oldest grouping, Group 4 at 1,526 ± 186 Ma (MSWD = 0.014, p ( χ 2 ) = 0.91).

Apatite trace elements methods

A separate session of apatite trace element analysis was undertaken. Instrumentation and analytical set-up were identical to that described in 4.1. NIST 610 glass was the primary reference material for apatite trace element analyses. 43 Ca was used as the internal reference isotope, assuming an apatite Ca concentration of 40 wt%. Secondary reference materials included NIST 612 and the BHVO-2G glasses 92 . Elemental abundances for secondary reference material were generally within 5–10% of accepted values. Apatite trace element data was examined using the Geochemical Data Toolkit 93 .

Apatite trace elements results

One hundred and thirty-six apatite trace element analyses were obtained from as many grains. Geochemical classification schemes for apatite were used 29 , and three compositional groupings (felsic, mafic-intermediate, and alkaline) were defined.

Felsic-classified apatite grains ( n  = 83 (61% of analyses)) are defined by La/Nd of <0.6 and (La + Ce + Pr)/ΣREE (rare earth elements) of <0.5. The median values of felsic grains show a flat to slightly negative gradient on the chondrite-normalized REE plot from light to heavy REEs 94 . Felsic apatite’s median europium anomaly (Eu/Eu*) is 0.59, a moderately negative signature.

Mafic-intermediate apatite grains 29 ( n  = 48 (35% of grains)) are defined by (La + Ce + Pr)/ΣREE of 0.5–0.7 and a La/Nd of 0.5–1.5. In addition, apatite grains of this group typically exhibit a chondrite-normalized Ce/Yb of >5 and ΣREEs up to 1.25 wt%. Apatite grains classified as mafic-intermediate show a negative gradient on a chondrite-normalized REE plot from light to heavy REEs. The apatite grains of this group generally show the most enrichment in REEs compared to chondrite 94 . The median europium anomaly (Eu/Eu*) of mafic-intermediate apatite is 0.62, a moderately negative anomaly.

Lastly, alkaline apatite grains 29 ( n  = 5 (4% of analyses)) are characterized by La/Nd > 1.5 and a (La + Ce + Pr)/ΣREE > 0.8. The median europium anomaly of this group is 0.45. This grouping also shows elevated chondrite-normalized Ce/Yb of >10 and >0.5 wt% for the ΣREEs.
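The ratio-based classification described in the three paragraphs above, as an added example written for this page (it is not the Geochemical Data Toolkit procedure the authors used). The thresholds are those quoted in the text; the chondrite values used for normalization and for Eu/Eu* are an assumed CI chondrite set (McDonough & Sun 1995) rather than the normalization of ref. 94; and the four apatite analyses are constructed to land in each field, including one that matches no field and is reported as unclassified, since the quoted thresholds leave a gap between (La + Ce + Pr)/ΣREE of 0.7 and 0.8.

```python
"""Provenance classification of detrital apatite from its REE chemistry.
Added example with constructed analyses (ppm); not the paper's data or code."""
import math

REE = ["La", "Ce", "Pr", "Nd", "Sm", "Eu", "Gd", "Tb", "Dy", "Ho", "Er", "Tm", "Yb", "Lu"]
# CI chondrite abundances in ppm (McDonough & Sun 1995), an assumed normalization.
CHONDRITE = {"La": 0.237, "Ce": 0.613, "Pr": 0.0928, "Nd": 0.457, "Sm": 0.148,
             "Eu": 0.0563, "Gd": 0.199, "Tb": 0.0361, "Dy": 0.246, "Ho": 0.0546,
             "Er": 0.160, "Tm": 0.0247, "Yb": 0.161, "Lu": 0.0246}


def apatite_indices(ppm):
    """Discriminant ratios used in the text, from one analysis given in ppm."""
    total = sum(ppm[e] for e in REE)
    norm = {e: ppm[e] / CHONDRITE[e] for e in REE}        # chondrite-normalized
    return {
        "La/Nd": ppm["La"] / ppm["Nd"],
        "LCP/REE": (ppm["La"] + ppm["Ce"] + ppm["Pr"]) / total,
        "Ce/Yb_N": norm["Ce"] / norm["Yb"],
        "Eu/Eu*": norm["Eu"] / math.sqrt(norm["Sm"] * norm["Gd"]),   # Eu anomaly
        "REE_wt%": total / 1.0e4,
    }


def classify_apatite(ppm):
    """Field assignment with the thresholds quoted in the text (ref. 29 scheme)."""
    idx = apatite_indices(ppm)
    la_nd, lcp = idx["La/Nd"], idx["LCP/REE"]
    if la_nd < 0.6 and lcp < 0.5:
        return "felsic"
    if 0.5 <= lcp <= 0.7 and 0.5 <= la_nd <= 1.5:
        return "mafic-intermediate"
    if la_nd > 1.5 and lcp > 0.8:
        return "alkaline"
    return "unclassified"          # falls in the gap between the quoted fields


def classify_population(grains):
    """Per-field (count, percent) summary, as reported for the 136-grain dataset."""
    counts = {}
    for g in grains:
        label = classify_apatite(g)
        counts[label] = counts.get(label, 0) + 1
    n = len(grains)
    return {k: (v, round(100.0 * v / n)) for k, v in counts.items()}


# Constructed analyses (ppm), one per field plus one in the unclassified gap.
FELSIC = dict(zip(REE, [300, 900, 120, 700, 200, 25, 220, 35, 220, 45, 130, 18, 110, 15]))
MAFIC = dict(zip(REE, [2000, 4500, 500, 2000, 350, 60, 300, 40, 200, 35, 90, 10, 60, 8]))
ALKALINE = dict(zip(REE, [3000, 3500, 300, 1000, 150, 20, 100, 10, 40, 6, 15, 2, 10, 1.5]))
UNCLASSIFIED = dict(zip(REE, [550, 2600, 350, 1000, 60, 8, 40, 5, 20, 3, 8, 1, 5, 0.6]))

if __name__ == "__main__":
    for name, grain in [("felsic", FELSIC), ("mafic", MAFIC),
                        ("alkaline", ALKALINE), ("gap", UNCLASSIFIED)]:
        idx = apatite_indices(grain)
        print("%-9s -> %-18s La/Nd=%.2f LCP/REE=%.2f Ce/Yb_N=%.1f Eu/Eu*=%.2f"
              % (name, classify_apatite(grain), idx["La/Nd"], idx["LCP/REE"],
                 idx["Ce/Yb_N"], idx["Eu/Eu*"]))
    print(classify_population([FELSIC, FELSIC, MAFIC, ALKALINE]))
```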

Reporting summary

Further information on research design is available in the  Nature Portfolio Reporting Summary linked to this article.

Data availability

The isotopic and chemical data supporting the findings of this study are available within the paper and its supplementary information files.

Bevins, R. E. et al. Constraining the provenance of the Stonehenge ‘Altar Stone’: evidence from automated mineralogy and U–Pb zircon age dating. J. Archaeolog. Sci. 120 , 105188 (2020).


Bevins, R. E. et al. The Stonehenge Altar Stone was probably not sourced from the Old Red Sandstone of the Anglo-Welsh Basin: time to broaden our geographic and stratigraphic horizons? J. Archaeolog. Sci. Rep. 51 , 104215 (2023).


Pearson, M. P. et al. in Stonehenge for the Ancestors: Part 2: Synthesis (eds Pearson, M. P. et al.) 47–75 (Sidestone Press, 2022).

Pitts, M. W. How to Build Stonehenge (Thames & Hudson, 2022).

Nash, D. J. et al. Origins of the sarsen megaliths at Stonehenge. Sci. Adv. 6 , eabc0133 (2020).


Nash, D. J. et al. Petrological and geochemical characterisation of the sarsen stones at Stonehenge. PLoS ONE 16 , e0254760 (2021).


Pearson, M. P. et al. Megalith quarries for Stonehenge’s bluestones. Antiquity 93 , 45–62 (2019).


Pearson, M. P. et al. Craig Rhos-y-felin: a Welsh bluestone megalith quarry for Stonehenge. Antiquity 89 , 1331–1352 (2015).

Ixer, R., Turner, P., Molyneux, S. & Bevins, R. The petrography, geological age and distribution of the Lower Palaeozoic Sandstone debitage from the Stonehenge landscape. Wilts. Archaeol. Nat. Hist. Mag. 110 , 1–16 (2017).

Ixer, R. & Turner, P. A detailed re-examination of the petrography of the Altar Stone and other non-sarsen sandstones from Stonehenge as a guide to their provenance. Wilts. Archaeol. Nat. Hist. Mag. 99 , 1–9 (2006).

Ixer, R., Bevins, R. E., Pirrie, D., Turner, P. & Power, M. No provenance is better than wrong provenance: Milford Haven and the Stonehenge sandstones. Wilts. Archaeol. Nat. Hist. Mag. 113 , 1–15 (2020).

Thomas, H. H. The source of the stones of Stonehenge. The Antiq. J. 3 , 239–260 (1923).

Kendall, R. S. The Old Red Sandstone of Britain and Ireland—a review. Proc. Geol. Assoc. 128 , 409–421 (2017).

Woodcock, N., Holdsworth, R. E. & Strachan, R. A. in Geological History of Britain and Ireland (eds Woodcock, N. & Strachan, R. A.) Ch. 6 91–109 (Wiley-Blackwell, 2012).

Pearson, M. P., Pollard, J., Richards, C., Thomas, J. & Welham, K. Stonehenge: Making Sense of a Prehistoric Mystery (Council for British Archaeology, 2015).

Shewan, L. et al. Dating the megalithic culture of Laos: radiocarbon, optically stimulated luminescence and U/Pb zircon results. PLoS ONE 16 , e0247167 (2021).

Kelloway, S. et al. Sourcing olive jars using U–Pb ages of detrital zircons: a study of 16th century olive jars recovered from the Solomon Islands. Geoarchaeology 29 , 47–60 (2014).

Barham, M. et al. The answers are blowin’ in the wind: ultra-distal ashfall zircons, indicators of Cretaceous super-eruptions in eastern Gondwana. Geology 44 , 643–646 (2016).


Gillespie, J., Glorie, S., Khudoley, A. & Collins, A. S. Detrital apatite U–Pb and trace element analysis as a provenance tool: Insights from the Yenisey Ridge (Siberia). Lithos 314–315 , 140–155 (2018).


Fairey, B. J. et al. The provenance of the Devonian Old Red Sandstone of the Dingle Peninsula, SW Ireland; the earliest record of Laurentian and peri-Gondwanan sediment mixing in Ireland. J. Geol. Soc. 175 , 411–424 (2018).

Bevins, R. E. et al. Assessing the authenticity of a sample taken from the Altar Stone at Stonehenge in 1844 using portable XRF and automated SEM-EDS. J. Archaeol. Sci. Rep. 49 , 103973 (2023).

Bevins, R. E. et al. Linking derived debitage to the Stonehenge Altar Stone using portable X-ray fluorescence analysis. Mineral. Mag. 86 , 688–700 (2022).

Morton, A. C., Chisholm, J. I. & Frei, D. Provenance of Carboniferous sandstones in the central and southern parts of the Pennine Basin, UK: evidence from detrital zircon ages. Proc. York. Geol. Soc. 63 , https://doi.org/10.1144/pygs2020-010 (2021).

Cawood, P. A., Nemchin, A. A., Strachan, R., Prave, T. & Krabbendam, M. Sedimentary basin and detrital zircon record along East Laurentia and Baltica during assembly and breakup of Rodinia. J. Geol. Soc. 164 , 257–275 (2007).

Strachan, R. A., Olierook, H. K. H. & Kirkland, C. L. Evidence from the U–Pb–Hf signatures of detrital zircons for a Baltican provenance for basal Old Red Sandstone successions, northern Scottish Caledonides. J. Geol. Soc. 178 , https://doi.org/10.1144/jgs2020-241 (2021).

Stevens, T. & Baykal, Y. Detrital zircon U–Pb ages and source of the late Palaeocene Thanet Formation, Kent, SE England. Proc. Geol. Assoc. 132 , 240–248 (2021).

O’Sullivan, G., Chew, D. M., Kenny, G., Heinrichs, I. & Mulligan, D. The trace element composition of apatite and its application to detrital provenance studies. Earth Sci. Rev. 201 , 103044 (2020).

Oliver, G., Wilde, S. & Wan, Y. Geochronology and geodynamics of Scottish granitoids from the late Neoproterozoic break-up of Rodinia to Palaeozoic collision. J. Geol. Soc. 165 , 661–674 (2008).

Fleischer, M. & Altschuler, Z. S. The lanthanides and yttrium in minerals of the apatite group-an analysis of the available data. Neu. Jb. Mineral. Mh. 10 , 467–480 (1986).

Goodenough, K. M., Millar, I., Strachan, R. A., Krabbendam, M. & Evans, J. A. Timing of regional deformation and development of the Moine Thrust Zone in the Scottish Caledonides: constraints from the U–Pb geochronology of alkaline intrusions. J. Geol. Soc. 168 , 99–114 (2011).

Stacey, J. S. & Kramers, J. D. Approximation of terrestrial lead isotope evolution by a two-stage model. Earth Planet. Sci. Lett. 26 , 207–221 (1975).

Evans, J. A. et al. Applying lead (Pb) isotopes to explore mobility in humans and animals. PLoS ONE 17 , e0274831 (2022).

Morton, A., Knox, R. & Frei, D. Heavy mineral and zircon age constraints on provenance of the Sherwood Sandstone Group (Triassic) in the eastern Wessex Basin, UK. Proc. Geol. Assoc. 127 , 514–526 (2016).

Morton, A., Hounslow, M. W. & Frei, D. Heavy-mineral, mineral-chemical and zircon-age constraints on the provenance of Triassic sandstones from the Devon coast, southern Britain. Geologos 19 , 67–85 (2013).

Phillips, E. R., Smith, R. A., Stone, P., Pashley, V. & Horstwood, M. Zircon age constraints on the provenance of Llandovery to Wenlock sandstones from the Midland Valley terrane of the Scottish Caledonides. Scott. J. Geol. 45 , 131–146 (2009).

McKellar, Z., Hartley, A. J., Morton, A. C. & Frei, D. A multidisciplinary approach to sediment provenance analysis of the late Silurian–Devonian Lower Old Red Sandstone succession, northern Midland Valley Basin, Scotland. J. Geol. Soc. 177 , 297–314 (2019).

Beranek, L. P., Gee, D. G. & Fisher, C. M. Detrital zircon U–Pb–Hf isotope signatures of Old Red Sandstone strata constrain the Silurian to Devonian paleogeography, tectonics, and crustal evolution of the Svalbard Caledonides. GSA Bull. 132 , 1987–2003 (2020).

John, B. The Stonehenge Bluestones (Greencroft Books, 2018).

John, B. The Stonehenge bluestones did not come from Waun Mawn in West Wales. The Holocene https://doi.org/10.1177/09596836241236318 (2024).

Clark, C. D. et al. Growth and retreat of the last British–Irish Ice Sheet, 31 000 to 15 000 years ago: the BRITICE-CHRONO reconstruction. Boreas 51 , 699–758 (2022).

Gibbard, P. L. & Clark, C. D. in Developments in Quaternary Sciences , Vol. 15 (eds Ehlers, J. et al.) 75–93 (Elsevier, 2011).

Bevins, R., Ixer, R., Pearce, N., Scourse, J. & Daw, T. Lithological description and provenancing of a collection of bluestones from excavations at Stonehenge by William Hawley in 1924 with implications for the human versus ice transport debate of the monument’s bluestone megaliths. Geoarchaeology 38 , 771–785 (2023).

Snoeck, C. et al. Strontium isotope analysis on cremated human remains from Stonehenge support links with west Wales. Sci. Rep. 8 , 10790 (2018).


Viner, S., Evans, J., Albarella, U. & Pearson, M. P. Cattle mobility in prehistoric Britain: strontium isotope analysis of cattle teeth from Durrington Walls (Wiltshire, Britain). J. Archaeolog. Sci. 37 , 2812–2820 (2010).

Evans, J. A., Chenery, C. A. & Fitzpatrick, A. P. Bronze Age childhood migration of individuals near Stonehenge, revealed by strontium and oxygen isotope tooth enamel analysis. Archaeometry 48 , 309–321 (2006).

Bradley, R. Beyond the bluestones: links between distant monuments in Late Neolithic Britain and Ireland. Antiquity 98 , 821–828 (2024).

Bradley, R. Long distance connections within Britain and Ireland: the evidence of insular rock art. Proc. Prehist. Soc. 89 , 249–271 (2023).

Fairweather, A. D. & Ralston, I. B. M. The Neolithic timber hall at Balbridie, Grampian Region, Scotland: the building, the date, the plant macrofossils. Antiquity 67 , 313–323 (1993).

Bayliss, A., Marshall, P., Richards, C. & Whittle, A. Islands of history: the Late Neolithic timescape of Orkney. Antiquity 91 , 1171–1188 (2017).

Parker Pearson, M. et al. in Megaliths and Geology (eds Bouventura, R. et al.) 151–169 (Archaeopress Publishing, 2020).

Pigière, F. & Smyth, J. First evidence for cattle traction in Middle Neolithic Ireland: A pivotal element for resource exploitation. PLoS ONE 18 , e0279556 (2023).


Godwin, H. History of the natural forests of Britain: establishment, dominance and destruction. Philos. Trans. R. Soc. B 271 , 47–67 (1975).


Martínková, N. et al. Divergent evolutionary processes associated with colonization of offshore islands. Mol. Ecol. 22 , 5205–5220 (2013).

Bradley, R. & Edmonds, M. Interpreting the Axe Trade: Production and Exchange in Neolithic Britain (Cambridge Univ. Press, 2005).

Peacock, D., Cutler, L. & Woodward, P. A Neolithic voyage. Int. J. Naut. Archaeol. 39 , 116–124 (2010).

Pinder, A. P., Panter, I., Abbott, G. D. & Keely, B. J. Deterioration of the Hanson Logboat: chemical and imaging assessment with removal of polyethylene glycol conserving agent. Sci. Rep. 7 , 13697 (2017).

Harff, J. et al. in Submerged Landscapes of the European Continental Shelf: Quaternary Paleoenvironments (eds Flemming, N. C. et al.) 11–49 (2017).

Nordsvan, A. R., Kirscher, U., Kirkland, C. L., Barham, M. & Brennan, D. T. Resampling (detrital) zircon age distributions for accurate multidimensional scaling solutions. Earth Sci. Rev. 204 , 103149 (2020).

Ixer, R., Bevins, R. & Turner, P. Alternative Altar Stones? Carbonate-cemented micaceous sandstones from the Stonehenge landscape. Wilts. Archaeol. Nat. Hist. Mag. 112 , 1–13 (2019).

Paton, C., Hellstrom, J. C., Paul, B., Woodhead, J. D. & Hergt, J. M. Iolite: freeware for the visualisation and processing of mass spectrometric data. J. Anal. At. Spectrom. 26 , 2508–2518 (2011).

Vermeesch, P. IsoplotR: a free and open toolbox for geochronology. Geosci. Front. 9 , 1479–1493 (2018).

Jackson, S. E., Pearson, N. J., Griffin, W. L. & Belousova, E. A. The application of laser ablation-inductively coupled plasma-mass spectrometry to in situ U–Pb zircon geochronology. Chem. Geol. 211 , 47–69 (2004).

Sláma, J. et al. Plešovice zircon—A new natural reference material for U–Pb and Hf isotopic microanalysis. Chem. Geol. 249 , 1–35 (2008).

Wiedenbeck, M. et al. Three natural zircon standards for U-Th-Pb, Lu–Hf, trace element and REE analyses. Geostand. Newslett. 19 , 1–23 (1995).

Stern, R. A., Bodorkos, S., Kamo, S. L., Hickman, A. H. & Corfu, F. Measurement of SIMS instrumental mass fractionation of Pb isotopes during zircon dating. Geostand. Geoanal. Res. 33 , 145–168 (2009).

Marsh, J. H., Jørgensen, T. R. C., Petrus, J. A., Hamilton, M. A. & Mole, D. R. U-Pb, trace element, and hafnium isotope composition of the Maniitsoq zircon: a potential new Archean zircon reference material. Goldschmidt Abstr. 2019 , 18 (2019).

Vermeesch, P. On the treatment of discordant detrital zircon U–Pb data. Geochronology 3 , 247–257 (2021).

Gehrels, G. in Tectonics of Sedimentary Basins: Recent Advances (eds Busby, C. & Azor, A.) 45–62 (2011).

Vermeesch, P. How many grains are needed for a provenance study? Earth Planet. Sci. Lett. 224 , 441–451 (2004).

Dröllner, M., Barham, M., Kirkland, C. L. & Ware, B. Every zircon deserves a date: selection bias in detrital geochronology. Geol. Mag. 158 , 1135–1142 (2021).

Zutterkirch, I. C., Kirkland, C. L., Barham, M. & Elders, C. Thin-section detrital zircon geochronology mitigates bias in provenance investigations. J. Geol. Soc. 179 , jgs2021–070 (2021).

Morton, A., Waters, C., Fanning, M., Chisholm, I. & Brettle, M. Origin of Carboniferous sandstones fringing the northern margin of the Wales-Brabant Massif: insights from detrital zircon ages. Geol. J. 50 , 553–574 (2015).

Luvizotto, G. et al. Rutile crystals as potential trace element and isotope mineral standards for microanalysis. Chem. Geol. 261 , 346–369 (2009).

Zack, T. et al. In situ U–Pb rutile dating by LA-ICP-MS: 208Pb correction and prospects for geological applications. Contrib. Mineral. Petrol. 162 , 515–530 (2011).

Dröllner, M., Barham, M. & Kirkland, C. L. Reorganization of continent-scale sediment routing based on detrital zircon and rutile multi-proxy analysis. Basin Res. 35 , 363–386 (2023).

Liebmann, J., Barham, M. & Kirkland, C. L. Rutile ages and thermometry along a Grenville anorthosite pathway. Geochem. Geophys. Geosyst. 24 , e2022GC010330 (2023).

Zack, T. & Kooijman, E. Petrology and geochronology of rutile. Rev. Mineral. Geochem. 83 , 443–467 (2017).

Thompson, J. et al. Matrix effects in Pb/U measurements during LA-ICP-MS analysis of the mineral apatite. J. Anal. At. Spectrom. 31 , 1206–1215 (2016).

Schmitz, M. D., Bowring, S. A. & Ireland, T. R. Evaluation of Duluth Complex anorthositic series (AS3) zircon as a U–Pb geochronological standard: new high-precision isotope dilution thermal ionization mass spectrometry results. Geochim. Cosmochim. Acta 67 , 3665–3672 (2003).

Schoene, B. & Bowring, S. U–Pb systematics of the McClure Mountain syenite: thermochronological constraints on the age of the 40Ar/39Ar standard MMhb. Contrib. Mineral. Petrol. 151 , 615–630 (2006).

Thomson, S. N., Gehrels, G. E., Ruiz, J. & Buchwaldt, R. Routine low-damage apatite U–Pb dating using laser ablation-multicollector-ICPMS. Geochem. Geophys. Geosyst. 13 , https://doi.org/10.1029/2011GC003928 (2012).

Barfod, G. H., Krogstad, E. J., Frei, R. & Albarède, F. Lu–Hf and PbSL geochronology of apatites from Proterozoic terranes: a first look at Lu–Hf isotopic closure in metamorphic apatite. Geochim. Cosmochim. Acta 69 , 1847–1859 (2005).

McDowell, F. W., McIntosh, W. C. & Farley, K. A. A precise 40Ar–39Ar reference age for the Durango apatite (U–Th)/He and fission-track dating standard. Chem. Geol. 214 , 249–263 (2005).

Kirkland, C. L. et al. Apatite: a U–Pb thermochronometer or geochronometer? Lithos 318-319 , 143–157 (2018).

Simpson, A. et al. In-situ Lu Hf geochronology of garnet, apatite and xenotime by LA ICP MS/MS. Chem. Geol. 577 , 120299 (2021).

Glorie, S. et al. Robust laser ablation Lu–Hf dating of apatite: an empirical evaluation. Geol. Soc. Lond. Spec. Publ. 537 , 165–184 (2024).

Norris, C. & Danyushevsky, L. Towards estimating the complete uncertainty budget of quantified results measured by LA-ICP-MS. Goldschmidt Abstr. 2018 , 1894 (2018).

Nebel, O., Morel, M. L. A. & Vroon, P. Z. Isotope dilution determinations of Lu, Hf, Zr, Ta and W, and Hf isotope compositions of NIST SRM 610 and 612 glass wafers. Geostand. Geoanal. Res. 33 , 487–499 (2009).

Kharkongor, M. B. K. et al. Apatite laser ablation LuHf geochronology: A new tool to date mafic rocks. Chem. Geol. 636 , 121630 (2023).

Glorie, S. et al. Detrital apatite Lu–Hf and U–Pb geochronology applied to the southwestern Siberian margin. Terra Nova 34 , 201–209 (2022).

Spencer, C. J., Kirkland, C. L., Roberts, N. M. W., Evans, N. J. & Liebmann, J. Strategies towards robust interpretations of in situ zircon Lu–Hf isotope analyses. Geosci. Front. 11 , 843–853 (2020).

Jochum, K. P. et al. GeoReM: a new geochemical database for reference materials and isotopic standards. Geostand. Geoanal. Res. 29 , 333–338 (2005).

Janousek, V., Farrow, C. & Erban, V. Interpretation of whole-rock geochemical data in igneous geochemistry: introducing Geochemical Data Toolkit (GCDkit). J. Petrol. 47 , 1255–1259 (2006).

Boynton, W. V. in Developments in Geochemistry , Vol. 2 (ed. Henderson, P.) 63–114 (Elsevier, 1984).

Landing, E., Keppie, J. D., Keppie, D. F., Geyer, G. & Westrop, S. R. Greater Avalonia—latest Ediacaran–Ordovician “peribaltic” terrane bounded by continental margin prisms (“Ganderia”, Harlech Dome, Meguma): review, tectonic implications, and paleogeography. Earth Sci. Rev. 224 , 103863 (2022).


Acknowledgements

Funding was provided by an Australian Research Council Discovery Project (DP200101881). Sample material was loaned from the Salisbury Museum and Amgueddfa Cymru–Museum Wales and sampled with permission. The authors thank A. Green for assistance in accessing the Salisbury Museum material; B. McDonald, N. Evans, K. Rankenburg and S. Gilbert for their help during isotopic analysis; and P. Sampaio for assistance with statistical analysis. Instruments in the John de Laeter Centre, Curtin University, were funded via AuScope, the Australian Education Investment Fund, the National Collaborative Research Infrastructure Strategy, and the Australian Government. R.E.B. acknowledges a Leverhulme Trust Emeritus Fellowship.

Author information

Authors and Affiliations

Timescales of Mineral Systems Group, School of Earth and Planetary Sciences, Curtin University, Perth, Western Australia, Australia

Anthony J. I. Clarke & Christopher L. Kirkland

Department of Geography and Earth Sciences, Aberystwyth University, Aberystwyth, UK

Richard E. Bevins & Nick J. G. Pearce

Department of Earth Sciences, The University of Adelaide, Adelaide, South Australia, Australia

Stijn Glorie

Institute of Archaeology, University College London, London, UK

Rob A. Ixer


Contributions

A.J.I.C.: writing, original draft, formal analysis, investigation, visualization, project administration, conceptualization and methodology. C.L.K.: supervision, resources, formal analysis, funding acquisition, writing, review and editing, conceptualization and methodology. R.E.B.: writing, review and editing, resources and conceptualization. N.J.G.P.: writing, review and editing, resources and conceptualization. S.G.: resources, formal analysis, funding acquisition, writing, review and editing, supervision, and methodology. R.A.I.: writing, review and editing.

Corresponding author

Correspondence to Anthony J. I. Clarke .

Ethics declarations

Competing interests

The authors declare no competing interests.

Peer review

Peer review information

Nature thanks Tim Kinnaird and the other, anonymous, reviewer(s) for their contribution to the peer review of this work. Peer review reports are available.

Additional information

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Extended data figures and tables

Extended Data Fig. 1 Geological maps of potential source terranes for the Altar Stone.

a , Schematic map of the North Atlantic region with the crystalline terranes in the Caledonian-Variscan orogens depicted prior to the opening of the North Atlantic, adapted after ref. 95 . b , Schematic map of Britain and Ireland, showing outcrops of Old Red Sandstone, basement terranes, and major faults with reference to Stonehenge.

Extended Data Fig. 2 Altar Stone zircon U–Pb data.

a , Tera-Wasserburg plot for all concordant (≤10% discordant) zircon analyses reported from three samples of the Altar Stone. Discordance is defined using the concordia log % distance approach, and analytical ellipses are shown at the two-sigma uncertainty level. The ellipse colour denotes the sample. Replotted isotopic data for thin-section FN593 is from ref. 1 . b , Kernel density estimate for concordia U–Pb ages of concordant zircon from the Altar Stone, using a kernel and histogram bandwidth of 50 Ma. Fifty-six concordant analyses are shown from 113 measurements. A rug plot is given below the kernel density estimate, marking the age of each measurement.

Extended Data Fig. 3 Comparative kernel density estimates of concordant zircon concordia ages from the Altar Stone, crystalline source terranes, and comparative sedimentary rock successions.

Each plot uses a kernel and histogram bandwidth of 50 Ma. The zircon U–Pb geochronology source for each comparative dataset is shown with its respective kernel density estimate. Zircon age data for basement terranes (right side of the plot) were sourced from refs. 20, 26.

Extended Data Fig. 4 Plots of rutile U–Pb ages.

a , Tera-Wasserburg plot of rutile U–Pb analyses from the Altar Stone (thin-section MS3). Isotopic data is shown at the two-sigma uncertainty level. b , Kernel density estimate for Group 2 rutile 207Pb-corrected 206Pb/238U ages, using a kernel and histogram bandwidth of 25 Ma. The rug plot below the kernel density estimate marks the age for each measurement.

Extended Data Fig. 5 Apatite Tera-Wasserburg U–Pb plots for the Altar Stone and Orcadian Basin.

a , Altar Stone apatite U–Pb analyses from thin-section MS3. b , Orcadian Basin apatite U–Pb analyses from sample AQ1, Spittal, Caithness. c , Orcadian Basin apatite U–Pb analyses from sample CQ1, Cruaday, Orkney. All data are shown as ellipses at the two-sigma uncertainty level. Regressions through U–Pb data are unanchored.

Extended Data Fig. 6 Combined kernel density estimate and histogram for apatite Lu–Hf single-grain ages from the Altar Stone.

Lu–Hf apparent ages from thin-section 2010K.240. Kernel and histogram bandwidth of 50 Ma. The rug plot below the kernel density estimate marks each calculated age. Single spot ages are calculated assuming an initial average terrestrial 177Hf/176Hf composition (see Methods ).

Extended Data Fig. 7 Apatite trace element classification plots for the Altar Stone thin-section MS3.

Colours for all plots follow the geochemical discrimination defined in a. a , Ref. 29 classification plot for apatite with an inset pie chart depicting the compositional groupings based on these geochemical ratios. b , The principal component plot of geochemical data from apatite shows the main eigenvectors of geochemical dispersion, highlighting enhanced Nd and La in the distinguishing groups. Medians for each group are denoted with a cross. c , Plot of total rare earth elements (REE) (%) versus (Ce/Yb) n with Mahalanobis ellipses around compositional classification centroids. A P = 0.5 in Mahalanobis distance analysis represents a two-sided probability, indicating that 50% of the probability mass of the chi-squared distribution for that compositional grouping is contained within the ellipse. This probability is calculated based on the cumulative distribution function of the chi-squared distribution. d , Chondrite normalized REE plot of median apatite values for each defined apatite classification type.
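The P = 0.5 ellipse described for panel c can be computed directly. The block below is an added example and not code from the paper or its supplementary material. For two-dimensional compositional data, the squared Mahalanobis distance of a point from its group centroid follows (under a Gaussian assumption) a chi-squared distribution with two degrees of freedom, whose cumulative distribution function is 1 − exp(−x/2); the contour enclosing probability mass P therefore sits at squared distance −2 ln(1 − P), which for P = 0.5 is 2 ln 2 ≈ 1.386. The apatite values below are constructed for illustration and are not the MS3 measurements; the two axes are stand-ins for the total REE and (Ce/Yb)n coordinates of the plot, and the covariance is the ordinary sample covariance (an assumption, since the caption does not state how the ellipses were fitted).

```python
import math


def chi2_quantile_2d(p):
    """Inverse CDF of the chi-squared distribution with 2 degrees of freedom.
    Its CDF is F(x) = 1 - exp(-x/2), so the squared Mahalanobis radius that
    encloses probability mass p is x = -2 ln(1 - p). For p = 0.5 this is 2 ln 2."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must lie in [0, 1)")
    return -2.0 * math.log(1.0 - p)


def centroid_and_covariance(points):
    """Mean vector and 2x2 sample covariance (n - 1 denominator) of (x, y) pairs.
    Returned covariance is the tuple (sxx, sxy, syy)."""
    n = len(points)
    if n < 3:
        raise ValueError("need at least three points for a non-degenerate ellipse")
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in points) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in points) / (n - 1)
    return (mx, my), (sxx, sxy, syy)


def mahalanobis_sq(point, centroid, cov):
    """Squared Mahalanobis distance (x - mu)^T S^-1 (x - mu) for 2-D data,
    using the closed-form inverse of the 2x2 covariance matrix."""
    sxx, sxy, syy = cov
    det = sxx * syy - sxy * sxy
    if det <= 0.0:
        raise ValueError("covariance matrix is singular; points are collinear")
    dx = point[0] - centroid[0]
    dy = point[1] - centroid[1]
    # S^-1 = (1/det) * [[syy, -sxy], [-sxy, sxx]]
    return (syy * dx * dx - 2.0 * sxy * dx * dy + sxx * dy * dy) / det


def fraction_inside_ellipse(points, p):
    """Fraction of a group's own points lying inside its P = p Mahalanobis
    ellipse. For well-behaved Gaussian data this fraction approaches p."""
    centroid, cov = centroid_and_covariance(points)
    radius_sq = chi2_quantile_2d(p)
    inside = sum(1 for pt in points if mahalanobis_sq(pt, centroid, cov) <= radius_sq)
    return inside / len(points)


# Constructed apatite group (illustration only, not MS3 data): x = total REE (%),
# y = chondrite-normalised (Ce/Yb)n, as stand-ins for the plot axes.
APATITE_GROUP = [
    (0.30, 12.0), (0.34, 14.0), (0.28, 11.0), (0.36, 15.5), (0.32, 13.0),
    (0.31, 12.5), (0.33, 13.5), (0.29, 11.5), (0.35, 14.5), (0.32, 12.8),
]

if __name__ == "__main__":
    print(f"P = 0.5 ellipse squared radius: {chi2_quantile_2d(0.5):.4f}")
    for p in (0.5, 0.9):
        print(f"fraction of group inside the P = {p} ellipse: "
              f"{fraction_inside_ellipse(APATITE_GROUP, p):.2f}")
```

The same squared-distance threshold is what an outlier test on any two-variable dataset uses: a point whose squared Mahalanobis distance exceeds −2 ln(1 − P) lies outside the P ellipse of its group, which is the test the figure applies when it assigns apatite grains to compositional types.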

Extended Data Fig. 8 Cumulative probability density function plot.

Cumulative probability density function plot of comparative Old Red Sandstone detrital zircon U–Pb datasets (concordant ages) versus the Altar Stone. Proximity between cumulative density probability lines implies similar detrital zircon age populations.

Supplementary information

Supplementary Information 1

Zircon, rutile, and apatite U–Pb data for the Altar Stone and Orcadian Basin samples. A ) Zircon U–Pb data for MS3, 2010K.240, and FN593. B ) Zircon U–Pb data for secondary references. C ) Rutile U–Pb data for MS3. D ) Rutile U–Pb data for secondary references. E ) Session 1 apatite U–Pb data for MS3. F ) Session 1 apatite U–Pb data for secondary references. G ) Session 2 apatite U–Pb data for Orcadian Basin samples. H ) Session 2 apatite U–Pb data for secondary references.

Reporting Summary

Peer Review File

Supplementary Information 2

Apatite Lu–Hf data for the Altar Stone. A) Apatite Lu–Hf isotopic data and ages for thin-section 2010K.240. B) Apatite Lu–Hf data for secondary references.

Supplementary Information 3

Apatite trace elements for the Altar Stone. A) Apatite trace element data for MS3. B) Apatite trace element secondary reference values.

Supplementary Information 4–8

Supplementary Information 4: Summary of analyses. Summary table of analyses undertaken in this work on samples from the Altar Stone and the Orcadian Basin.

Supplementary Information 5: Summary of zircon U–Pb reference material. Summary table of analyses obtained for the zircon U–Pb secondary reference material run during this work.

Supplementary Information 6: Kolmogorov–Smirnov test results. Table of D and P values for the Kolmogorov–Smirnov test on zircon ages from the Altar Stone and potential source regions.

Supplementary Information 7: Kolmogorov–Smirnov test results, with Monte Carlo resampling. Table of D and P values for the Kolmogorov–Smirnov test (with Monte Carlo resampling) on zircon ages from the Altar Stone and potential source regions.

Supplementary Information 8: Summary of apatite U–Pb reference material. Summary table of analyses obtained for the apatite U–Pb secondary reference material run during this work.
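The Kolmogorov–Smirnov comparison tabulated in Supplementary Information 6 and 7, and visualised in Extended Data Fig. 8 as the proximity of cumulative age curves, can be reproduced on small inputs. The block below is an added example, not code from the paper or its supplementary material: it computes the two-sample D statistic as the largest gap between the two empirical cumulative distribution functions and obtains a P value by Monte Carlo resampling. The age arrays are constructed for illustration and are not Altar Stone or Old Red Sandstone data, and the resampling scheme (random re-labelling of the pooled ages, i.e. a permutation test) is an assumption; the paper does not state which resampling scheme it used.

```python
import random
from bisect import bisect_right


def ks_d(sample_a, sample_b):
    """Two-sample Kolmogorov-Smirnov statistic D: the largest vertical gap
    between the two empirical cumulative distribution functions (ECDFs).
    Evaluating at every distinct value handles tied ages correctly."""
    a = sorted(sample_a)
    b = sorted(sample_b)
    d_max = 0.0
    for v in sorted(set(a) | set(b)):
        ecdf_a = bisect_right(a, v) / len(a)   # fraction of a with age <= v
        ecdf_b = bisect_right(b, v) / len(b)
        d_max = max(d_max, abs(ecdf_a - ecdf_b))
    return d_max


def ks_monte_carlo_p(sample_a, sample_b, n_resamples=999, seed=1):
    """Monte Carlo P value for D. Pool both samples, randomly re-label them
    n_resamples times (permutation resampling; an assumption, not necessarily
    the scheme used in the paper) and count how often the resampled D is at
    least as large as the observed one. The +1 terms keep P strictly positive."""
    d_obs = ks_d(sample_a, sample_b)
    pooled = list(sample_a) + list(sample_b)
    n_a = len(sample_a)
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_resamples):
        rng.shuffle(pooled)
        if ks_d(pooled[:n_a], pooled[n_a:]) >= d_obs:
            hits += 1
    return d_obs, (hits + 1) / (n_resamples + 1)


# Constructed detrital-age samples in Ma (illustration only, not measured data).
# X and Y share Caledonian (~420-470 Ma) and Grenvillian (~1000-1100 Ma) peaks;
# Z has no ages below 1500 Ma and so overlaps X only at the old end.
SANDSTONE_X = [420, 450, 470, 1000, 1050, 1100, 1700, 1800]
SANDSTONE_Y = [430, 460, 1020, 1060, 1650, 1750, 1900, 2500]
SANDSTONE_Z = [1500, 1550, 1600, 1650, 1900, 2000, 2100, 2700]

if __name__ == "__main__":
    for name, other in (("Y", SANDSTONE_Y), ("Z", SANDSTONE_Z)):
        d, p = ks_monte_carlo_p(SANDSTONE_X, other)
        print(f"X vs {name}: D = {d:.3f}, Monte Carlo P = {p:.3f}")
```

A small D with a large P (X versus Y above) is the "proximity of cumulative curves" the Extended Data Fig. 8 caption describes; a large D with a small P (X versus Z) is the signature of distinct age populations. With eight grains per sample the test has little power, which is why the grain-count question raised by Vermeesch (2004) in the reference list matters for provenance work.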

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .


About this article

Cite this article

Clarke, A.J.I., Kirkland, C.L., Bevins, R.E. et al. A Scottish provenance for the Altar Stone of Stonehenge. Nature 632 , 570–575 (2024). https://doi.org/10.1038/s41586-024-07652-1


Received: 16 December 2023

Accepted: 03 June 2024

Published: 14 August 2024

Issue Date: 15 August 2024

DOI: https://doi.org/10.1038/s41586-024-07652-1


This article is cited by

Stonehenge’s enigmatic centre stone was hauled 800 kilometres from Scotland

  • Nisha Gaind

Nature (2024)


bioRxiv

Cell size and selection for stress-induced binary cell fusion


In unicellular organisms, sexual reproduction typically begins with the fusion of two cells (plasmogamy) followed by the fusion of their two haploid nuclei (karyogamy) and finally meiosis. Most work on the evolution of sexual reproduction focuses on the benefits of the genetic recombination that takes place during meiosis. However, the selection pressures that may have driven the early evolution of binary cell fusion, which sets the stage for the evolution of karyogamy by bringing nuclei together in the same cell, have seen less attention. In this paper we develop a model for the coevolution of cell size and binary cell fusion rate. The model assumes that larger cells experience a survival advantage from their larger cytoplasmic volume. We find that under favourable environmental conditions, populations can evolve to produce larger cells that undergo obligate binary cell fission. However, under challenging environmental conditions, populations can evolve to subsequently produce smaller cells under binary cell fission that nevertheless retain a survival advantage by fusing with other cells. The model thus parsimoniously recaptures the empirical observation that sexual reproduction is typically triggered by adverse environmental conditions in many unicellular eukaryotes and draws conceptual links to the literature on the evolution of multicellularity.

Competing Interest Statement

The authors have declared no competing interest.


Subject Area

  • Evolutionary Biology

The effect of tailored reciprocity on information provision in an investigative interview

Journal of Criminal Psychology

ISSN : 2009-3829

Article publication date: 19 August 2024

In their study of reciprocity in investigative interviews, Matsumoto and Hwang (2018) found that offering interviewees water prior to the interview enhanced observer-rated rapport and positively affected information provision. This paper aims to examine whether tailoring the item towards an interviewee’s needs would further enhance information provision. This paper hypothesised that interviewees given a relevant item prior to the interview would disclose more information than interviewees given an irrelevant item or no item.

Design/methodology/approach

Participants (n = 85) ate pretzels to induce thirst, engaged in a cheating task with a confederate and were interviewed about their actions after receiving either no item, an irrelevant item to their induced thirst (pen and paper) or a relevant item (water).

Findings

This paper found that receiving a relevant item had a significant impact on information provision, with participants who received water providing the most details, and significantly more than participants that received no item.

Research limitations/implications

The findings have implications for obtaining information during investigative interviews and demonstrate a need for research on the nuances of social reciprocity in investigative interviewing.

Practical implications

Originality/value

To the best of the authors’ knowledge, this study is the first to experimentally test the effect of different item types upon information provision in investigative interviews.

Keywords

  • Reciprocity
  • Information provision
  • Investigative interview
  • Suspect interviewing

Acknowledgements

Funding: The authors would like to acknowledge funding provided by the Centre for Research and Evidence on Security Threats (ESRC Award: ES/N009614/1). CREST is funded in part by the UK Home Office and security and intelligence agencies. The funding arrangements required this paper to be reviewed to ensure that its contents did not violate the Official Secrets Act nor disclose sensitive, classified, and/or personal information. The authors have no known conflict of interest to disclose.

Weiher, L. , Winters, C. , Taylor, P. , Luther, K. and Watson, S.J. (2024), "The effect of tailored reciprocity on information provision in an investigative interview", Journal of Criminal Psychology , Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/JCP-01-2024-0004

Emerald Publishing Limited

Copyright © 2024, Emerald Publishing Limited


UGC NET June 2024 Re-exam Not In Pen & Paper Mode, Check New Exam Pattern

Published By: Sukanya Nandy

Trending Desk

Last Updated: August 18, 2024, 11:07 IST

New Delhi, India

The UGC NET 2024 will take place from August 21 in two shifts -- from 9:30 AM to 12:30 PM and 3 PM to 6 PM (Representational/ File Photo)


NTA has officially confirmed the shift to CBT mode from the earlier offline mode. This change marks a return to the conventional CBT format used by the agency in previous years for the UGC NET examination

The National Testing Agency (NTA) has declared that the re-examination of the UGC NET June 2024 cycle will be conducted online in a Computer-Based Test (CBT) mode. Initially, the exam was conducted by the NTA on June 18 but it was later cancelled by the Ministry of Education. The Education Ministry on June 19 announced that the cancellation of the pen-and-paper UGC NET is due to the possibility of a paper leak. It was eventually discovered that the question paper had been circulated over the dark web two days prior to the test.

During the announcement of the re-examination, the NTA officially confirmed the shift to CBT mode from the earlier offline mode. This change marks a return to the conventional CBT format used by the agency in previous years for the UGC NET examination. The official notice by NTA reads, “The UGC NET June 2024 Cycle examination was previously conducted in Pen & Paper (offline) mode. However, it will now be held in the Computer-Based Test (CBT) mode.”

The exam will take place from August 21 in two shifts — from 9:30 AM to 12:30 PM and 03:00 PM to 6:00 PM. The examination serves as a gateway for multiple purposes such as qualification for a Junior Research Fellowship (JRF), Assistant Professorship, and PhD admissions. Earlier this year, the NTA had initially deviated from this convention by scheduling the June exam in a pen-and-paper format for a single day.

Talking about the exam pattern, the UGC NET exam 2024 comprises two papers: Paper 1 and Paper 2, worth 300 marks. Both papers encompass objective-type, featuring multiple-choice questions (MCQs). Applicants have three hours (180 minutes) to complete both papers. Paper 1 includes 50 questions, while Paper 2 comprises 100 questions, amounting to a total of 150 questions. Notably, there is no negative marking for incorrect responses in the UGC NET exam.

The UGC NET 2024 exam will be conducted online, with question papers available in both English and Hindi. Paper 1 is designed to assess a candidate’s teaching and research aptitude, with questions focusing on reasoning ability, including mathematics, comprehension, Logical Reasoning, Data Interpretation, Information and Communication Technology (ICT), divergent thinking, and general awareness.

  • Security Measures
  • Computer Science and Engineering
  • Computer Security and Reliability
  • Penetration Testing

Penetration Testing and Vulnerability Assessment

  • August 2017

Irfan Yaqoob (Clarkson University)

Nouman Naseer (University of Stavanger (UiS))

Abstract and Figures

Figure (image not reproduced): Phases of Penetration Testing [12]


  1. (PDF) An Overview of Penetration Testing

    penetration testing: testing strategies and testing types used [2]. 3.1 Penetration Testing Strategies Based on the amount of information available to the tester, there are three penetration-testing

  2. A Systematic Literature Review on Penetration Testing in Networks

    In PRISMA, the research strings were first formatted as penetration testing AND network penetration testing, vulnerable port in network OR network security. The search was applied to Google scholar and the Saudi Digital Library and focused on papers published between 2018 and 2022 and related to penetration testing.

  3. Penetration testing: Concepts, attack methods, and defense strategies

    Penetration testing helps to secure networks and highlights security issues. In this paper we investigate different aspects of penetration testing, including tools, attack methodologies, and defense strategies. More specifically, we performed different penetration tests using private networks, devices, and virtualized systems and tools. We predominantly used tools within the Kali Linux ...

  4. A study on penetration testing process and tools

    In this paper we discuss the importance of penetration testing and the factors and components considered while conducting a penetration test; we present a survey of the tools and procedures followed, the role of penetration testing in implementing IT governance in an organisation, and finally the professional ethics to be possessed by the team involved ...

  5. 10000 PDFs

    Explore the latest full-text research PDFs, articles, conference papers, preprints and more on PENETRATION TESTING. Find methods information, sources, references or conduct a literature review on ...

  6. A Systematic Review on Penetration Testing

    PEN testing permits a tester to verify the non-functional as well as the functional aspects of a model, in such a way that it can judge how vulnerable a target is to intrusion attacks. It also helps to check its defense mechanisms in case any attack occurs. This research paper reviews the work proposed by various researchers in the area of ...

  7. (PDF) Overview and open issues on penetration test

    Overview and open issues on penetration test. December 2017; Journal of the Brazilian Computer Society 23(1) ... published research papers are on information security.

  8. PDF A Layered Reference Model for Penetration Testing with Reinforcement

    The paper is structured as follows. First, related work is described in Section II and the RL for penetration testing literature is reviewed in Section III. Then, a layered reference model is defined that hierarchically (and visually) outlines penetration testing with RL and attack graphs in Section IV.

  9. Reinforcement Learning for Efficient Network Penetration Testing

    Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite and resource-consuming despite the use of evolving tools. In this paper, we ...

  10. Overview and open issues on penetration test

    The main contribution of this paper is to provide an overview about the studies on penetration test. This paper is organized as follows. ... Black-box, in contrast, assume that there is no prior knowledge about the environment. Most of the studies and research papers, mainly around vulnerability discovery tools, perform black box tests [32, ...

  11. Autonomous Penetration Testing using Reinforcement Learning

    Penetration testing (pentesting) involves performing a controlled attack on a computer system in order to assess its security. Although an effective method for testing security, pentesting requires highly skilled practitioners, and currently there is a growing shortage of skilled cyber security professionals. One avenue for alleviating this problem is to automate the pentesting process using ...

  12. Automated Penetration Testing : An Overview

    This paper reviews some of the automated penetration testing techniques and presents their enhancements over the traditional manual approaches; it is the first research that takes into consideration the concept of penetration testing and the standards in the area. The use of information technology resources is rapidly increasing in organizations, businesses, and even governments, which has led to ...

  13. Selection of penetration testing methodologies: A comparison and

    This research details a gap analysis of the theoretical vs. the practical classification of six penetration testing frameworks and/or methodologies and an analysis of two of the frameworks was undertaken to evaluate each against six quality characteristics. Cyber security is fast becoming a strategic priority across both governments and private organisations.

  14. A Survey on Web Application Penetration Testing

    The current study analyzed research on the subject of penetration testing, and mainly web penetration testing. Since manual penetration testing is inefficient in terms of time, money, and effort, its automated counterpart was examined. ... Papers that do not address risks or penetration testing tools. Papers published between January 2018 and ...

  15. A Systematic Literature Review on Penetration Testing in Networks

    Network penetration testing is a type of security assessment used to find risk areas and vulnerabilities that threaten the security of a network. Thus, network penetration testing is designed ...

  16. California State University, San Bernardino CSUSB ScholarWorks

    Mamilla, Sushmitha Reddy, "A Study of Penetration Testing Processes and Tools" (2021). Electronic Theses, Projects, and Dissertations. 1220. https://scholarworks.lib.csusb.edu/etd/1220. This Project is brought to you for free and open access by the Office of Graduate Studies at CSUSB ScholarWorks. It has been accepted for inclusion in Electronic ...

  17. penetration testing Latest Research Papers

    Penetration testing is an active network intrusion detection technology, which plays an indispensable role in protecting the security of the system. This paper mainly introduces the principle of penetration testing, summarizes the current cutting-edge penetration testing technology, and looks forward to its development.

  18. Vulnerability Assessment & Penetration Testing as a Cyber Defence

    2. Vulnerability Assessment and Penetration Testing Vulnerability Assessment and Penetration Testing is a step-by-step process. Vulnerability assessment is the process of scanning a system, software, or network to find the weaknesses and loopholes in it. These loopholes can provide a backdoor for an attacker to attack the victim.

  19. Web Application Safety by Penetration Testing

    Vulnerability Assessment and Penetration Testing is a special approach to eliminate various security threats from a web application. Focusing on high-risk vulnerabilities such as SQL Injection, Cross Site Scripting, Local File Inclusion, and Remote File Inclusion, in this paper we have surveyed the literature to study the general mechanics of VAPT ...

  20. PDF RESEARCH PAPER A study on Penetration Testing Using Metasploit ...

    ...types of penetration testing: network, application and social engineering. This paper discussed a three-phase methodology consisting of test preparation, test, and test analysis phases. The test phase is done in three steps: information gathering, vulnerability analysis, and vulnera... This phase can be done manually or u...

  21. What Is Penetration Testing? Definition & Best Practices

    Penetration testing—or pen testing—is a sanctioned simulation of cyberattacks organized by a business in order to identify vulnerabilities and potential exploits in their computer systems ...


  24. Ethical Hacking and Penetration Testing: Securing ...

    Ethical hacking, often known as penetration testing, is the process of attempting to uncover weaknesses in computer systems, applications, and networks with the help of authorized individuals. The ...


  27. (PDF) A Survey on Web Application Penetration Testing

    Furthermore, web penetration testing refers to testing web-based applications, including thin client applications, file transfers, appliances, and portals, to discover vulnerabilities prone to ...


  29. (PDF) Penetration Testing and Vulnerability Assessment

    This paper gives the best overview of VAPT and describes the different processes and methodologies of Vulnerability Assessment and Penetration Testing. Fig: Phases of Penetration Testing [12] ...