For many years, the status quo for penetration testing and vulnerability assessments seems to have been to scan for external vulnerabilities and run a penetration test against the firewall(s). This approach has been ingrained for years in the minds of many companies, IT management, Information Security Officers, CIOs and network admins as "best practice" for the security of their network.
And while this approach isn't a bad one, it's a bit outdated, and it fails to address the fact that most threats today parachute directly inside the network via wireless, phishing emails, vishing, server exploitation (ransomware, cryptojacking) or other threats that completely circumvent the network perimeter.
The main objective of penetration testing is to identify security holes in your external, internal, wireless and physical access defenses, as well as weaknesses among your staff.
Penetration testing can also be used to test an organization's IT department's security policies and their adherence to compliance requirements, its employees' security awareness, and the organization's ability to identify and respond to security incidents.