Which activity is not described as part of cybersecurity auditing?

In cybersecurity auditing, the focus is on evaluating whether security controls are properly designed and operating effectively, using evidence gathered from documentation reviews, interviews, and testing of how controls perform. Penetration testing, on the other hand, is an offensive security activity that simulates real-world attacks to discover vulnerabilities by attempting to breach systems. While the results of a penetration test can inform an overall security program, the act of actively exploiting systems is not typically described as part of the auditing process itself. Auditors aim to validate that controls exist and function as intended and to identify gaps or blind spots, rather than to exploit defenses to break in. Independent assessment, validating controls, and identifying blind spots all align with audit objectives, making them standard auditing activities.