Definition of a goal is required to determine the measure of success! When is a penetration test successful? Is the test successful if access could be obtained to a sensitive document? Should the team have been able to change the document? Is the test successful if the team could crash the system?
The answers to these questions depend on the security aspect the customer is interested in: confidentiality, integrity, availability or a combination of these aspects.
Most of the tests focus on confidentiality and integrity and the test is successful if unauthorized access has been obtained to sensitive data.
Recently there has been more interest in the availability of systems. A typical test that focuses on this security aspect is the "Denial Of Service (DOS) Test". However it appears to be very difficult to protect systems against DOS attacks especially if these attacks are done from many systems at once (DDOS) and if the bandwidth of the customer is limited.
It is also important to specify whether the objective of the test is to prove whether or not it is possible to get access to a network or system ("Evidential Test") or that the objective is to identify all vulnerabilities in a system that can be found within a given period. The latter is the one that is most frequently used.