An organization is evaluating its network security posture. As part of a threat assessment, which of the following activities would BEST help the organization identify a potential attacker's ability to exploit a publicly disclosed software vulnerability, assuming the attacker's perspective?
Auditing user rights and permissions
Conducting a penetration test
Performing a vulnerability assessment
Reviewing security policies and documentation