DoS testing verifies application availability under attack conditions: rate-limiting effectiveness, service degradation, and recovery. It requires explicit, specific authorization.
DoS testing authorization must be very specific: exact systems, attack types, timing, and impact acceptance. Never DoS test without written approval that includes acceptable impact thresholds. Application-layer DoS (Slowloris, HTTP flood) is often more revealing than volumetric testing; it tests application resilience specifically.