The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art; however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., usage of disaster/recovery mechanisms).