What Is Proof of Concept (PoC)?
TL;DR: A proof of concept (PoC) is a small-scale demonstration built to answer one question: does this actually work? It's not a finished product — it's the minimum effort needed to prove that an idea, a technical approach, or a security vulnerability is real before anyone invests further time or money into it. In cybersecurity specifically, a PoC usually refers to a working demonstration that a reported vulnerability can actually be exploited, not just theorized about.
What a Proof of Concept Actually Is
A proof of concept exists to de-risk a decision before real resources go into it. Rather than building a full product, feature, or fix and hoping it works, a PoC tests the riskiest or most uncertain assumption first, in the cheapest way possible. If the core idea doesn't hold up, that gets discovered at the PoC stage — not after months of full development.
This is why a PoC is judged on a narrow question rather than overall polish: does the underlying mechanism, approach, or claim actually work? Everything else — user experience, scalability, edge cases — is deliberately out of scope at this stage.
Proof of Concept vs. Prototype vs. MVP
These three terms get used interchangeably, but they answer different questions:
- Proof of concept answers "does this work at all?" It's typically not user-facing and isn't meant to be shown to customers — it's an internal or technical validation step.
- Prototype answers "what would this look and feel like?" It's a rougher, often non-functional model built to test usability, design direction, or workflow, once the underlying concept is already validated.
- Minimum viable product (MVP) answers "will people actually use and pay for this?" It's a working, if limited, version of the real product released to real users to test market demand.
The typical order is PoC first, then prototype, then MVP — though not every project needs all three depending on what's already known and what's actually uncertain.
What a Strong Proof of Concept Includes
- A clearly defined objective. What specific question or assumption is this PoC meant to answer — nothing broader.
- Success criteria set in advance. What result would count as "this works" versus "this doesn't," decided before the PoC is built, not after.
- A limited, controlled scope. Enough to test the core mechanism, and no more — a PoC that tries to also solve for scale, edge cases, or polish stops being a PoC.
- Documented results. A record of what was tested, what happened, and what it does or doesn't prove — this is what gets used to justify (or kill) further investment.
Proof of Concept in Cybersecurity
In a security context, "PoC" carries a more specific meaning: it's a working demonstration that a reported vulnerability is real and exploitable, not just a theoretical concern. When a bug bounty researcher submits a finding, a PoC is usually what separates a report that gets taken seriously from one that gets closed as unverifiable.
A strong security PoC typically shows:
- The exact steps or payload needed to trigger the vulnerability
- The concrete impact — what an attacker actually gains (data access, privilege escalation, funds at risk), not just that a flag was technically tripped
- Reproducibility — enough detail that the receiving security team can independently confirm the issue themselves
This is also where PoCs require careful handling: a PoC should demonstrate that an exploit works without being weaponized into something ready for real-world misuse. Responsible disclosure practice generally means sharing enough proof to validate the finding with the affected party privately, not publishing exploit code before a fix is in place.
Conclusion
A proof of concept is deliberately unglamorous — it's not meant to impress anyone, only to answer whether an idea or a vulnerability is real before anyone commits further resources to it. Whether it's validating a new technical approach or proving a reported bug is genuinely exploitable, the same principle holds: prove the core claim first, cheaply, before building or fixing anything further.