This Google Cloud Platform security best practice is part of the Vulnerability and Threat Management security domain.

Vulnerabilities for their impact on identified risks shall be analyzed. Technical vulnerabilities shall be aligned with / inform risks in the risk register and the effectiveness of controls. Customer to integrate with their risk management solution.

Regularly scheduled penetration testing of it’s perimeter and public-facing environment shall be conducted.

As customers plan to evaluate the security of their GCP infrastructure with penetration testing, they are not required to contact Google to begin testing.
Customers will have to abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that tests only affect their projects (and not other customers’ applications). If a vulnerability is found, Customers can report it via the Vulnerability Reward Program.