Complete 2021 Guide: Types of Penetration Testing

By Phoebe Fasulo

Posted on Mar 15, 2021

As cybercriminals continue to seek new methodologies for gaining access to mission-critical resources, organizations need to maintain their controls’ effectiveness. A single vulnerability can lead to a catastrophic data breach. For example, a single server with the default password still in use can give malicious actors a way to gain access to a company’s entire connected infrastructure. Most organizations engage in penetration testing to monitor whether their controls effectively protect data, but many types of pen testing exist, so knowing what each one does can give you a better understanding of how to protect information.

What is penetration testing?

Penetration testing, also called "pen testing" or "ethical hacking," is when an organization authorizes an internal team or third-party organization to simulate an attack on systems and sensitive data to detect security control vulnerabilities and weaknesses.

The people engaging in the simulation, often referred to as “pen testers,” try to “break into” a company’s systems, networks, and software by looking for vulnerabilities in the following areas:

  • Servers
  • Network endpoints
  • Wireless networks
  • Network security devices
  • Mobile and wireless devices
  • Web applications

Although pen testers are hired by an organization, they need to act like malicious actors, which means they try to simulate the attack undetected. To do this, they often use the same attack methodologies as malicious actors, including:

  • Operating system backdoors
  • Misconfigurations in cloud-based applications and services
  • Social engineering tactics
  • Weak passwords or unencrypted passwords

Why is it important to define the scope for a pen test?

Since the pen test looks to find security vulnerabilities, organizations often start by defining the simulation’s scope. Setting the scope of the penetration test means defining the systems, software, networks, applications, databases, accounts, people, and physical security controls on which the pentester should focus.

Most organizations use their risk analyses to help define the scope. The highest risk assets should be included since real malicious actors will most likely target those first. However, you also need to consider low-risk assets that might allow someone to obtain unauthorized access and then move within your infrastructure.

For example, a corporate website may not be high risk from a data sensitivity point of view. However, if an administrator uses the same password for the website and privileged account, gaining access to the website would allow a malicious actor to use that information to gain privileged access to high-risk data or systems.

When setting the scope of the penetration test, some questions that can help include:

  • Is the test intended to determine how well current threat monitoring capabilities function or is it to locate a specific flawed internal process?
  • Is there a specific risk or set of risks that need to be addressed?
  • Is this to meet a compliance requirement?
  • Is this to test a new product?
  • Does the test need to happen within a certain time frame?
  • Are all the critical applications included?
  • Are all storage areas containing sensitive data included?
  • Will the test take place onsite or offsite?
  • How many IP addresses need to be included in the test?
  • Will the WAF/IDS make the test take longer?
  • Will the test be done in the production environment?
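The scoping answers can also be written down in a form that tooling checks before a host is touched. The sketch below is an added example, not part of the original article: the `Scope` class, its field names, the address ranges (RFC 5737 documentation networks) and the dates are all constructed assumptions. It counts the in-scope IP addresses, enforces the agreed time frame, and sets aside hosts found outside the agreed ranges for a scope decision instead of testing them.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


def _nets(cidrs):
    """Parse CIDR strings into network objects (IPv4 only in this sketch)."""
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Scope:
    """Agreed test scope. Field names are hypothetical, chosen for this example."""
    in_scope: list          # ranges named in the statement of work
    special_handling: list  # critical systems: testable, but owner is notified first
    excluded: list          # ranges that must never be touched
    window_start: datetime  # agreed time frame
    window_end: datetime

    def address_count(self):
        """Answer 'how many IP addresses are included', net of exclusions."""
        remaining = list(ipaddress.collapse_addresses(_nets(self.in_scope)))
        for ex in ipaddress.collapse_addresses(_nets(self.excluded)):
            kept = []
            for net in remaining:
                if ex.subnet_of(net):
                    # Carve the excluded block out of the larger in-scope block.
                    kept.extend(net.address_exclude(ex))
                elif not net.subnet_of(ex):
                    kept.append(net)  # disjoint from the exclusion, keep whole
            remaining = kept
        return sum(n.num_addresses for n in remaining)

    def classify(self, host, when):
        """Decide what the rules of engagement say about one host at one time."""
        if not (self.window_start <= when <= self.window_end):
            return "outside-window"
        ip = ipaddress.ip_address(host)
        if any(ip in n for n in _nets(self.excluded)):
            return "excluded"
        if any(ip in n for n in _nets(self.special_handling)):
            return "special-handling"
        if any(ip in n for n in _nets(self.in_scope)):
            return "in-scope"
        return "out-of-scope"


def triage(scope, discovered, when):
    """Group discovered hosts by classification; 'out-of-scope' entries are
    candidates for a scope change or a documented limitation, not for testing."""
    buckets = {}
    for host in discovered:
        buckets.setdefault(scope.classify(host, when), []).append(host)
    return buckets


# Constructed sample scope and discovery results.
SCOPE = Scope(
    in_scope=["192.0.2.0/24", "198.51.100.0/28"],
    special_handling=["192.0.2.10/32"],
    excluded=["192.0.2.128/25"],
    window_start=datetime(2021, 3, 15, 9, 0),
    window_end=datetime(2021, 3, 26, 17, 0),
)
DISCOVERED = ["192.0.2.55", "192.0.2.10", "192.0.2.200", "203.0.113.7"]

if __name__ == "__main__":
    print("in-scope addresses:", SCOPE.address_count())
    for label, hosts in triage(SCOPE, DISCOVERED, datetime(2021, 3, 16, 10, 0)).items():
        print(f"{label}: {hosts}")
```
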

What are the different approaches to pen testing?

The scope of the pen test defines the approach the pen tester will take. To get a better understanding of how the two are related, it helps to understand the three main approaches to pen testing.

Black box

A black box test, also called external penetration testing, simulates a real-life cyber attack situation by providing the tester with no information about the target asset. Since cybercriminals rarely know a company’s network architecture or proprietary application code, black box testing can create the most authentic simulation. This approach is often used to determine how secure an application is.

Three prominent types of black box pen tests exist:

  • Functional testing: focuses on compliance with system requirements as part of quality assurance
  • Non-functional testing: focuses on performance metrics like reliability and scalability
  • Regression testing: focuses on ensuring code fixes, upgrades, or other maintenance requirements did not affect the underlying code

White box

White box testing, also called “clear box testing,” often supports other types of pen tests when an organization needs to improve a metric, suspects an area needs additional testing or needs to enhance security. Since the organization is looking for specific insight, it makes the code visible to the pen testers so that they verify the software for:

  • Security holes
  • Problems with structured paths
  • Flow of inputs
  • Expected outputs
  • Conditional loop functionality

The two most prominent types of white box testing are:

  • Unit testing: focuses on individual units or blocks of code as they are developed
  • Memory leak testing: focuses on quality assurance to speed up an application

Gray box

Gray box testing blends white and black box approaches by giving the pen testers some information about the application’s internal structure so that they can search and identify potential code defects. Often, gray box pen testing offers a better likelihood of detecting a security weakness than the other two approaches.

Unlike white and black box testing, gray box testing has no specific types associated with it.

How many types of penetration testing are there?

Each of these approaches to testing can be done across an array of areas. The scope that defines the purpose of the test will also include the type of test.

Network services

With connectivity a primary business need, companies need to ensure that they secure their networks, making this one of the most common testing types. The pen tester looks to find security weaknesses or vulnerabilities in the network infrastructure, including:

  • Servers
  • Firewall configurations
  • Firewall bypass
  • Stateful analysis
  • IPS evasion
  • Switches
  • Routers
  • Printers
  • Workstations

Additionally, the network pen test needs to examine the data that travels from an origin point to the designated destination. These data units, called packets, can include:

  • Secure shell (SSH)
  • SQL server
  • MySQL
  • Simple Mail Transfer Protocol (SMTP)
  • File Transfer Protocol (FTP)
  • Microsoft Outlook login pages

Process of penetration testing network services

First, network pen testers need to understand the organization’s digital footprint and assets. This includes looking for information on:

  • Social media
  • Search engines
  • Domains that the company registered and owns
  • Corporate website

Next, the tester does reconnaissance to discover live hosts and services by engaging in:

  • Port scanning
  • IP scanning
  • DNS lookup
  • Service fingerprinting
  • Service enumeration
  • Operating system identification

Finally, the test discovers and exploits vulnerabilities by either manually engaging in or using automated tools for:

  • Service scanning
  • Vulnerability scanning
  • Manual checks
  • Vulnerability exploitation
  • Escalation of privileges
  • Account hash dumping
  • Shell code injection

Tools used in network penetration tests

Although some processes are manual, most pen testers also use automated tools. Some of the most used tools are:

  • Network Mapper (Nmap): takes raw data packets so that the tester can pinpoint weaknesses
  • Metasploit: a customizable tool with built-in exploits that also displays results for rapid analysis
  • Wireshark: network protocol and data packet analyzer that provides easy-to-read results
  • ZMap: free network scanner that gathers information

Web application

A web application penetration test uses manual or automated processes to simulate an attack against a web application to identify potential vulnerabilities, security weaknesses, or other ways that a malicious actor can gain unauthorized access. Organizations adopt web applications because they enable collaboration, especially for a remote workforce. However, they store, transmit, and process sensitive data and can leave that information publicly exposed if a coding error exists.

Companies developing software should engage in web application pen testing as part of the software development lifecycle (SDLC). Organizations that purchase Software-as-a-Service (SaaS) solutions should engage in web application testing as part of their vendor risk management due diligence processes.

Process of penetration testing web applications

First, pen testers need to engage in reconnaissance or information gathering. During this phase, two methods exist:

  • Passive reconnaissance: using publicly available information from the internet without directly interacting with the application
  • Active reconnaissance: simulating attacks by directly interacting with an application, often using scanners, cross-site scripting, or special requests that retrieve information

Second, pen testers use the information gathered to engage in threat modeling, which means that they think about how to exploit the vulnerabilities discovered in the reconnaissance stage. The four stages of threat modeling are:

  • Diagramming: showing how the system is built
  • Threat enumeration: detailing the attack methodologies that can be used, such as SQL injection or cross-site scripting
  • Mitigation: detailing activities that might reduce risk
  • Verification: ensuring risk reduction activities occurred

Third, web application pen testers use their threat model to try to exploit vulnerabilities or flaws.

Fourth, web application pen testers write a business-level report detailing their findings and expressing their recommendations.

Finally, the organization prioritizes the risks discussed in the report to strategically remediate the weaknesses, starting with high priority risks.

Tools used in web application penetration tests

Some tools used in web application testing are the same as those used in network testing, but many are unique to this type of test. Additionally, pen testers use different tools for different steps in the process.

Reconnaissance tools

The passive and active reconnaissance phases use different tools because they provide different information.

Passive reconnaissance tools include:

  • Google: targeted searches such as “site:*” provide information about subdomains that might point to applications
  • Certificate transparency logs: give visibility into certificates issued for a domain that can show potential security issues
  • Security ratings platforms: scan publicly available information across multiple domains and return easy-to-read results
  • Spyse: enables you to input a domain and retrieve a list of subdomains with site titles and IP addresses
  • Watcher: a plug-in for Fiddler HTTP proxy that locates security bugs during development

Active reconnaissance tools include:

  • Burp Suite: a proxy-based tool that enables hands-on testing to locate vulnerabilities
  • Hydra: password cracking tool used to simulate brute force attacks
  • Skipfish: web application scanner that provides an interactive site map that includes a list of active security checks
  • SQLMap: an open-source tool that detects application flaws that could lead to SQL attacks
  • W3af: open-source web application scanner that can detect SQL injection, cross-site scripting, guessable credentials, unhandled application errors, and PHP misconfiguration vulnerabilities
  • Wfuzz: a tool used to simulate brute force attacks

Exploit tools

The exploit phase goes beyond gathering information to start interacting with the web application.

Exploit tools include:

  • Hashcat: open-source password cracking tool that simulates brute force attacks
  • PowerShell: Microsoft automation tool that can be used to simulate scripting attacks


Client-side

In a client-side penetration test, pen testers look for vulnerabilities in the software on users’ workstations because they have legitimate access to the corporate network and also connect to the public internet. These tests are also referred to as “inside tests” because the pen testers do not need to try to break through network protections like firewalls as the devices are already connected to the target network.

Some examples of client-side software that cybercriminals can use for attacks include:

  • Internet Explorer
  • Email
  • Web browsers like Firefox, Internet Explorer, and Chrome
  • ActiveX/Plugin
  • Java
  • Instant messaging applications
  • P2P/VOIP
  • Media players
  • Office Suite
  • Desktop search
  • Anti-virus software
  • File sharing applications

Since attacking workstations means bypassing more robust controls, cybercriminals continue to look for new vulnerabilities in these applications, making client-side pen tests more important than ever.

Process of client-side penetration testing

Similar to other types of pen testing, client-side tests begin with information gathering. As part of this, the testers engage in the following activities:

  • Spamming: attempting to harvest emails, similar to business email compromise attacks
  • User profiling: developing expected computer behaviors for groups of users to set as baselines for detecting anomalies
  • Passive fingerprinting: monitoring and capturing network traffic information for individual access points or devices for patterns that can indicate anomalies
  • Active fingerprinting: interacting with either a target person or entity by calling, emailing, or sending packets to software, devices, and systems with a network scanner

Second, the pen testers set up an attack simulation by selecting a target and customizing the attack. Since client-side tests focus on workstations inside the network, the pen testers need to focus more directly on who would be the target user type, what types of devices/software/systems would be targeted by malicious actors, and how the exploit would work.

Third, the pen testers deploy the attack simulation either by sending fake phishing emails or attempting to exploit the weakness they wanted to focus on based on their information gathering.

Tools used in client-side testing

Although many of the same tools used in other types of testing can be applied to client-side tests, the following are particularly effective for this type:

  • Browser Exploitation Framework (BeEF): a tool for locating client-side attack vectors by exploiting web browsers
  • CANVAS: automated exploit tool with pre-configured exploits


Wireless

A wireless penetration test looks for vulnerabilities malicious actors can use to launch automated attacks against access points, such as switches, hubs, or devices. Vulnerabilities can include:

  • Misconfigured access points
  • Weak security protocols
  • Lack of encryption

Process of wireless penetration testing

First, pen testers need to engage in reconnaissance using a process called “War Driving,” where they drive a vehicle around a location to detect WiFi signals.

Second, they scan or identify networks and try to capture packets so they can start “listening” to wireless traffic.

Third, pen testers focus on finding vulnerabilities in WiFi access points by trying to authenticate to them.

Fourth, they exploit any vulnerabilities located in the WiFi access points by engaging in some of the following activities:

  • De-authenticating legitimate clients: disconnecting a device or server from the WiFi and monitoring its reconnection
  • Documenting information: gathering data about the connection, such as channel number, the time elapsed, MAC address
  • Attempting a dictionary attack: running automation to find client passwords

Tools used in wireless testing

Since wireless testing focuses on access points, it uses different types of tools than other penetration test types, including:

  • Aircrack: a set of command-line tools for monitoring, attacking, testing, and cracking WiFi networks
  • Airsnort: a tool for passively monitoring wireless transmissions and cracking encryption keys
  • Kismet: a tool that detects, sniffs, enables wardriving, provides a wireless intrusion detection (WIDS) framework, and works with WiFi interfaces and Bluetooth interfaces
  • NetStumbler: free Windows tool used for wardriving, verifying network configurations, finding locations, and detecting unauthorized access points

Social engineering

During a social engineering penetration test, pen testers use the same type of phishing email processes and other social engineering tactics as malicious actors to test whether employees follow the organization’s policies and practices.

Process of social engineering penetration testing

First, pen testers gather information to determine what types of messages might be most effective within an organization, which includes reviewing:

  • Services the company offers
  • Interactions between different departments
  • Publicly available information
  • Employee information
  • Company information

Second, they decide how to send the message, track responses, monitor activity, and develop content.

Third, pen testers put together lists of users that they want to target, then configure and schedule their campaigns.

Fourth, they engage in the initial exploits such as:

  • Establishing baseline access through payloads
  • Setting up command and control servers
  • Inserting malicious scripts
  • Identifying additional vulnerable targets
  • Establishing persistence

Fifth, they engage in secondary exploits such as:

  • Attempting to bypass user access controls
  • Identifying additional vulnerabilities
  • Taking advantage of users’ excess access
  • Compromising connected systems

Sixth, they simulate data exfiltration by reviewing but not downloading information such as:

  • Local data repositories
  • Mapped drives
  • Databases
  • File sync folders

Finally, they disengage from the systems by:

  • Terminating sessions
  • Gathering evidence
  • Preventing continued contact

Tools used in social engineering tests

Because social engineering pen tests focus on exploiting people’s emotional weaknesses, this type of pen tester uses Open Source Intelligence (OSINT) to collect information. Some popular OSINT tools include:

  • Maltego: a tool for finding the relationships between people, companies, domains, and publicly accessible information that automates public data source searches
  • Recon-ng: a Python-based tool that testers can use to automate public data searches
  • Shodan: a search engine used to locate devices connected to a network, including computers, routers, servers, and IoT devices

Physical engineering

Physical engineering is a type of pen test where the testers attempt to “break into” a building during working hours to determine whether protections like locks, credentials, and practices around visitors have any vulnerabilities.

Process of physical engineering penetration testing

First, the pen testers look at all areas of the physical premises that could create a security risk and create a map, including:

  • Fire escapes
  • Windows
  • Doorways
  • Basements
  • Garages

Second, they look for any places where malicious actors could pick locks to gain entrance to the facility, such as:

  • Traditionally keyed entrances
  • Electronic locks with PIN codes
  • Combination locks
  • Key card entrances

Third, they look for similar types of physical security weaknesses inside the building, including:

  • Server storage areas
  • Physical record storage
  • Windows that can give distance visual access to sensitive information
  • Conference and board rooms
  • Executive offices

Fourth, they use technologies that can be used for corporate espionage or data theft from inside an organization, such as:

  • Wiretapping
  • Breaking the encryption on radio-frequency ID (RFID) tags
  • Looking for unused network jacks

Fifth, they look for potential physical security weaknesses caused by employees, such as:

  • Being allowed into the building without the appropriate identification
  • Looking over employees’ shoulders while they are at their desks
  • Examining dumpsters for unshredded information

Tools used in physical engineering tests

Since physical engineering tests focus on building security, pen testers use commonly found tools like:

  • Cameras: to document findings
  • Night vision goggles: to use as part of testing overnight security
  • Binoculars: to look through windows and entryways from a distance for gathering information about office layout and employee behaviors
  • Radio devices: to talk to associates when attempting a multi-person “break-in”
  • Lockpicking kit: to break physical locks on doors

What should good penetration testing include?

Every penetration test needs to balance depth and breadth. To find the right balance, you need to work with your pen tester and create a focused plan. The plan needs to include everything from the assets included in the test to the reportable outcomes.

Initial engagement

As part of the initial engagement, you want to start by thinking about the qualifications you want the team to have. From an enterprise perspective, you should consider any unique assets in your IT stack, such as internally developed applications, mainframes, or uncommon networking protocols. Then, you should review the risk these assets pose from both a security and privacy perspective. Any high-risk assets should be included as part of your penetration test, so you want to make sure that the team you choose has experience with them.

Assign responsibilities

As part of the scoping process, you defined the assets that the team needs to test. You also need to assign internal responsible parties. As part of this process, you want to consider the people in your organization who you consider:

  • Relevant risk owners
  • Staff responsible for and knowledgeable about target systems

Then, you want to make sure that each responsible party outlines areas of special concern and technical boundaries.

Additional information that you want to provide as part of this process includes:

  • Most recent penetration test results
  • Issues that might impact testing
  • Critical systems requiring special handling

Testing process

A penetration test is not a “set it and forget it” process. You should assign a responsible technical party to work closely with the team, one who can respond to any critical issues that need immediate remediation or resolve issues that impede the testing process.

As the team continues to poke at your security controls, they may need to change the scope of the test. Sometimes, pen testers may identify additional systems or components whose impact on the in-scope systems requires them to do more work. At this point, they may suggest broadening the scope or indicate that the report has to include these as a limitation of the testing.

In other words, you may need to make a decision between increasing the costs associated with the testing process or including a notice in the report that you chose to accept the risk by not testing these systems.

Report and remediation

Finally, your testing team will provide a report that lists security issues uncovered. Once you review the report, you need to prioritize remediation actions based on vulnerability severity, starting with the riskiest weaknesses.

What should the penetration test report include?

The penetration test process is the first step. The report provides all the information necessary to respond to any findings. Similar to a regulatory compliance audit report, the pen test report has several parts to it.

Executive summary

This section offers a high-level summary intended for the executive team, including weaknesses, risk impact, and suggested remediation prioritization.


This section gives the report context and summarizes the original statement of work.

Penetration testing team information

This section gives the name, email address, and phone number of the people performing the test and is often used to meet compliance requirements.

Tools used

The report should include the tools used so that the IT team can reproduce the findings as they work to remediate the weaknesses.

Summary of findings

This section, often including graphs, details the vulnerabilities by grouping them based on the risk and remediation effort required. Additionally, the reports often enable budget justifications.

Findings prioritization

This section should include two different types of prioritization. First, the report should prioritize findings based on the risk a vulnerability poses to the organization’s security posture. Second, it should prioritize findings based on importance and relevance.

Finding references

To help the IT team remediate weaknesses, the report should include links to resources that provide additional technical information such as OWASP, MITRE, or CVE websites.

Recreation steps

The IT team may need to recreate the steps to finding the vulnerability so that they can understand how to find the issue as part of the resolution process.

Remediation suggestions

This section includes the best practices and actions necessary to remediate the findings.

How often should full penetration testing be performed?

Most regulatory and industry compliance requirements suggest “at least annually.” However, organizations in industries that malicious actors target more frequently, such as financial services or healthcare, may want to do them more than once a year.

How long does a penetration test take?

Depending on the penetration test’s scope, it can take on average between one and three weeks. The more systems incorporated in the test, the longer the test will take. Additionally, the more out-of-scope systems and components that the pen testers find during the test, the longer the test may take.

How much can a penetration test cost?

Although penetration test costs rely on the organization’s IT infrastructure complexity, the average cost is usually between $15,000 and $30,000. In extremely complex IT stacks, the cost can be as high as $100,000. For limited engagements, the cost can be as low as $2,900.

SecurityScorecard enables continuous monitoring between pen tests

Penetration testing provides an in-depth review of your organization’s security posture. However, the costs and time associated with completing them mean that they can only be completed once or twice a year. Meanwhile, your IT ecosystem continuously changes, making it essential that you continuously monitor for new vulnerabilities.

SecurityScorecard’s security ratings platform gives you an outside-in look at your current security posture and provides easy-to-understand ratings based on an A-F scale. We monitor across ten categories of risk, giving you an at-a-glance look at mission-critical security risks. We enable organizations to detect and mitigate new risks that can arise between penetration tests but also help customers identify assets that need to be included in future tests.
