Types of Penetration Testing: Which One Do You Need?

The first question I ask when someone rings up wanting a pen test is "what are you trying to protect?" Not what standard they need to comply with. Not what their IT provider told them. What keeps them awake at night. Because what actually matters is where your risk sits, and buying the wrong type is a waste of money.
A company running a customer-facing web application needs application testing. A professional services firm with 40 staff and a standard office network needs external and internal infrastructure testing. A fintech company with a public API needs API testing. Getting the scope right is more important than getting a good price.
External infrastructure testing
External testing examines what an attacker can see and reach from the internet. Your public IP addresses, the services running on them, and whether any of those services have exploitable vulnerabilities.
I start by mapping the external perimeter: which ports are open, what software is running behind them, and whether any of it is outdated. Then I attempt to exploit anything I find. An outdated VPN appliance with a known authentication bypass. A web server returning verbose error messages that reveal the internal file structure. An email server that accepts relay requests from any sender (an open relay).
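The last item is a good illustration of what "attempt to exploit" means in practice, because the check is the protocol exchange itself. Below is an added example (not the page's own tooling) of an open-relay check in Python: it talks SMTP to the target, sends MAIL FROM and RCPT TO for domains the server has no reason to accept, and reports whether the server says 250 to the foreign recipient. The host, sender and recipient names are placeholder assumptions, and the scripted server at the bottom is a constructed stand-in so the check runs offline; against a real host on an engagement you would pass in `socket.create_connection((host, 25))` instead.

```python
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply, following multi-line replies ('250-...' then '250 ...')."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def _send(wfile, rfile, command, transcript):
    """Send one command, record both sides of the exchange, return the reply code."""
    transcript.append("C: " + command)
    wfile.write((command + "\r\n").encode())
    wfile.flush()
    code, lines = _read_reply(rfile)
    transcript.extend("S: " + line for line in lines)
    return code


def open_relay_check(sock, helo="probe.example.net",
                     mail_from="probe@example.net",
                     rcpt_to="relay-test@example.org"):
    """Return (relays, transcript).

    'relays' is True when an unauthenticated sender can name a recipient in a
    domain the server does not host and get 250 back at RCPT TO.  The session
    is reset before QUIT, so no message is ever queued.  Sender and recipient
    domains are placeholders: use ones the target does not serve.
    """
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    transcript = []
    code, lines = _read_reply(rfile)                      # greeting banner
    transcript.extend("S: " + line for line in lines)
    relays = False
    if code == 220:
        steps = [("EHLO " + helo, 250),
                 (f"MAIL FROM:<{mail_from}>", 250),
                 (f"RCPT TO:<{rcpt_to}>", 250)]
        for command, expected in steps:
            if _send(wfile, rfile, command, transcript) != expected:
                break
        else:
            relays = True                                 # every step accepted
        _send(wfile, rfile, "RSET", transcript)
    try:
        _send(wfile, rfile, "QUIT", transcript)
    except ConnectionError:
        pass
    return relays, transcript


# --- constructed stand-in server so the check can be exercised offline -------

RELAY_OPEN = {"EHLO": "250-mx.example.com\r\n250-STARTTLS\r\n250 SIZE 10240000",
              "MAIL": "250 2.1.0 Ok", "RCPT": "250 2.1.5 Ok",
              "RSET": "250 2.0.0 Ok", "QUIT": "221 2.0.0 Bye"}
RELAY_CLOSED = dict(RELAY_OPEN, RCPT="554 5.7.1 <relay-test@example.org>: Relay access denied")


def _scripted_server(sock, replies):
    """Answers each SMTP verb from `replies`; test scaffolding, not a mail server."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    wfile.write(b"220 mx.example.com ESMTP (constructed test server)\r\n")
    wfile.flush()
    for raw in rfile:
        verb = raw.decode().split()[0].split(":")[0].upper()
        wfile.write((replies.get(verb, "500 5.5.1 Command unrecognized") + "\r\n").encode())
        wfile.flush()
        if verb == "QUIT":
            break
    sock.close()


def run_against_scripted_server(replies):
    """Run the check over a socketpair with the scripted server on the far end."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=_scripted_server, args=(server, replies), daemon=True)
    worker.start()
    try:
        return open_relay_check(client)
    finally:
        client.close()
        worker.join(timeout=2)


if __name__ == "__main__":
    for name, script in (("open relay", RELAY_OPEN), ("relay refused", RELAY_CLOSED)):
        relays, transcript = run_against_scripted_server(script)
        print(f"{name}: relays={relays}\n" + "\n".join(transcript))
```

Some servers accept the foreign recipient and only refuse at DATA; if you need to distinguish that from a true relay, extend the check to send DATA and treat a 354 as confirmation, still aborting before a message body goes out. Only run this against hosts that are in scope.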
For most small and medium businesses, this is the first test to do. If your perimeter is porous, nothing behind it matters. The external test tells you whether an attacker with no inside knowledge can get in.
Internal network testing
Internal testing starts from the assumption that someone is already inside your network. A phished employee clicked a link, a contractor's laptop was compromised, or a visitor plugged into an open network port. The question is: how far can they get?
This is where I typically find the most serious issues. Internal networks are trusted environments, and that trust is often excessive. Standard user accounts with admin rights they shouldn't have. Legacy name-resolution protocols (LLMNR and NBT-NS are the persistent offenders) that let anyone on the segment answer a mistyped hostname lookup and capture the NTLM challenge-response that follows. No segmentation between the finance system and the guest Wi-Fi. A domain service account still running on a default password.
Internal testing is more complex than external testing because the environment is larger and the potential attack paths multiply. A typical internal engagement runs three to five days and covers lateral movement, privilege escalation, and data access.
Web application testing
Web application testing checks the code and logic of your web application, not the server it runs on. Authentication flows, access controls, input handling, session management, and business logic.
I have written a detailed guide on web application testing. The key point is that application vulnerabilities are fundamentally different from infrastructure vulnerabilities. An infrastructure test confirms your web server is patched. An application test checks whether the login page leaks valid usernames, whether one customer can view another's data by modifying a request parameter, and whether the payment form can be manipulated to change the amount.
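The three checks just named are worth seeing as code, because none of them would show up in an infrastructure scan. The block below is an added example (not the author's code) with each flaw as a tester would find it beside its hardened form: a login that tells you which usernames exist, an invoice lookup that trusts the id in the request, and a checkout that trusts the client's price. The users, invoices and catalogue are constructed sample data, and the handlers take the authenticated session user plus the request parameters, as a web framework would pass them in.

```python
import hashlib
import hmac


def _hash(password, salt):
    # Salted SHA-256 keeps the example dependency-free; a real application
    # should use a purpose-built password hash such as Argon2 or scrypt.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample data.
_SALT = b"fixed-salt-for-the-example"
USERS = {"alice": _hash("correct horse", _SALT), "bob": _hash("hunter2", _SALT)}
INVOICES = {101: {"owner": "alice", "amount_pence": 12000},
            102: {"owner": "bob", "amount_pence": 4500}}
CATALOGUE = {"sku-1": 2500, "sku-2": 9900}           # authoritative prices, in pence


# 1. Username enumeration: a different message (or a hash only computed for
#    known users) tells the attacker which usernames are valid.
def login_vulnerable(username, password):
    if username not in USERS:
        return (False, "unknown user")                 # leaks that the user exists
    if not hmac.compare_digest(USERS[username], _hash(password, _SALT)):
        return (False, "wrong password")
    return (True, "ok")


_DUMMY = _hash("not-a-real-password", _SALT)


def login_hardened(username, password):
    stored = USERS.get(username, _DUMMY)               # same work for unknown users
    ok = hmac.compare_digest(stored, _hash(password, _SALT)) and username in USERS
    return (ok, "ok" if ok else "invalid username or password")


# 2. IDOR: serving whatever id the request names, with no ownership check.
def get_invoice_vulnerable(session_user, invoice_id):
    return INVOICES.get(invoice_id)


def get_invoice_hardened(session_user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        return None                                    # "missing" and "not yours" look alike
    return invoice


# 3. Price tampering: the amount the client posted is what gets charged.
def checkout_vulnerable(form):
    return int(form["amount_pence"]) * int(form["quantity"])


def checkout_hardened(form):
    quantity = int(form["quantity"])
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[form["sku"]] * quantity           # price comes from the server


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; lets the checks below read as plain assertions."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(login_vulnerable("mallory", "x"), login_vulnerable("alice", "x"))   # messages differ
    print(get_invoice_vulnerable("bob", 101))                                 # bob reads alice's invoice
    print(checkout_vulnerable({"sku": "sku-2", "amount_pence": "1", "quantity": "1"}))  # 1p
```

In the hardened login the hash is computed even for unknown users so that response text and timing do not differ; in the hardened lookup the ownership check is part of the query, not a later filter, which is the pattern that survives the next developer adding a new endpoint.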
If your business runs a customer-facing application, this is probably the most important type of testing you can do. Infrastructure vulnerabilities are serious, but application vulnerabilities often provide direct access to customer data and financial transactions.
API testing
APIs are how your systems talk to each other: mobile app to server, payment system to bank, CRM to accounting software. API testing checks whether those conversations are properly authenticated, whether access controls prevent one user from accessing another's data, and whether the API's business logic can be abused.
I have a separate guide on API testing because the methodology is different from web application testing. The short version: scanners check for known CVEs on your API framework. A tester checks whether your specific API logic holds up when someone sends requests it was not designed to handle.
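Two examples of "requests it was not designed to handle", added here and not taken from the author's guide: a profile endpoint that merges whatever JSON keys the client sends (mass assignment, so a user can set their own role), and a transfer endpoint that takes the amount at face value (negative, boolean or float amounts, transfers from someone else's account, overdrafts). The account records and request bodies are constructed, the field names are assumptions, and the handlers take the authenticated caller plus the raw JSON body as a framework would pass them in.

```python
import copy
import json


def fresh_accounts():
    """Constructed sample table, copied so each call starts from a clean state."""
    return copy.deepcopy({
        "u1": {"email": "alice@example.com", "role": "user", "balance_pence": 5000},
        "u2": {"email": "bob@example.com", "role": "user", "balance_pence": 1000},
    })


# 1. Mass assignment: the endpoint exists to let a user change their e-mail,
#    but it merges every key the client sends, 'role' included.
def update_profile_vulnerable(accounts, caller, body):
    accounts[caller].update(json.loads(body))
    return accounts[caller]


WRITABLE = {"email": str}            # allow-list of client-settable fields and their types


def update_profile_hardened(accounts, caller, body):
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    unexpected = set(data) - set(WRITABLE)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for field, expected in WRITABLE.items():
        if field in data and type(data[field]) is not expected:
            raise ValueError(f"{field} must be {expected.__name__}")
    accounts[caller].update(data)
    return accounts[caller]


# 2. Business-logic abuse of a transfer: the amount and the source account are
#    taken straight from the request.
def transfer_vulnerable(accounts, caller, body):
    req = json.loads(body)
    accounts[req["from"]]["balance_pence"] -= req["amount_pence"]
    accounts[req["to"]]["balance_pence"] += req["amount_pence"]
    return accounts


def transfer_hardened(accounts, caller, body):
    req = json.loads(body)
    amount = req.get("amount_pence")
    # 'type(...) is int' rather than isinstance: bool is a subclass of int, and
    # a JSON literal such as 1e2 decodes to float.
    if type(amount) is not int or amount <= 0:
        raise ValueError("amount must be a positive integer number of pence")
    if req.get("from") != caller:
        raise PermissionError("can only transfer from your own account")
    if req.get("to") not in accounts or req["to"] == caller:
        raise ValueError("invalid destination")
    if accounts[caller]["balance_pence"] < amount:
        raise ValueError("insufficient funds")
    accounts[caller]["balance_pence"] -= amount
    accounts[req["to"]]["balance_pence"] += amount
    return accounts


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; lets the checks below read as plain assertions."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    a = fresh_accounts()
    update_profile_vulnerable(a, "u1", '{"email": "x@example.com", "role": "admin"}')
    transfer_vulnerable(a, "u1", '{"from": "u1", "to": "u2", "amount_pence": -3000}')
    print(a)   # u1 is now "admin" with 8000p; u2 holds -2000p
```

The point a scanner cannot make for you is the last one: every one of these requests is syntactically valid JSON against a perfectly patched framework, and only someone reading the logic, or sending the odd values on purpose, finds out what the handler does with them.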
Wireless testing
Wireless testing checks the security of your Wi-Fi networks. Can an attacker outside your building connect to your corporate network? Is the encryption current (WPA2 with AES-CCMP or WPA3, not WEP or anything still using TKIP)? Is the guest network properly isolated from the corporate network?
Wireless testing is shorter than most other types, typically a day or less. It is most relevant for organisations with open-plan offices, shared buildings, or retail premises where the wireless access point is physically accessible to the public.
I find guest network isolation failures regularly. The guest network and the corporate network share the same VLAN, or the access point is configured to broadcast both SSIDs through the same physical infrastructure with no logical separation. An attacker on the guest network can reach internal file shares, printers, and sometimes domain controllers.
Social engineering
Social engineering tests the human element of your security posture: phishing campaigns that simulate real attacks, phone calls pretending to be IT support or a vendor, and attempts to gain physical access to the building.
This is not a standard pen test. It is a separate type of engagement with its own scope, rules, and ethical considerations. I only run social engineering tests when the client has specifically requested them, and the scope is carefully defined in advance.
Social engineering results are valuable because they test the one layer that technical controls cannot fully address: human decision-making. An organisation with perfect technical security can still be compromised if someone clicks a link in a well-crafted phishing email or lets a stranger into the server room because they were wearing a high-vis vest and carrying a clipboard.
Black box, grey box, and white box
These terms describe how much information the tester receives before starting.
Black box means the tester gets nothing. Just a company name and a target list. They start with the same knowledge an external attacker would have. This approach tests your defences realistically, but the tester spends a significant portion of the engagement on reconnaissance that a more informed test would skip.
White box means the tester gets everything. Network diagrams, source code, admin credentials, documentation. This approach is the most thorough because the tester can focus all their time on finding and exploiting vulnerabilities rather than discovering what exists.
Grey box is the middle ground. The tester gets partial information: user credentials, basic network topology, maybe some documentation. This is the most common approach because it balances realism with efficiency.
For most engagements, I recommend grey box. The tester gets enough context to work efficiently without spending two days on discovery, but they do not have the full insider knowledge that would bypass realistic attack scenarios.
Which type do you need?
If you are starting from scratch: external infrastructure testing first. Secure the perimeter before worrying about what is behind it.
If you run customer-facing web applications or APIs: application testing, because that is where your customer data lives and where a breach causes the most damage.
If you handle sensitive data on an internal network: internal testing, because an attacker who gets past your perimeter (through phishing, a compromised supplier, or a misconfigured firewall rule) will find everything your internal controls fail to protect.
If a contract or regulator specifies a type: do what they ask. If they say "annual penetration test" without specifying the type, ask. An unscoped pen test is a test that misses the things that matter.
Want to know what testing your business needs? Get in touch or see our testing services.
Related articles
- Penetration Testing: What UK Businesses Need to Know
- Vulnerability Assessment vs Penetration Testing
- Infrastructure Pen Testing: What We Actually Test
- Cyber Essentials Plus Assessment Guide: What the Assessor Tests and How to Pass
Related Guides
Configuration Review: What It Is and Why It's Part of a Security Assessment
What a configuration review tests, how it differs from a vulnerability scan, and what it reveals about your actual security posture. Written by a CREST-registered pen tester.
Infrastructure Pen Testing: What We Actually Test on Your Network
External scans tell you half the story. Here is what a CREST tester checks on your internal network, servers, and Active Directory.
Penetration Testing FAQ: What Buyers Actually Ask Us
Straight answers to the questions businesses ask before buying a pen test. CREST, CHECK, cost, timing, and what the report looks like.