BLOG HOME > Cybersecurity > Types of Penetration Testing: The What, The Why, and The How

Types of Penetration Testing: The What, The Why, and The How

By: Chad Horton
Pen Test Manager

Learn what types of penetration testing methods your business may need. 

Did you know that a penetration test can result in very different findings depending on how much information the testing analyst is given for the assessment? As a result, not all penetration tests are equal.

This post goes into the what, the why, and the how of penetration testing to help you determine what type is best for your business.

Webinar: Network Penetration Testing 101

Watch Here
SEE ALSO:  Different Types of Penetration Tests for Your Business Needs

What is a penetration test?

To combat a hacker, you need to think like a hacker. Penetration testing is a form of ethical hacking that simulates attacks on an organization’s network and its systems. This is done to help businesses find exploitable vulnerabilities in their environment that could lead to data breaches.

The test is a manual process performed by experts that dive deeper into your environment than an automated vulnerability scan does. These experts especially look for the types of security issues that automated scanners struggle to detect.

SEE ALSO: Pentesting vs Vulnerability Scanning: What’s the Difference?

Why should my business get a penetration test?

Most environments are designed, built, and maintained by employees that have little to no professional experience in security. A penetration test is performed by a security expert trained to identify and document issues that are present in an environment. The resulting report can give you the opportunity to remediate the issues before they have been exploited by a real attacker.

The PCI DSS also requires that businesses test security controls annually and perform segmentation checks every six months. Subsequent assessments on these controls should also be done after any major change has been made.

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

How are penetration tests performed?

A penetration test can be broken into three steps:

  1. Research
  2. Testing/Exploitation
  3. Documentation

Do You Need a Penetration Test?

Find out Here
Unlike a real attacker, penetration testers have a set number of hours used to test a given environment. Because of this, you, as the customer, must make a decision – where do you want the majority of the analyst’s time spent: Research or Testing/Exploitation? (The time spent on documentation is static regardless of testing circumstances.) You have the most control over the accuracy and amount of information the analyst is given prior to the assessment, both of which will dramatically affect the time needed for research.

The methodology of penetration testing is split into three types of testing: black-box assessment, white-box assessment, and gray-box assessment.

Chad Horton has been the Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities. 

Join Thousands of Security Professionals and Subscribe