Types of Penetration Tests: A Look at Different Pentest Techniques & Tools


We have a few blogs written on penetration testing. These blogs include information on the steps or phases to properly conduct a penetration test, how penetration tests relate to satisfying SOC 2 requirements, information on how penetration testing compares to vulnerability assessments, and more. Feel free to check out these related blogs:

For this blog, I will focus on the different types of penetration testing and emerging security trends. This is in an effort to help readers understand which type of penetration test may be best suited to their needs when looking into penetration testing services.

Why Penetration Testing Matters in Modern Compliance

In one recent FedRAMP audit, we performed a penetration test for a client whose web app dependency mapping overlooked internal APIs used by their mobile apps. During pentesting, those APIs became the pivot point for privilege escalation. That’s the kind of gap that vulnerability scanning alone often misses.

Penetration testing (or “pentesting”) remains one of the strongest proofs you can bring to your compliance team or board of directors. It doesn’t just signal that “we looked at it”; it shows how an attacker could infiltrate, move, escalate, and exfiltrate data. As systems become more distributed, the attack surface grows faster than static scans can catch.

So, the question isn’t just, “Which pentests should I run?” but, “How do I make it meaningful, repeatable, and tied to real-world risk?”



How Many Types of Penetration Tests are There?

There are several categories of pentests, both by target domain and by methodology. Below is a nuanced breakdown that includes updated domains like cloud and IoT, as well as what clients often miss.

External/Perimeter

An external penetration test is conducted by an external third party with (usually) no knowledge of an organization’s network. The external tester uses software tools to perform reconnaissance and gather information about existing vulnerabilities that could be used to exploit a system. External assets are still among the most tested and, often, the most vulnerable.

Internal/Assumed Breach

An internal penetration test is conducted from within an organization’s network. The objective is to determine what a malicious actor could do from an “assumed breach” position, i.e. after already having gained unauthorized access to the internal network. Once inside, the tester uses various techniques to see what data can be extracted, attempts to escalate privileges to administrator level, and/or tries to gain access to traffic between systems. Zero-trust environments can complicate internal testing.

Web Application

A web application penetration test focuses on web applications and their databases. Penetration testing can detect weaknesses in the UI, back-end APIs, business logic, and authentication. OWASP is a resource that provides education and information for developers to secure web applications. The OWASP site outlines the Top 10 Application Security risks, describes each one, and details how to prevent and protect against each as well.

Cloud Infrastructure

Cloud infrastructure penetration testing focuses on uncovering vulnerabilities in cloud-native environments like AWS, Azure, and GCP, as well as supporting infrastructure such as containers, Kubernetes clusters, and CI/CD pipelines. Common attack vectors discovered during pentests include IAM misconfigurations, exposed storage buckets, overprivileged service accounts, and a lack of network segmentation.
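As an added illustration of the IAM misconfigurations mentioned above (this is example code written for this post, not a tool from Linford & Co or from any cloud provider), the checker below parses an IAM role trust policy and flags statements that let any principal, or an entire account with no Condition, assume the role. Both sample policies are constructed; the account ID, role name and external ID are placeholders.

```python
import json

# Constructed sample trust policies (placeholders, not from a real environment).
WEAK_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": "sts:AssumeRole"}]
}"""
SCOPED_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-service"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"StringEquals": {"sts:ExternalId": "order-svc"}}}]
}"""

# Actions that grant role assumption, compared case-insensitively.
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithwebidentity",
                  "sts:assumerolewithsaml", "sts:*", "*"}

def _as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": ..., "Service": ...}) to a list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [v for vals in p.values() for v in _as_list(vals)] if isinstance(p, dict) else []

def trust_policy_findings(policy_json):
    """Return one finding per Allow statement that grants role assumption too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue  # statement does not grant assumption at all
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"statement {i}: any principal may assume this role")
            elif p.endswith(":root") and "Condition" not in stmt:
                findings.append(f"statement {i}: entire account {p} trusted with no Condition")
        if actions & {"sts:*", "*"}:
            findings.append(f"statement {i}: wildcard sts action")
    return findings
```

The scoped policy produces no findings because it names one role and pins an external ID; the weak one is exactly the service-to-service impersonation path that defeats network segmentation.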

Wireless Networking

Wireless penetration testing targets the communication channels that connect devices wirelessly. These include WiFi, Bluetooth Low Energy (BTLE), Zigbee, NFC, RFID, and proprietary radio protocols. These protocols are often assumed to be secure out of the box, but in practice, they often introduce vulnerabilities into an organization’s infrastructure. Testing wireless systems not only involves sniffing traffic with specialized equipment, but also deploying rogue access points that simulate Attacker-in-the-Middle (AitM) attacks. Because these attacks can often be launched from outside the building, they carry a high risk and often low visibility.

IoT/Embedded

Penetration testing in IoT and embedded systems focuses on devices and systems that often sit outside of traditional IT perimeters. IoT devices include everything from smart sensors and medical devices to manufacturing controllers and security cameras. These devices often suffer from hard-coded credentials, insecure firmware, outdated libraries, or unauthenticated interfaces. IoT devices are often deployed with security as an afterthought, assuming attackers won’t know of or reach them. Firmware analysis, JTAG interface probing, serial debugging, and side-channel attacks are in scope for these types of engagements.

Social Engineering

A social engineering penetration test tricks and deceives individuals, typically through a false sense of authority or trust, in order to gain access to target information. This type of penetration test bypasses network security altogether by exploiting human weaknesses. A key way to help prevent successful social engineering attacks is a properly implemented security policy together with a security awareness training program, so that staff are able to detect suspicious activities and requests for information.

Physical

A physical penetration test is geared toward bypassing physical security controls. This can include bypassing badge readers, piggybacking/tailgating, defeating biometric controls, lock picking, etc.

Most real-world pentests are hybrid, testing multiple domains to mirror how an attacker really operates.



What is the Difference Between Black-Box, Grey-Box, & White-Box Penetration Testing?

Once the target and type of penetration test have been selected from those listed above, the engagement also falls into one of three general (though not rigid) categories, based on how much knowledge the tester is given: white-box testing, grey-box testing, and black-box testing.

What is White-Box Penetration Testing?

White-box penetration testing is a type of test where all knowledge of the environment being tested is provided to the tester. The advantage of a white-box test is that it provides deep coverage and faster discovery, resulting in a more cost-effective test. The disadvantage of a white-box test is that it doesn’t adequately simulate a “blind attack.”

What is Grey-Box Penetration Testing?

Grey-box penetration testing is a type of test where some knowledge of the environment being tested is provided to the tester. Since information is provided upfront, this is a good test to see the harm a malicious insider or an attacker with partial knowledge could do.

What is Black-Box Penetration Testing?

Black-box penetration testing is a type of test where no upfront knowledge of the environment being tested is provided to the tester. The advantage of a black-box test is that it offers a highly realistic simulation of the harm an outside attacker, with no prior knowledge, could do. The trade-off is that black-box testing often requires more reconnaissance and testing time.

The penetration tester should be able to provide details on which type of test may best suit the engagement based upon various factors such as: objectives, time, and cost limitations or requirements.



The Phases of Penetration Testing

After the initial planning phase, a modern penetration test generally follows a logical progression:

  • Scoping and Threat Modeling – This phase involves defining assets, rules of engagement, priorities, and success criteria. A common approach is to use frameworks such as MITRE ATT&CK and kill chains to align testing with real attacker behavior.
  • Reconnaissance and Enumeration – This stage involves passive external data collection, often referred to as Open-source Intelligence (OSINT). Common tasks include cloud footprint discovery, subdomain enumeration, and API surface mapping. Common tools include Nmap, subdomain scanners, and cloud footprint tools.
  • Vulnerability Discovery and Scanning – This phase uses both automated and manual methods to detect potential vulnerabilities. The penetration tester will then prioritize these findings based on exploitability, business impact, and chainability.
  • Exploitation and Attack Chaining – The goal of this stage of testing is to combine exploits across domains (chaining) and to pivot to other systems and escalate privileges. Common tools include Metasploit, Cobalt Strike, and newer AI-enabled exploit suites.
  • Post-Exploitation and Persistence – In this step, the penetration tester emulates real attacker behavior by defining and testing data exfiltration paths, attempting to steal credentials, and maintaining stealthy persistence. Common tools include multiple modular C2 frameworks and custom tooling.
  • Reporting and Business-Level Context – The real value in penetration testing is in generating an actionable report with detailed evidence and repeatable steps. The report should translate technical issues into risk/business-impact metrics, as well as offer practical remediation recommendations.
  • Remediation Validation – Once your organization has had the opportunity to remediate the vulnerabilities discovered during the penetration test, conducting validation of the fixes helps to demonstrate accountability and to bolster the security of your environment.
  • Continuous, Change-Based Testing – An emerging approach in penetration testing is to conduct gap testing when infrastructure or code changes occur. This requires tight integration with DevOps pipelines and helps reduce the risk window between full penetration tests.

Emerging Penetration Testing Trends to Watch

Here are some key factors that are reshaping the penetration testing world, and what you need in your toolkit.

  • AI / Agentic Pentesting – With AI, automated reconnaissance, exploit chaining, and triage workflows are replacing repetitive tasks. However, fully autonomous penetration testing is still a stretch.
  • Continuous Testing / PTaaS – Pentesting-as-a-Service models let you test on demand as change happens in your environment. This helps reduce the risk window between annual or semi-annual testing.
  • Cloud-first Focus – As businesses continue to move key infrastructure to the cloud, IAM misconfigurations, vulnerable serverless functions, and container escape are increasingly becoming part and parcel of modern testing scopes.
  • Business Logic and Multi-Step Flaws – Testers are finding more logic-based chained flaws across microservices. Tools are catching up, but manual testing is still an essential part of the pentester’s arsenal.
  • Purple Teaming Strategy – Blurring the lines between attack and defense, purple team engagements facilitate real-time feedback and continuous improvement.
  • Quantum Computing Awareness – While still not mainstream, discussions on post-quantum cryptography are creeping into pentesting considerations and after-action reports.

Essentially, after a penetration test is completed through the use of one or a combination of the tools above (or others), a thorough report that outlines the vulnerabilities and weaknesses is critical. A thorough report is essential in order to be able to understand the issues and their impacts, and to be able to take the appropriate remediation actions as soon as possible.



Common Pentesting Pitfalls & “Gotchas”

  • Forgotten dev subdomains: In one pentest, we found a dev API endpoint (not in the inventory) that allowed direct access to internal systems. This became the pivot point for gaining access.
  • Cloud service misuse: In a client’s AWS environment, an overly permissive IAM role allowed service-to-service impersonation, effectively breaking any network-based segmentation.
  • Logic flaw exploitation: During a fintech services test, a multi-step logic flaw allowed incremental fund extraction in small denominations to fly under the radar of monitoring thresholds.
  • Social engineering success: We sent a custom-tailored phishing email, emulating a “MANDATORY HIPAA TRAINING” HR request, and got a user’s credentials from one employee in under 24 hours.
  • Regression failure: A client remediated a vulnerability but introduced a new bug in the API. Fortunately, validation and rescanning caught it. This illustrates the criticality of validation in high-change environments.
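The logic-flaw pitfall above succeeded because each withdrawal stayed under a single-transaction alert threshold. As an added example (written for this post, not part of the original engagement or any client's monitoring), the code below runs a per-transaction check and a per-account sliding-window velocity check over a constructed withdrawal log; the thresholds and window size are assumptions chosen to make the contrast visible.

```python
from datetime import datetime, timedelta

# Constructed sample withdrawal records: "timestamp account amount", one per line.
SAMPLE_LOG = """\
2025-06-01T09:00:00 acct-42 450.00
2025-06-01T09:07:00 acct-42 480.00
2025-06-01T09:15:00 acct-42 470.00
2025-06-01T09:21:00 acct-42 490.00
2025-06-01T09:30:00 acct-42 460.00
2025-06-01T10:00:00 acct-77 2500.00
"""

PER_TXN_THRESHOLD = 500.00      # assumed single-transaction alert level
WINDOW = timedelta(hours=1)     # assumed look-back window per account
WINDOW_SUM_THRESHOLD = 2000.00  # assumed aggregate alert level inside the window
WINDOW_COUNT_THRESHOLD = 4      # assumed minimum number of withdrawals in the window

def parse_log(text):
    """Parse the log into (timestamp, account, amount) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        ts, acct, amt = line.split()
        rows.append((datetime.fromisoformat(ts), acct, float(amt)))
    return sorted(rows)

def single_txn_alerts(rows):
    """The naive check: only large individual withdrawals are flagged."""
    return [(acct, amt) for _, acct, amt in rows if amt >= PER_TXN_THRESHOLD]

def velocity_alerts(rows):
    """Sliding window per account: flag when many sub-threshold withdrawals add up."""
    alerts, by_acct = [], {}
    for ts, acct, amt in rows:
        win = by_acct.setdefault(acct, [])
        win.append((ts, amt))
        while win and ts - win[0][0] > WINDOW:   # drop entries older than the window
            win.pop(0)
        total = sum(a for _, a in win)
        if len(win) >= WINDOW_COUNT_THRESHOLD and total >= WINDOW_SUM_THRESHOLD:
            alerts.append((acct, len(win), round(total, 2)))
            win.clear()  # one alert per burst, then start counting again
    return alerts
```

On the sample data the per-transaction check sees only acct-77, while the velocity check is what catches acct-42's five small withdrawals.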

Frequently Asked Questions on Penetration Testing & Types

These are some of the most common questions we get from clients with regard to penetration testing types, tools, and more.

What Are the 3 Types of Penetration Testing?

This usually refers to white-box, grey-box, or black-box testing, and indicates how much knowledge the tester has going into the engagement.

What Are the 8 Steps of Penetration Testing?

Variations exist, but you’ll often see: scoping, reconnaissance, scanning, exploitation, post-exploitation, reporting, and validation/rescan. A valuable addition to this standard is continuous, change-based testing.

What is the Most Common Penetration Test?

External + web application + API remain foundational. Many tests start here before branching into other types of testing.

What is API Penetration Testing?

Testing endpoints that aren’t necessarily visible to browsers: authentication, data flows, microservices, access control, etc.

What is Purple Team Penetration Testing?

A collaborative approach that blends attackers (red) with defenders (blue) to continuously validate and harden defenses in real-time.

Can AI Replace Pentesters?

AI helps automate repetitive work, but creative discovery, strategy, and nuanced decision-making still depend on human involvement.

Which Tools Are Commonly Used for Penetration Testing?

While a thorough penetration test utilizes a lot of manual testing, Nmap, Burp Suite Professional, and Metasploit are staples. Emerging AI-enabled tools are also gaining attention.

Final Thoughts on Penetration Testing Types

Updating your pentest strategy is no longer optional. Attack surfaces are evolving fast, AI is entering the mix, and compliance-driven point-in-time tests won’t suffice in the foreseeable future. Here are a few points to consider:

  • Aim for a hybrid scope (external + API + Social Engineering) rather than siloed tests.
  • Build continuous validation (triggered by change, not just annual cycles).
  • Invest in attack surface management (ASM) to stay current.
  • Use automation/AI to speed up routine tasks, but keep human oversight.
  • Where possible, utilize purple team methodologies so your defenses improve as you test.

Choosing the Right Penetration Test for Your Organization

The types of penetration testing services available today, whether external, internal, cloud-based, or focused on human or physical vulnerabilities, offer more than just technical checks. When executed properly, they provide real-world insight into how your systems could be exploited and what the potential business impact might be. The key is choosing the right test for your environment, scoping with clarity, and aligning the outcomes with your organization’s risk priorities and compliance goals. While threats continue to evolve, so do the methods used to evaluate them. The value of a pentest isn’t just in finding vulnerabilities, it’s in understanding how attackers think, where your real exposure lies, and how to best address it in context.

If your organization is navigating a SOC 2 audit, HIPAA audit, FedRAMP certification, or other audit frameworks and considering how penetration testing fits in, Linford & Co is available to discuss your options and help you move forward with confidence. Contact us today.

This article was originally published on 12/7/2021 and was updated on 10/8/2025.