> series: business_owners_guide —— part: 02/10 —— topic: types_of_penetration_test —— approach: know_your_options
When a penetration testing provider quotes you for an engagement, one of the first questions they should ask is what type of test you need. This is not a trick question — it directly affects the scope, methodology, duration, and cost of the engagement. Understanding the different types of penetration test ensures you commission the right assessment for your specific risks and objectives.
There are two dimensions to consider: the testing approach (how much information the tester starts with) and the testing category (what they are testing). This article covers both.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call

The amount of information you provide to the tester before the engagement begins fundamentally changes the nature of the test. Each approach answers a different question, and the right choice depends on what you are trying to learn.
| Approach | What the Tester Knows | What It Simulates |
|---|---|---|
| Black Box | Nothing — or almost nothing. The tester receives your company name and perhaps a list of in-scope IP addresses or domains, but no internal documentation, credentials, architecture diagrams, or source code. They start from the same position as an external attacker with no inside knowledge. | An opportunistic external attacker — a criminal who has identified your organisation as a target and is working from scratch. Tests your external attack surface and how much an attacker can discover and exploit without any insider assistance. |
| White Box | Everything. The tester receives full documentation — network diagrams, architecture documents, source code, credentials, configuration files, and direct access to development and operations teams for questions. Nothing is withheld. | A worst-case scenario — an attacker with complete inside knowledge, or a comprehensive security review that aims to find as many vulnerabilities as possible regardless of how an attacker might discover them. Maximises vulnerability discovery. |
| Grey Box | Partial information. The tester receives some insider knowledge — typically user-level credentials, basic network documentation, or application architecture details — but not full access. The exact level of information is agreed during scoping. | A range of realistic scenarios: an attacker who has compromised a user account, a disgruntled employee with standard access, or a partner with limited network connectivity. Balances realism with depth of testing. |
For most organisations, grey box testing offers the best balance of realism and value. Black box testing is realistic but time-limited — the tester may spend days on reconnaissance that could be bypassed with basic information, reducing the time available for actual exploitation. White box testing finds the most vulnerabilities but does not reflect a realistic attack scenario. Grey box gives the tester enough context to focus on exploitation rather than discovery, while still testing from a credible threat perspective.
The testing approach determines how much information the tester has. The testing category determines what they are targeting. Most organisations need more than one category of test, and different categories may use different approaches.
Real attackers do not limit themselves to a single attack vector. A comprehensive security assessment often combines multiple test categories to simulate realistic attack scenarios. For example, an attacker might use a phishing email to compromise a user's credentials, use those credentials to access a web application, exploit a vulnerability in that application to reach the internal network, and then escalate privileges through Active Directory misconfigurations.
This does not mean every organisation needs every type of test simultaneously. Prioritise based on your risk profile: if you have significant internet-facing infrastructure, start with external and web application testing. If your primary concern is insider threat, start with internal testing. If you have recently deployed security awareness training, a social engineering assessment measures its effectiveness.
You may also hear the term 'red team engagement'. This is not a synonym for penetration testing — it is a distinct activity with a different objective. A penetration test aims to find as many vulnerabilities as possible within a defined scope. A red team engagement aims to achieve a specific objective — such as accessing a particular database, exfiltrating specific data, or compromising a specific account — using any means necessary, over a longer timeframe, with stealth.
Red team engagements are typically commissioned by more mature organisations that have already addressed the findings from regular penetration testing and want to test their detection and response capabilities. They are more expensive, take longer, and are designed to answer the question 'can our security team detect and respond to a sophisticated, targeted attack?' rather than 'what vulnerabilities exist in our systems?'
For most organisations, penetration testing is the right starting point. Red teaming is the next step once your baseline security posture is solid.
The type of penetration test you commission should be driven by your organisation's risk profile, the threat model relevant to your industry, and your current security maturity. A reputable provider will help you determine the right combination during the scoping process — which we cover in detail in Part 5 of this series.
Next week, in Part 3, we address a critical question for business owners: when should you commission a penetration test? We cover the trigger events, compliance deadlines, and business scenarios that should prompt you to pick up the phone.
Choosing the right type of penetration test does not need to be complicated. Our scoping consultations are free, obligation-free, and designed to help you understand exactly what testing your organisation needs and why.