> man pen-test-types_
When someone says "we've had a pen test done," the natural follow-up question should be: which kind? Because penetration testing isn't a single activity any more than "surgery" is a single procedure. An external infrastructure test and a social engineering assessment are about as similar as a knee replacement and cataract surgery — both are operations, both require trained professionals, and neither one substitutes for the other.
This matters because scoping the wrong type of test is worse than not testing at all. It creates false confidence. You believe you've been assessed when you've actually only looked at one layer — and the attacker, who doesn't respect your scope boundaries, walks in through the layer you didn't test.
This article explains each common type in plain English: what it targets, how it works, what it typically uncovers, and who should be commissioning it. If you're responsible for deciding what gets tested and how, this is the guide that helps you have an informed conversation with your provider.
An external infrastructure test simulates an attacker on the internet with no insider knowledge and no credentials. They can see only what's publicly visible — your IP addresses, domain names, and any services exposed to the outside world. The tester's job is to find out how much damage can be done from that starting position.
Think of it as a stranger walking the perimeter of your building. They're checking every door, every window, every service hatch. They're looking at the locks, reading the signs, and testing whether anything's been left open. They haven't been given keys — they're working with what's available to anyone who cares to look.
| What's in Scope | What We Typically Find |
|---|---|
| Public IP ranges, DNS records, subdomains | Forgotten subdomains still pointing to live services — staging environments, old marketing sites, decommissioned portals — exposed to the internet with no monitoring |
| VPN gateways and remote access portals | Unpatched critical CVEs on Fortinet, Citrix, Pulse Secure, and SonicWall appliances. For years these appliances have been among the most exploited entry points in ransomware attacks |
| Mail servers and webmail (OWA, Exchange Online) | Missing or misconfigured SPF, DKIM, and DMARC records allowing domain spoofing. User enumeration through timing differences in login responses |
| Firewalls and perimeter network devices | Management interfaces exposed to the internet on non-standard ports, default SNMP community strings, administrative credentials unchanged from factory defaults |
| SSL/TLS across all services | Expired certificates, support for deprecated protocols (TLS 1.0/1.1), weak cipher suites, missing HSTS headers enabling downgrade attacks |
| Cloud-hosted public services | Publicly accessible management consoles, API endpoints without authentication, storage buckets misconfigured as world-readable |
In nearly every external test we conduct, we discover services the client didn't know were still running. A staging server spun up two years ago for a project that finished. A marketing microsite on a subdomain nobody remembers creating. A legacy portal that was "decommissioned" but never actually switched off. These forgotten assets are goldmines for attackers — unpatched, unmonitored, and often containing credentials that work elsewhere.
An internal test begins where an external attacker's successful breach ends — inside your network. The tester is given a laptop on the corporate LAN (or a VPN connection) with standard user privileges, simulating a compromised employee workstation, a rogue insider, or an attacker who made it past the perimeter through phishing or an exploited VPN.
If external testing checks the locks on the doors, internal testing asks: once someone's inside the building, what can they reach? The answer, in most organisations, is: far too much.
The internal network is where organisations are most consistently vulnerable, because it has historically been treated as a trusted zone. Firewalls guard the perimeter. Monitoring watches the ingress points. But inside, the network is often flat, Active Directory is weakly configured, and credentials are scattered like house keys left under doormats.
| What's in Scope | What We Typically Find |
|---|---|
| Active Directory | Kerberoastable service accounts with weak passwords crackable in minutes. AS-REP roasting against accounts without pre-authentication. Misconfigured delegation allowing impersonation of any user including Domain Admins |
| Network segmentation | Flat networks where a standard user workstation can directly reach database servers, domain controllers, backup systems, and management interfaces. No barriers between business units |
| Credential storage and reuse | Domain Admin credentials cached on workstations that aren't domain controllers. Shared local admin passwords across the entire estate. Group Policy Preferences containing retrievable passwords (still, in 2025) |
| Legacy protocols | LLMNR and NBT-NS broadcast poisoning allowing credential capture with Responder. NTLMv1 authentication still permitted. SMBv1 enabled on file servers |
| Internal services | SQL servers with sa using a blank or default password. Jenkins dashboards with no authentication. Printers with LDAP bind credentials visible in their web interface |
| File shares | Sensitive documents — contracts, passwords, HR records, financial data — on shares readable by every authenticated user in the domain |
The typical internal test follows a predictable arc: capture credentials through broadcast poisoning, crack a service account hash, use it to query AD for escalation paths, find a route to Domain Admin, and demonstrate full domain compromise — often within hours. The statistic from our engagements: Domain Admin is achieved in approximately 85% of internal tests.
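The "crackable in minutes" claim comes down to arithmetic: a Kerberoasted hash is attacked entirely offline, so the only limits are keyspace and guess rate. A rough sketch — the guess rate is an assumed, illustrative figure (single modern GPUs try Kerberos RC4 hashes at rates on the order of billions per second), not a benchmark:

```python
def crack_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a password keyspace by brute force."""
    return charset_size ** length / guesses_per_second

# Assumed illustrative rate: ~2 billion guesses/second on one GPU.
RATE = 2e9

# An 8-character lowercase service account password: gone in under two minutes.
print(crack_time_seconds(26, 8, RATE))                 # roughly 104 seconds

# A 12-character password over upper/lower/digits: tens of thousands of years.
print(crack_time_seconds(62, 12, RATE) / 3.15e7)       # converted to years
```

This is why the finding is always phrased as "weak passwords on service accounts", not "Kerberoasting" alone: the protocol behaviour is by design, and password length is the only variable the defender controls.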
The perimeter will eventually fail. A phishing email will land. A VPN vulnerability will be exploited. A laptop will be stolen. When that happens, the only thing standing between an attacker and your crown jewels is the security of your internal network. If you haven't tested it, you don't know whether it will hold.
Web application testing examines the software, not the server. While infrastructure testing asks "is this machine secure?", application testing asks "is the code running on it secure?" These are entirely different questions with entirely different answers.
Your web server might be perfectly patched and hardened — but if the application it hosts has a SQL injection vulnerability in the login page, none of that matters. Application-layer vulnerabilities are among the most common causes of data breaches, and they can only be found through dedicated application testing that includes significant manual effort.
| Vulnerability Class | What the Tester Does | Real-World Impact |
|---|---|---|
| Injection flaws | Attempts SQL, NoSQL, OS command, LDAP, and template injection through every input — forms, URL parameters, headers, cookies, API bodies | A single SQL injection in a search field extracted 430,000 customer records from a UK retailer. The field had been live for three years without anyone testing it. |
| Broken authentication | Tests login flows, session handling, password reset mechanisms, MFA bypass, account lockout, credential stuffing resistance | A password reset function that returns different error messages for valid vs invalid emails. This lets an attacker enumerate every user account before launching a targeted credential stuffing attack. |
| Broken access control | Tests IDOR, horizontal and vertical privilege escalation, forced browsing, missing function-level access control, API endpoint authorisation | Changing /api/invoices/1001 to /api/invoices/1002 returns a different customer's invoice. The API checked authentication but not authorisation — a textbook IDOR that automated scanners would never find. |
| Business logic | Tests application workflows for abuse — race conditions, state manipulation, price tampering, coupon stacking, step-skipping in multi-stage processes | A checkout flow where modifying the quantity to -1 credits money to the customer's account. No technical vulnerability — purely a logic flaw. Scanners can't find these; only a human tester thinking adversarially will. |
| Cross-site scripting (XSS) | Tests every output for reflected, stored, and DOM-based XSS. Demonstrates impact through session theft, keylogging, or admin impersonation | Stored XSS in a customer support chat field. When an admin views the message, the attacker's JavaScript executes in the admin's browser, stealing their session and granting full administrative access. |
| API-specific flaws | Tests REST and GraphQL APIs for mass assignment, excessive data exposure, broken object-level authorisation, rate limiting, and schema validation | A GraphQL introspection query that reveals the entire database schema, including fields like isAdmin that can be set via mutation — granting any user admin privileges. |
Web application testing is typically benchmarked against the OWASP Testing Guide (currently v4.2) and the OWASP Top 10, but experienced testers go well beyond these. The most damaging findings — business logic flaws, complex authorisation bypasses, chained attack paths — live outside any checklist.
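The `/api/invoices` IDOR from the table above reduces to one missing check: the handler verifies that *a* user is logged in, but never that the user owns the object being requested. A minimal sketch using a hypothetical in-memory store in place of a real database and framework:

```python
# Hypothetical in-memory store standing in for a real database.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob",   "total": 480.00},
}

def get_invoice_vulnerable(authenticated_user: str, invoice_id: int) -> dict:
    """Checks authentication (someone is logged in) but never authorisation
    (does this user own this invoice) -- the textbook IDOR.
    The authenticated_user argument is accepted and then ignored."""
    return INVOICES[invoice_id]

def get_invoice_fixed(authenticated_user: str, invoice_id: int) -> dict:
    invoice = INVOICES[invoice_id]
    # Object-level authorisation: verify ownership on every single access.
    if invoice["owner"] != authenticated_user:
        raise PermissionError("not your invoice")
    return invoice

# alice can read bob's invoice through the vulnerable handler...
print(get_invoice_vulnerable("alice", 1002))   # bob's data leaks
# ...but the fixed handler refuses the same request.
```

Automated scanners miss this class almost entirely because both responses are valid HTTP 200s with well-formed JSON; only a tester who knows which user *should* see which object can spot the difference.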
Mobile testing assesses iOS and Android applications from a fundamentally different threat model than web testing. A web application runs on a server you control. A mobile application runs on a device the attacker controls. They can decompile it, inspect its storage, intercept its traffic, and reverse-engineer its logic. Every secret embedded in the binary is a secret the attacker already has.
The test covers the app itself (local storage, binary protections, runtime behaviour), its network communication (API calls, certificate validation, data in transit), and the back-end APIs it talks to (which frequently overlap with web application testing but are often less rigorously protected because developers assume the mobile client is "trusted").
| Assessment Area | What We Look For | Why It Matters |
|---|---|---|
| Local data storage | Credentials, tokens, PII, session data, or financial information stored in plaintext in shared preferences, SQLite, plist files, or the filesystem | A stolen or lost device gives the attacker access to everything stored locally. Even a locked device can have its filesystem extracted forensically. |
| Transport security | Certificate pinning implementation (and bypass), cleartext traffic, sensitive data in URLs (logged by proxies and servers), API keys in transit | Without proper certificate validation, an attacker on the same Wi-Fi network can intercept every API call the app makes — including login credentials. |
| Reverse engineering | Hardcoded API keys, encryption keys, internal URLs, admin endpoints, business logic, hidden debug functionality | Anything in the binary is accessible to a motivated attacker. We regularly find production API keys, internal staging URLs, and disabled-but-present admin features. |
| Authentication and sessions | Token expiry, refresh token security, biometric bypass, device binding, session invalidation on logout and password change | A refresh token that never expires and is stored in plaintext means a single device compromise grants persistent access indefinitely. |
| Platform-specific risks | Android: exported components, intent handling, deep link hijacking. iOS: URL scheme abuse, pasteboard leakage, ATS exceptions | Platform-specific vulnerabilities that developers unfamiliar with mobile security routinely overlook — because they test on emulators, not against real attack techniques. |
Mobile testing follows the OWASP Mobile Application Security Testing Guide (MASTG) and the Mobile Top 10. It's essential for financial services, healthcare, e-commerce, and any organisation whose mobile app handles sensitive user data.
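A first pass at the "anything in the binary is accessible" problem is simply pattern-matching the strings extracted from the app package. A sketch with a few illustrative rules — the `AKIA` prefix for AWS access key IDs is real, but the pattern set, function name, and sample strings below are ours, and production scanners use far larger rule sets plus entropy analysis:

```python
import re

# Illustrative patterns only; the sample strings below are fabricated.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Generic API key assignment": re.compile(
        r"""(?i)api[_-]?key['"]?\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]"""
    ),
    "Internal staging URL": re.compile(r"https?://[a-z0-9.-]*staging[a-z0-9.-]*"),
}

def scan_strings(extracted: list[str]) -> list[tuple[str, str]]:
    """Run each pattern over strings pulled from an app binary."""
    hits = []
    for s in extracted:
        for name, pattern in PATTERNS.items():
            if pattern.search(s):
                hits.append((name, s))
    return hits

sample = [
    'api_key = "d41d8cd98f00b204e9800998"',
    "https://staging.internal.example.com/admin",
    "normal UI label text",
]
for name, s in scan_strings(sample):
    print(name, "->", s)
```

Anything this trivial a script can find, a motivated attacker with a decompiler has already found — which is the core argument for keeping secrets server-side rather than shipping them in the client.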
A cloud security assessment evaluates your AWS, Azure, or GCP environment for misconfigurations, architectural weaknesses, and access control failures. It's not a traditional pen test in the sense of "break in from the outside" — it's a systematic review of how your cloud estate is configured, with particular attention to the things that go wrong when the shared responsibility model is misunderstood.
The shared responsibility model is simple in theory: the cloud provider secures the physical infrastructure, the hypervisor, and the managed services. You secure everything you build on top — identity, access, storage permissions, network configuration, encryption, logging, and application code. In practice, this boundary is routinely misunderstood, and the resulting misconfigurations are a leading cause of cloud breaches.
| Focus Area | What We Assess | What We Commonly Find |
|---|---|---|
| Identity and access (IAM) | Policies, roles, trust relationships, cross-account access, service account permissions, credential rotation | Roles with *:* permissions. IAM users with console access and no MFA. Cross-account trust relationships that allow any authenticated entity to assume a privileged role. |
| Storage | S3 bucket policies, Azure Blob access levels, GCS IAM bindings, backup encryption, versioning and lifecycle policies | S3 buckets with public read access containing database backups. Azure Blob containers set to anonymous access. Backup buckets with no versioning, meaning ransomware can permanently destroy data. |
| Network architecture | VPC design, security groups, NACLs, peering, PrivateLink usage, internet gateway exposure, flow log configuration | Security groups allowing 0.0.0.0/0 on SSH/RDP. VPC peering between production and development without restrictive route tables. No flow logs, meaning network activity is invisible. |
| Compute and containers | EC2 instance metadata, ECS/EKS configuration, Lambda execution roles, container image vulnerabilities, secrets management | Lambda functions with admin IAM roles. EC2 instances with IMDSv1 enabled, allowing SSRF-to-credential-theft attacks. Container images with known critical CVEs running in production. |
| Detection and logging | CloudTrail, VPC Flow Logs, GuardDuty, Azure Defender, GCP Security Command Center, SIEM integration | CloudTrail disabled in non-primary regions. No alerting on IAM key creation or root account usage. GuardDuty findings going to an S3 bucket nobody monitors. |
Cloud reviews are benchmarked against the CIS Benchmarks for the relevant provider, supplemented with manual assessment of architecture, trust chains, and realistic privilege escalation paths. The output isn't just a compliance checklist — it's an attacker's roadmap through your cloud estate, with recommendations to shut down each path.
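The "roles with `*:*` permissions" finding from the table can be spotted mechanically in policy documents. A minimal sketch that flags `Allow` statements granting every action on every resource — real reviews also expand service-level wildcards like `s3:*`, and evaluate `NotAction`, `NotResource`, and conditions, none of which this toy handles:

```python
import json

def find_wildcard_statements(policy_json: str) -> list[dict]:
    """Flag IAM policy statements that allow every action on every resource."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a lone statement may appear un-listed
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # Action and Resource may each be a string or a list of strings.
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            flagged.append(stmt)
    return flagged

policy = '''{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"}
  ]
}'''
print(len(find_wildcard_statements(policy)))   # 1 over-privileged statement
```

The harder part of a cloud review is not finding these statements but tracing which identities can *reach* them through role assumption, which is why the output is framed as an attacker's roadmap rather than a checklist.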
Wireless penetration testing assesses your Wi-Fi environment — corporate networks, guest networks, and anything else broadcasting a signal — for vulnerabilities that an attacker within physical range could exploit to intercept traffic, capture credentials, or gain direct access to the corporate network.
This is an on-site engagement. The tester arrives with specialist hardware — directional antennae, wireless adapters capable of monitor mode and packet injection, portable access points — and operates from within or near your premises. The range of a corporate Wi-Fi network frequently extends well beyond the building envelope: into the car park, the neighbouring office, the coffee shop across the road.
| What's Assessed | Common Findings |
|---|---|
| Encryption standards | WPA2-PSK with a pre-shared key that's also the company name (or written on a whiteboard visible from reception). Legacy WEP or WPA1 networks still active. WPA3 not deployed where hardware supports it. |
| Enterprise authentication | WPA2-Enterprise with EAP-PEAP where clients don't validate the RADIUS server certificate — allowing an evil twin attack to capture domain credentials in cleartext. Misconfigured RADIUS policies accepting any valid domain credential. |
| Guest network isolation | Guest Wi-Fi that shares a physical switch or VLAN trunk with the corporate network. Missing client isolation, allowing guests to attack each other. Guest network providing a route into internal management interfaces. |
| Rogue access points | Unauthorised access points plugged into network drops by employees wanting better coverage. Consumer routers bridging corporate ethernet to an open Wi-Fi network. Evil twin susceptibility testing. |
| Client behaviour | Devices broadcasting probe requests for previously connected SSIDs ("Starbucks", "Holiday_Inn_WiFi"), enabling targeted evil twin attacks. Auto-connect behaviour that bypasses all network-level authentication. |
| Bluetooth and peripheral risks | Discoverable Bluetooth devices, wireless keyboards transmitting keystrokes in cleartext (KeySniffer), wireless presentation adaptors with no authentication. |
One of the most effective demonstrations in a wireless assessment is showing the client how much of their network is accessible from the car park. If an attacker can sit in a parked car, capture a WPA2 handshake, crack the PSK offline (often in minutes if it's a dictionary word), and connect to the corporate network — your Wi-Fi security isn't just weak, it's effectively non-existent for anyone willing to spend 20 minutes in your visitor parking.
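The offline-cracking step works because WPA2-PSK derives its pairwise master key from the passphrase and SSID with a fixed, public key-derivation function: PBKDF2-HMAC-SHA1 over 4096 iterations. Once a handshake is captured, candidate passphrases can be tested without ever touching the network again. The derivation itself is short (the passphrase and SSID below are hypothetical):

```python
import hashlib

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 pairwise master key as the standard specifies:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# With a captured 4-way handshake, an attacker repeats this derivation for
# every dictionary word and checks the result against the handshake -- all
# offline, at GPU speed. Hypothetical credentials for illustration:
pmk = wpa2_pmk("CompanyName2024", "CorpWiFi")
print(pmk.hex())
```

The 4096 iterations slow each guess, but against a dictionary-word PSK that only stretches "seconds" into "minutes". The practical defences are a long random passphrase or, better, WPA2/WPA3-Enterprise with per-user credentials.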
Social engineering assesses the hardest thing to patch in any organisation: human behaviour. It tests whether your people — from the receptionist to the CFO — can recognise and resist the manipulation techniques that real attackers use every day.
This isn't about making people feel foolish. It's about measuring your organisation's human-layer defences under realistic conditions, identifying where training has gaps, and building a culture where reporting suspicious activity is instinctive rather than embarrassing.
| Vector | How We Test It | What Success Looks Like |
|---|---|---|
| Phishing | Crafted emails ranging from mass campaigns (generic lures) to highly targeted spear-phishing using OSINT about specific individuals, their projects, and their communication patterns | Not a 0% click rate — that's unrealistic. Success is a high report rate. Organisations mature enough that employees recognise the phish, don't click, and report it to IT within minutes. |
| Vishing | Phone calls impersonating IT support, a senior manager, a supplier, or a bank. Uses pretexting, urgency, and authority to extract credentials, trigger actions, or gain information | Staff who follow verification procedures even under pressure. A helpdesk that refuses to reset a password without proper identity confirmation, regardless of how senior the caller claims to be. |
| Smishing | SMS messages with malicious links, typically impersonating delivery services, internal IT notifications, or MFA verification requests (MFA fatigue attacks) | Users who don't click links in unsolicited text messages and who verify unexpected MFA prompts before approving them. |
| Physical access | Tailgating through secured doors, impersonating contractors or delivery drivers, accessing server rooms, photographing sensitive information, connecting rogue devices to network ports | Reception that verifies all visitors. Staff who challenge unfamiliar faces in restricted areas. Server rooms that are actually locked, with access logged. |
| Pretexting | Constructing a detailed false identity — a new starter, an IT auditor, a fire safety inspector — complete with fake credentials, to manipulate staff into providing access or information | A culture where staff feel empowered to verify identities and escalate concerns without fear of being "rude" to a visitor or caller. |
| Media drops | USB drives labelled "Salary Review Q4" or "Redundancy List" left in common areas. If connected to a workstation, the payload phones home or captures screenshots. | Users who hand found USB drives to IT rather than plugging them in. Endpoint controls that block unauthorised removable media. |
The most important metric from a social engineering assessment isn't the click rate or the compromise rate — it's the report rate. An organisation where 20% of people click but 80% report the phish within 10 minutes has a strong security culture. An organisation where 5% click but nobody reports it has a dangerous one — because in a real attack, that unreported 5% is the attacker's foothold.
At a glance, the seven assessment types compare as follows:

| Type | Targets | Approach | Typical Duration | Essential When... |
|---|---|---|---|---|
| External | Internet-facing IPs, services, perimeter | Black box | 3–5 days | You have anything connected to the internet |
| Internal | LAN, Active Directory, servers, segmentation | Grey box (network access, standard user) | 5–10 days | You have on-premises or hybrid infrastructure |
| Web App | Applications, portals, APIs | Grey box (authenticated + unauthenticated) | 5–10 days per app | You operate any web-based application handling data |
| Mobile | iOS/Android apps and their API back-ends | Grey box (app binary + API access) | 5–8 days per platform | You have customer-facing mobile apps |
| Cloud | AWS / Azure / GCP configuration | White box (read-only console access) | 3–7 days per account | You host workloads in a public cloud |
| Wireless | Corporate, guest, and IoT Wi-Fi | On-site with specialist hardware | 2–3 days on-site | You have physical offices with Wi-Fi |
| Social Engineering | People — phishing, vishing, physical | Black box (realistic, unannounced) | 1–4 weeks | You have staff (which is everyone) |
No single test type covers everything. The right programme is a combination — chosen to match your environment, your threat landscape, and your maturity level.
In practice, the same scoping mistakes come up again and again:

| Mistake | Why It's Costly |
|---|---|
| External only, no internal | You've tested the front door but not the inside of the building. Most severe findings — and most real-world compromise paths — live on the internal network. |
| Web app tested, API ignored | The front-end is a skin. The API does the work. If you only test the skin, you miss the injection flaws, IDOR vulnerabilities, and authorisation bypasses in the API that powers it. |
| "We're in the cloud, we're secure" | The cloud provider doesn't configure your IAM policies, your storage permissions, or your network architecture. The shared responsibility model means your misconfigurations are your problem. |
| Never testing people | Phishing is the number one initial access vector in real attacks. If you've never tested your staff, you're defending against the least common attack paths while ignoring the most common one. |
| Scoping by price, not by risk | "What can we get for £5k?" is the wrong question. "What are we most worried about and how do we test that?" leads to an engagement that actually reduces risk rather than just producing a report. |
Penetration testing isn't one thing — it's seven (at least). External, internal, web application, mobile, cloud, wireless, and social engineering assessments each target a different layer, use different techniques, and find different vulnerabilities. No single type covers everything, and assuming otherwise creates blind spots that attackers will find.
The right approach is to match the test to the question. "Could someone on the internet break in?" is an external test. "What happens when a phishing email succeeds?" is an internal test. "Are our developers writing secure code?" is a web application test. "Would our staff recognise a targeted attack?" is a social engineering assessment.
Start with the layers most exposed and most valuable. Build from there. And always, always test the internal network — because the perimeter will fail eventually, and what matters then is what the attacker finds on the other side.
Every engagement starts with a free scoping call. We listen, we advise honestly, and we recommend only the tests that match your environment, your risk, and your budget — nothing more.