Penetration Testing Overview

What is a Penetration Test?

A penetration test is an organized, targeted, and authorized attack that tests a company's infrastructure, employees, and other technologies to identify security vulnerabilities. It uses the same real-world techniques that malicious actors use, so that vulnerabilities are found before those actors compromise the company's infrastructure.

External vs. Internal Penetration Test

External Pentest

The penetration test is performed from outside the company's network. This tests the security of the external network perimeter and more realistically reflects how a malicious user would gain access. Certain pentests may also be purposely "noisy" to test the company's blue team.

Internal Pentest

The penetration test is performed from within the company's internal network. This stage may occur after a successful external pentest, or you may start from within the company's network.

Types of Pentests

| Type | Information Provided |
| --- | --- |
| Blackbox | Minimal. Only the essential information, such as IP addresses and domains, is provided. |
| Greybox | Extended. In this case, we are provided with additional information, such as specific URLs, hostnames, subnets, and similar. |
| Whitebox | Maximum. Here everything is disclosed to us. This gives us an internal view of the entire structure, which allows us to prepare an attack using internal information. We may be given detailed configurations, admin credentials, web application source code, etc. |
| Red-Teaming | May include physical testing and social engineering, among other things. Can be combined with any of the above types. |
| Purple-Teaming | It can be combined with any of the above types. However, it focuses on working closely with the defenders. |
