Understanding your infrastructure and network vulnerabilities can be hugely beneficial with mapping out your overall security strategy. Giving you guidance on where best to focus valuable resource and budget.
Penetration testing (pen test) is a comprehensive test of your current IT Security infrastructure performed by highly skilled, ethical hackers. Penetration tests simulate a real-world attack testing your computer systems, network and applications for security weaknesses. Unlike a real attack, pen tests are conducted in an authorised, manner.
During a pen test the hacker will look for misconfigurations, outdated software and logical flaws with the sole aim to gain access. If successful, they will then look to escalate privileges and identify how far into the network they can go.
While penetration tests generally come under one umbrella, there are in fact different tests available. We help customers identify which method would be the most effective for their environment.
Penetration Testing Types
The core 3 tests include Infrastructure penetration testing, Application penetration testing and cloud penetration testing. However more bespoke tests might include mobile, wireless, open box, closed box and internal testing.
Infrastructure penetration testing
Infrastructure pen testing, also known as network pen testing, focuses on the hardware, firmware, and operating systems in your IT estate. This includes things like servers, network devices, and virtualized environments.
Application penetration testing
Application penetration tests focus on applications that are hosted on the underlying infrastructure, rather than the infrastructure itself. This could be web apps and APIs, or it could be mobile apps, such as iOS and Android penetration testing.
Cloud penetration testing
Cloud penetration testing audits the security of your cloud-based infrastructure, applications and services. AWS, Azure and GCP-hosted systems are the most commonly tested.
- Identify security vulnerabilities
- Help prioritse and build your overall Cyber strategy
- Prevent hackers from Infiltrating systems
- Avoid heavy costs from data breaches and/or business operations
- Comply with regulations
- Protect your supply chain and brand
- Follow Security best practise
Talk to a Cyber Advisor
Our Cyber Advisors can agree the right penetration test for your organisation, request a call back to speak to us about your requirements
Internal vs External
Internal infrastructure or authenticated application tests simulate the damage a malicious attacker could do if they were to breach your network perimeter or phish login credentials for an application. It is a much more involved test, and also models the impact of a rogue employee or other insider threat.
External infrastructure or unauthenticated application tests explore what damage a malicious hacker could achieve without privileged access. It is a quicker test that models the more common ‘opportunistic’ type threat actor.
Choose your box colour?
When defining a penetration test, it is important to define how much information is disclosed up-front, also known as the box colour:
A black box test is where almost nothing is known about the target environment ahead of the test. Whilst this positions the tester in a similar position to a real-world hacker, it means precious test time is wasted on simple discovery tasks.
There is also a middle option; as the name implies, a grey box test is a mix of white and black box tests, where the pen tester has limited information about the target environment. This is a ‘best-of-both-worlds’ approach and often leads to tests with the best – and most cost effective – outcomes.
A white box test is where everything about the environment, possibly even the source code, is known by the pen tester ahead of the test. Whilst this has the potential to make for a very thorough test, it is not reflective of a real-world hack, and can cause the scope to become diluted.
Need to conduct a Pentest? Speak to our team and we can scope out your requirements and sit you down with one of our certified ethical hackers to uncover your weaknesses…
Whist your here, why not also discuss the latest in Breach and Attack Simulation Tools, or ask us about Penetration Testing as a Service (PTaaS) where we can automate traditional testing and reporting.