Introduction to Pentesting (FAQ)

Frequently Asked Questions

A penetration test (often called pentest for short) is a controlled, planned and authorized attack on IT systems, applications or networks, carried out to identify vulnerabilities before real attackers can find and exploit them. The written authorization, the agreed scope and the rules of engagement are what distinguish a penetration test from an actual attack.

In general, there are two common ways to categorize penetration tests: by their objective and attack vector, and by the amount of information the client provides. The latter is sometimes also referred to as the penetration test methodology, but this is misleading: the methodology describes how the penetration tester proceeds, i.e. according to which standard and with what technical process the test itself is conducted.

The amount of information provided is typically classified as Black Box, Gray Box or White Box testing. In a Black Box penetration test, the tester receives no information from the client beyond a rough target, such as a domain name or an IP address range. In a White Box penetration test, the tester is given full insight into systems, architecture, source code, and so on. In a Gray Box penetration test, which is the most commonly used approach, the tester receives more information than is publicly available. The idea is to make the test both effective and efficient. For example, during a web application test a tester without that information would have to guess or fingerprint which database is used; the client can simply state this (if necessary on request), which saves time and allows for more targeted testing.

Penetration tests can also be categorized by attack vector. Typically, a distinction is made between external and internal penetration tests. An external penetration test is conducted from outside, via the Internet, while an internal penetration test is carried out from a point inside the company's network. It is generally recommended to perform an external penetration test first, because Internet-facing systems have the higher exposure, and to follow up with an internal test. However, it is often during internal penetration tests that the most serious vulnerabilities are discovered, since internal systems are usually far less hardened than those exposed to the Internet.

Most companies that regularly perform penetration tests opt for an annual cycle. On the one hand, various standards require annual testing; on the other hand, an annual penetration test is easy to integrate into budget planning. A test every nine months, for example, would be difficult to align with financial planning, and a semi-annual schedule, meaning two tests per year, is too expensive for most companies.

However, there are companies that conduct penetration tests twice a year, focusing on different aspects each time. From a security and risk management perspective, it would be ideal to perform a penetration test after every significant system change. In practice, however, this often fails due to limited personnel and financial resources.

A Vulnerability Scan is an automated check, performed by a vulnerability scanner, that examines web applications, systems or networks for known vulnerabilities such as outdated software versions, missing patches or common misconfigurations. In practice, you enter the target information (IP addresses or domain names), start the scan and receive a report listing the issues found. Scans are fully automated and typically limited to previously published issues in known software components; their results can include false positives and therefore still need manual verification.

A Penetration Test, on the other hand, is a simulated attack on web applications, systems or networks, also aimed at identifying vulnerabilities. However, it is conducted manually by an experienced penetration tester who uses a wide range of tools (including vulnerability scanners), advanced attack techniques and a structured testing methodology. This makes it possible to uncover new or complex vulnerabilities, for example flaws in business logic or authorization that no scanner recognizes, and, depending on the agreed scope, to exploit them in order to demonstrate their real impact.

Penetration Testing
FAQ

Our FAQ provides clear answers to common questions – straight from pentesting experts and completely ad-free.

Introduction to Penetration Testing

Free

No Ads

Best answers to your questions

Company

binsec GmbH
Solmsstraße 41
60486 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorised Officer: Florian Zavatzki, Dominik Sauer
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808

© 2025 All rights reserved by binsec GmbH.
