Types of Penetration Testing Explained: Web App, Network, Internal and External

TL;DR

There are several types of penetration testing, and choosing the wrong one means you’re testing the wrong thing. This post covers the main types: network, web application, internal, external, mobile, physical, and social engineering, plus guidance on which applies to your situation.

A business decides it needs a pen test. They request a quote. The provider asks: what’s the scope? What type? Most buyers don’t know how to answer.

That’s not a knowledge gap; it’s a common situation. Penetration testing covers a range of methodologies, each targeting a different part of your environment. Choosing the right one depends on what you’re trying to validate. This post explains each type and helps you work out which one fits your context.

Network Penetration Testing

Network penetration testing covers your infrastructure: firewalls, switches, routers, and services exposed on the network. It tests whether an attacker can gain access through network-level vulnerabilities.

Network pen tests can be run in two ways.

External network testing simulates an attacker approaching from outside your network perimeter. The tester probes internet-facing assets, public IP addresses, and exposed services to see what can be reached and whether it can be exploited.

Internal network testing simulates an attacker who already has a foothold inside the network, via a compromised device, a phishing email, or a rogue insider. The tester attempts lateral movement, privilege escalation, and access to sensitive data from within the environment.

Most organisations need both. External testing tells you what’s exposed. Internal testing tells you what an attacker could do once they’re in.

External Penetration Testing

External penetration testing is the most common starting point for organisations that are new to pen testing. It simulates an attacker with no prior access who is probing your internet-facing assets.

The scope typically includes public IP addresses, internet-facing web applications, exposed ports and services, DNS infrastructure, and email security configuration. The objective is to determine whether an external attacker can gain access to your environment without any insider knowledge.

External testing is a baseline requirement in most insurance and compliance contexts. It’s where most organisations should start.

Internal Penetration Testing

Internal penetration testing assumes an attacker has already gained initial access. The test starts from inside the network, typically simulating a compromised end-user device or a credential obtained through phishing.

The tester attempts to move laterally through the network, escalate privileges, access sensitive systems and data, and demonstrate the full extent of what an attacker with that initial foothold could achieve.

Internal testing has become increasingly important given the pattern of real-world breaches. Most significant breaches don’t involve attackers battering through the perimeter. They involve initial access (often through phishing or a compromised credential) followed by weeks or months of quiet lateral movement before the main damage is done. Internal testing validates your ability to detect and stop that pattern.

Web Application Penetration Testing

Web application penetration testing focuses specifically on web applications rather than network infrastructure. It’s a different methodology targeting a different attack surface.

The test covers authentication and session management, injection vulnerabilities (SQL injection, cross-site scripting), cross-site request forgery (CSRF), business logic flaws, API security, and access control. Testing should align with the OWASP Top 10 as a minimum baseline.

The key distinction from automated vulnerability scanning is that manual testing finds logic flaws that automated tools miss. An automated scanner can find known injection points. A skilled tester can find a business logic flaw where, for example, changing a parameter in a request allows access to another user’s account, a vulnerability a scanner won’t detect.
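The parameter-change flaw described above, shown as a vulnerable handler beside its hardened form, with the cross-user check a tester performs by hand. This is an added example, not code from the original post; the handler names, the Session type and the account records are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: int  # set server-side at login, never read from the request

# Constructed sample data: account_id -> record
ACCOUNTS = {
    1001: {"owner_id": 1, "email": "alice@example.test"},
    1002: {"owner_id": 2, "email": "bob@example.test"},
}

class NotFound(Exception):
    pass

def get_account_vulnerable(session, account_id):
    """Before: the caller is authenticated, but account_id is trusted as sent."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise NotFound(account_id)
    return account  # well-formed success response, so a scanner sees nothing odd

def get_account_hardened(session, account_id):
    """After: the record must belong to the session's user."""
    account = ACCOUNTS.get(account_id)
    # Same error for "missing" and "not yours", so IDs cannot be enumerated.
    if account is None or account["owner_id"] != session.user_id:
        raise NotFound(account_id)
    return account

def cross_user_leaks(handler):
    """Request every account as every user; return (user_id, account_id)
    pairs where the handler returned a record owned by someone else."""
    leaks = []
    for user_id in sorted({a["owner_id"] for a in ACCOUNTS.values()}):
        for account_id, account in ACCOUNTS.items():
            try:
                handler(Session(user_id), account_id)
            except NotFound:
                continue
            if account["owner_id"] != user_id:
                leaks.append((user_id, account_id))
    return leaks

if __name__ == "__main__":
    print("vulnerable:", cross_user_leaks(get_account_vulnerable))
    print("hardened:  ", cross_user_leaks(get_account_hardened))
```

The same cross-user matrix can be kept as a regression test so the ownership check stays in place after the pen test findings are fixed.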

Web application pen testing is mandatory for PCI DSS compliance if the application handles payment card data. It’s also appropriate for any externally facing application that handles sensitive customer data.

Mobile Application Penetration Testing

Mobile application testing covers iOS and Android applications. The test examines client-side data storage (sensitive data shouldn’t be stored insecurely on the device), data transmission security, authentication and session handling, and how the app communicates with its backend APIs.

This is relevant for any business with a customer-facing mobile application, particularly in financial services, healthcare, or retail where the app handles sensitive personal or financial data.

Physical Penetration Testing

Physical penetration testing assesses whether physical security controls can be bypassed. This includes attempting to access secure areas by tailgating through controlled doors, bypassing badge readers, or locating and accessing unlocked workstations with network access.

This type of test is relevant for organisations with secure facilities, data centres, server rooms with physical access controls, or environments where physical access to systems poses a significant security risk.

Social Engineering Testing

Social engineering testing assesses whether your staff can be manipulated into disclosing credentials or granting access. It’s not a purely technical test, but it addresses one of the most common initial access vectors in real-world attacks.

Common methods include phishing simulations (targeted emails designed to capture credentials or deliver a payload), vishing (phone-based social engineering, typically impersonating IT support or a supplier), and pretexting (building a cover story to extract information).

Social engineering testing is often run alongside network or application testing as part of a broader assessment. Separately, phishing simulations are commonly run as part of ongoing security awareness programmes rather than as point-in-time tests.

Black Box, White Box, and Grey Box Testing

These terms describe how much information the tester is given at the start of the engagement.

| Test Type | What the Tester Knows | When to Use It |
| --- | --- | --- |
| Black Box | Nothing upfront. Simulates an external attacker with no insider knowledge | Testing your external exposure as a real attacker would see it |
| White Box | Full access: documentation, source code, architecture diagrams, credentials | Most thorough; efficient for code review and application testing |
| Grey Box | Partial information: credentials, basic architecture, but not source code | Simulates an insider or partially informed attacker; common for web app testing |

Grey box testing is the most common approach for web application and internal assessments. It’s more time-efficient than black box testing and produces more thorough results than starting completely blind.

Which Type Does Your Business Need?

Use this as a starting point.

  • Launching a new web application or API: web application penetration test.
  • Preparing for a government contract or Essential Eight assessment: external and internal network penetration testing.
  • Meeting an insurance requirement: external network test as a minimum; check your policy for specific requirements.
  • Post-breach validation: targeted internal test on the compromised scope to confirm the access vector has been closed.
  • Comprehensive risk assessment: combination of external, internal, and web application testing.
  • Customer-facing mobile app in healthcare or financial services: mobile application testing alongside web application testing.

A scoping call with a qualified provider will narrow this down further based on your specific environment, compliance obligations, and risk profile.

Conclusion

The right type of pen test depends on what you’re trying to find. If you’re not sure where to start, a scoping call with Gridware’s testing team will help you identify which assessment makes sense for your environment and obligations.

Frequently Asked Questions

The main types are: external network testing (internet-facing assets), internal network testing (lateral movement from inside the network), web application testing (web apps and APIs), mobile application testing (iOS and Android), physical testing (physical access controls), and social engineering testing (staff manipulation via phishing and other methods). Tests are also categorised by information level: black box, grey box, and white box.

External testing simulates an attacker approaching from outside your network with no prior access. It tells you what’s exposed and whether it can be exploited. Internal testing simulates an attacker who already has a foothold inside. It tells you what damage they could do through lateral movement and privilege escalation. Most organisations need both.

Black box means the tester has no prior information, simulating an external attacker. White box means full access to documentation, source code, and architecture for the most thorough coverage. Grey box provides partial information, typically credentials and basic architecture. Grey box is the most common approach for web application and internal assessments, balancing thoroughness with efficiency.

OWASP (Open Web Application Security Project) publishes the OWASP Top 10, a widely referenced list of the most critical web application security risks, covering vulnerabilities like SQL injection, broken authentication, and security misconfiguration. For web application pen testing, the OWASP Top 10 is a minimum testing baseline. An assessment that doesn’t address it is incomplete.

If your primary risk is internet-facing network infrastructure (firewalls, exposed services, public IPs), start with an external network test. If your primary risk is a web application or API, start with a web application test. If both are significant attack surfaces, you need both. A scoping call with a qualified tester will help prioritise based on your environment.

Vulnerability scanning uses automated tools to identify known weaknesses. It’s fast and can be run frequently. Penetration testing uses human testers who attempt to actually exploit vulnerabilities, chain findings together, and demonstrate real attack paths. Scanning tells you what vulnerabilities exist; testing shows what an attacker could do with them. Both have a role in a security programme.

An external network test for a mid-market environment typically takes three to five days of active testing. A web application test for a moderately complex application commonly takes five to ten days. Larger environments or assessments covering multiple test types take longer. Scoping, reporting, and retesting add time on top of the active phase.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. He is recognised for his insights into offensive security and emerging technologies such as blockchain, and often contributes to broader cybersecurity conversations across the country. With an extensive background as a security advisor to major Australian enterprises, Ahmed helps organisations navigate the evolving threat landscape with clarity and confidence.
