TL;DR
There are several types of penetration testing, and choosing the wrong one means you’re testing the wrong thing. This post covers the main types: network, web application, internal, external, mobile, physical, and social engineering, plus guidance on which applies to your situation.
A business decides it needs a pen test. They request a quote. The provider asks: what’s the scope? What type? Most buyers don’t know how to answer.
That’s not a failing on the buyer’s part; it’s the normal situation. Penetration testing covers a range of methodologies, each targeting a different part of your environment, and the right one depends on what you’re trying to validate. This post explains each type and helps you work out which one fits your context.
Network Penetration Testing
Network penetration testing covers your infrastructure: firewalls, switches, routers, and services exposed on the network. It tests whether an attacker can gain access through network-level vulnerabilities.
Network pen tests can be run in two ways.
External network testing simulates an attacker approaching from outside your network perimeter. The tester probes internet-facing assets, public IP addresses, and exposed services to see what can be reached and whether it can be exploited.
Internal network testing simulates an attacker who already has a foothold inside the network, via a compromised device, a phishing email, or a rogue insider. The tester attempts lateral movement, privilege escalation, and access to sensitive data from within the environment.
Most organisations need both. External testing tells you what’s exposed. Internal testing tells you what an attacker could do once they’re in.
External Penetration Testing
External penetration testing is the most common starting point for organisations that are new to pen testing. It simulates an attacker with no prior access who is probing your internet-facing assets.
The scope typically includes public IP addresses, internet-facing web applications, exposed ports and services, DNS infrastructure, and email security configuration. The objective is to determine whether an external attacker can gain access to your environment without any insider knowledge.
External testing is the baseline most cyber insurers and compliance frameworks expect, and it’s where most organisations should start.
Internal Penetration Testing
Internal penetration testing assumes an attacker has already gained initial access. The test starts from inside the network, typically simulating a compromised end-user device or a credential obtained through phishing.
The tester attempts to move laterally through the network, escalate privileges, access sensitive systems and data, and demonstrate the full extent of what an attacker with that initial foothold could achieve.
Internal testing has become increasingly important given the pattern of real-world breaches. Most significant breaches don’t involve attackers battering through the perimeter. They involve initial access (often through phishing or a compromised credential) followed by weeks or months of quiet lateral movement before the main damage is done. Internal testing shows how far that pattern could progress in your environment and whether your controls would block or detect it along the way.
Web Application Penetration Testing
Web application penetration testing focuses specifically on web applications rather than network infrastructure. It’s a different methodology targeting a different attack surface.
The test covers authentication and session management, injection vulnerabilities (SQL injection, cross-site scripting), cross-site request forgery (CSRF), business logic flaws, API security, and access control. Testing should align with the OWASP Top 10 as a minimum baseline.
The key distinction from automated vulnerability scanning is that manual testing finds logic and authorisation flaws that automated tools miss. An automated scanner can find known injection points. A skilled tester can find an access control flaw where, for example, changing an identifier in a request (an order number, a user ID) returns another user’s data because the server never checks that the object belongs to the caller. A scanner has no way of knowing which records a user should be allowed to see, so it won’t flag this.
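The flaw described above, shown as an added example that is not code from the original post: a lookup that trusts the identifier in the request, beside a version that scopes the lookup to the authenticated user. The order table, user names and handler functions are constructed for illustration.

```python
"""Insecure direct object reference (IDOR) beside its hardened form.
Added illustration, not from the original post; data is constructed inline."""


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


# Constructed sample data standing in for an orders table.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 99.95},
}


def get_order_vulnerable(session_user: str, order_id: int) -> dict:
    """Looks the order up by the id taken straight from the request.

    The session user is authenticated but never consulted, so any logged-in
    user can read any order simply by changing order_id.
    """
    return ORDERS[order_id]


def get_order_hardened(session_user: str, order_id: int) -> dict:
    """Scopes the lookup to the caller.

    A missing order and an order owned by someone else produce the same error,
    so a tester cannot use the response to enumerate which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read order {order_id}")
    return order


def probe(handler) -> bool:
    """What a manual tester does: authenticate as alice, then request the
    id that belongs to bob. Returns True if bob's data was returned."""
    try:
        order = handler("alice", 1002)
    except (Forbidden, KeyError):
        return False
    return order["owner"] == "bob"


if __name__ == "__main__":
    print("vulnerable handler leaks bob's order:", probe(get_order_vulnerable))
    print("hardened handler leaks bob's order:", probe(get_order_hardened))
```

Both handlers return identical, valid-looking JSON for a legitimate request, which is why a scanner comparing responses against known payloads sees nothing wrong; only a tester who knows that `1002` is someone else’s order can tell the two apart.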
PCI DSS requires application-layer penetration testing of systems in scope of the cardholder data environment, so a web application test is mandatory if the application handles payment card data. It’s also appropriate for any externally facing application that handles sensitive customer data.
Mobile Application Penetration Testing
Mobile application testing covers iOS and Android applications. The test examines client-side data storage (sensitive data shouldn’t be stored insecurely on the device), data transmission security, authentication and session handling, and how the app communicates with its backend APIs.
This is relevant for any business with a customer-facing mobile application, particularly in financial services, healthcare, or retail where the app handles sensitive personal or financial data.
Physical Penetration Testing
Physical penetration testing tests whether physical security controls can be bypassed. This includes attempting to access secure areas by tailgating through controlled doors, bypassing badge readers, or locating and accessing unlocked workstations with network access.
This type of test is relevant for organisations with secure facilities, data centres, server rooms with physical access controls, or environments where physical access to systems poses a significant security risk.
Social Engineering Testing
Social engineering testing assesses whether your staff can be manipulated into disclosing credentials or granting access. It’s not a purely technical test, but it addresses one of the most common initial access vectors in real-world attacks.
Common methods include phishing simulations (targeted emails designed to capture credentials or deliver a payload), vishing (phone-based social engineering, typically impersonating IT support or a supplier), and pretexting (building a cover story to extract information).
Social engineering testing is often run alongside network or application testing as part of a broader assessment. Separately, phishing simulations are commonly run as part of ongoing security awareness programmes rather than as point-in-time tests.
Black Box, White Box, and Grey Box Testing
These terms describe how much information the tester is given at the start of the engagement.
| Test Type | What the Tester Knows | When to Use It |
|---|---|---|
| Black Box | Nothing upfront. Simulates an external attacker with no insider knowledge | Testing your external exposure as a real attacker would see it |
| White Box | Full access: documentation, source code, architecture diagrams, credentials | Most thorough; efficient for code review and application testing |
| Grey Box | Partial information: credentials, basic architecture, but not source code | Simulates an insider or partially informed attacker; common for web app testing |
Grey box testing is the most common approach for web application and internal assessments. It’s more time-efficient than black box testing and produces more thorough results than starting completely blind.
Which Type Does Your Business Need?
Use this as a starting point.
- Launching a new web application or API: web application penetration test.
- Preparing for a government contract or Essential Eight assessment: external and internal network penetration testing.
- Meeting an insurance requirement: external network test as a minimum; check your policy for specific requirements.
- Post-breach validation: targeted internal test on the compromised scope to confirm the access vector has been closed.
- Comprehensive risk assessment: combination of external, internal, and web application testing.
- Customer-facing mobile app in healthcare or financial services: mobile application testing alongside web application testing.
A scoping call with a qualified provider will narrow this down further based on your specific environment, compliance obligations, and risk profile.
Conclusion
The right type of pen test depends on what you’re trying to find. If you’re not sure where to start, a scoping call with Gridware’s testing team will help you identify which assessment makes sense for your environment and obligations.
Frequently Asked Questions
What are the main types of penetration testing?
The main types are: external network testing (internet-facing assets), internal network testing (lateral movement from inside the network), web application testing (web apps and APIs), mobile application testing (iOS and Android), physical testing (physical access controls), and social engineering testing (staff manipulation via phishing and other methods). Tests are also categorised by information level: black box, grey box, and white box.
What is the difference between internal and external penetration testing?
External testing simulates an attacker approaching from outside your network with no prior access. It tells you what’s exposed and whether it can be exploited. Internal testing simulates an attacker who already has a foothold inside. It tells you what damage they could do through lateral movement and privilege escalation. Most organisations need both.
What is black box vs white box vs grey box testing?
Black box means the tester has no prior information, simulating an external attacker. White box means full access to documentation, source code, and architecture for the most thorough coverage. Grey box provides partial information, typically credentials and basic architecture. Grey box is the most common approach for web application and internal assessments, balancing thoroughness with efficiency.
What is OWASP and why does it matter for web application pen testing?
OWASP (Open Web Application Security Project) publishes the OWASP Top 10, a widely referenced list of the most critical web application security risks, covering vulnerabilities like SQL injection, broken authentication, and security misconfiguration. For web application pen testing, the OWASP Top 10 is a minimum testing baseline. An assessment that doesn’t address it is incomplete.
Do I need a network pen test or a web application pen test?
If your primary risk is internet-facing network infrastructure (firewalls, exposed services, public IPs), start with an external network test. If your primary risk is a web application or API, start with a web application test. If both are significant attack surfaces, you need both. A scoping call with a qualified tester will help prioritise based on your environment.
What is the difference between penetration testing and vulnerability scanning?
Vulnerability scanning uses automated tools to identify known weaknesses. It’s fast and can be run frequently. Penetration testing uses human testers who attempt to actually exploit vulnerabilities, chain findings together, and demonstrate real attack paths. Scanning tells you what vulnerabilities exist; testing shows what an attacker could do with them. Both have a role in a security programme.
How long does a penetration test take?
An external network test for a mid-market environment typically takes three to five days of active testing. A web application test for a moderately complex application commonly takes five to ten days. Larger environments or assessments covering multiple test types take longer. Scoping, reporting, and retesting add time on top of the active phase.