
Penetration Testing

A penetration test, commonly known as a pentest, goes beyond a vulnerability assessment by not just identifying potential security flaws but also actively exploiting them to assess the real-world risks involved. It could also be called ethical hacking. While a vulnerability assessment aims to provide a list of weaknesses that could be exploited, a pentest takes it a step further by simulating cyber attacks to gauge how effective current security measures really are. This helps organizations understand not only their vulnerabilities but also the potential impact of a successful breach, thereby offering a more holistic view of their cybersecurity landscape.

 

There are several types of test that we can perform:

The "White Box"

 

The tester has full knowledge of the system they are attacking. This type of access allows for a comprehensive evaluation of both external and internal security controls.

 

To simplify, think of a medical check-up, where the doctor has complete medical history and can therefore run very specific tests to evaluate health risks.

The "Gray Box"

This approach is a middle-ground methodology where the penetration tester has partial knowledge of the system's internal workings, often provided by the organization itself. This simulates an attack by an insider or an external attacker who has gained some level of authorized access.

 

Gray Box testing provides a balanced view of the system's security, as it allows for focused testing based on partial information, making it more time-efficient than a black box test while still offering a detailed security evaluation.

The "Black Box"

 

This is where I really get to test my hacking skills! This test simulates a real-world attack where the tester has no prior knowledge of the system. This mimics the conditions of an actual cyber attack from an external malicious actor.

 

Black Box testing offers an unbiased view of what a hacker can accomplish solely with publicly available information and without the advantages of insider knowledge. It's a crucial approach for identifying vulnerabilities that may be obvious to skilled hackers but may not be apparent during internal reviews.

The "Full Spectrum"

It is also possible to run a longer engagement that encompasses all three of the previous types of tests. This usually starts from the black box perspective and gradually progresses through the other phases in reverse order. This is the most comprehensive type of test that can be performed, and usually requires the most time.

Each engagement is different and will be charged differently depending on your network size and type of service.  
