What are the types of penetration testing?
- External network penetration testing
- Internal network penetration testing
- Web application penetration testing
- API penetration testing
- Mobile application penetration testing
- Social engineering and phishing
- Cloud security testing
- Red team assessment
Each type of penetration test targets a specific attack surface using specialized tools and methodologies. Most organizations need more than one type, depending on their infrastructure and risk profile. Here is what each type involves and when you need it.
External Network Penetration Testing
An external network penetration test targets your internet-facing infrastructure: public IP addresses, firewalls, mail servers, DNS servers, VPN gateways and any other services accessible from the internet. The tester simulates an attacker with no prior access who is probing your perimeter defenses from the outside.
You need an external network pentest if your organization has any public-facing infrastructure. This is the most fundamental type of penetration test and the starting point for most organizations. External pentests identify misconfigured services, unpatched software, weak encryption, exposed management interfaces and other perimeter weaknesses. At Sherlock Forensics, external network testing starts at $3,000 CAD.
Internal Network Penetration Testing
An internal network penetration test simulates an attacker who has already gained access to your internal network, perhaps through a phished employee, a compromised VPN credential or a rogue insider. The tester operates from inside your network perimeter and attempts to escalate privileges, move laterally between systems and access sensitive data.
You need an internal network pentest if you have an office network, Active Directory environment or internal services that should only be accessible to authorized employees. This type of test reveals weaknesses in network segmentation, privilege escalation paths, insecure internal services and credential management practices. Internal testing requires either on-site presence or a secure VPN connection.
Web Application Penetration Testing
Web application penetration testing focuses specifically on your web applications: the login pages, dashboards, forms, file uploads, search functions, payment flows and every other feature that users interact with through a browser. This is the most common type of penetration test because web applications represent the largest attack surface for most organizations.
The tester follows the OWASP Testing Guide methodology, checking for injection vulnerabilities, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfigurations, cross-site scripting, insecure deserialization and more. Manual testing of business logic is critical because automated scanners cannot understand your application's intended behavior. Web application pentests at Sherlock Forensics start at $1,500 CAD for quick audits.
API Penetration Testing
API penetration testing examines the application programming interfaces that your frontend, mobile app and third-party integrations use to exchange data. APIs are increasingly the primary attack surface because they handle authentication, data retrieval and business logic, often with less security scrutiny than the web frontend.
You need API testing if your application has a REST API, GraphQL API or any programmatic interface. Common API vulnerabilities include broken object-level authorization (accessing other users' data by changing IDs), excessive data exposure (API responses that include more data than the frontend displays), lack of rate limiting and missing authentication on internal endpoints. Many of the vulnerabilities we find exist exclusively at the API layer and would not be discovered through web application testing alone.
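The two API flaws named above, broken object-level authorization and excessive data exposure, are easiest to see side by side. The following Python is an added example, not code from Sherlock Forensics or from any client application: it shows a vulnerable order lookup next to a hardened one, and a small log heuristic of the kind a defender can use to spot ID enumeration. The in-memory `ORDERS` store, the `User` model and the field names are constructed assumptions.

```python
# Added example (not Sherlock Forensics code): a vulnerable order endpoint beside
# a hardened one, plus a log heuristic for spotting ID enumeration.
# The ORDERS store, the User model and the field names are constructed assumptions.
from dataclasses import dataclass

# Constructed in-memory stand-in for the orders table.
ORDERS = {
    101: {"id": 101, "owner_id": 1, "total": 42.50, "card_last4": "4242",
          "internal_fraud_score": 0.03, "warehouse_note": "fragile"},
    102: {"id": 102, "owner_id": 2, "total": 99.00, "card_last4": "1111",
          "internal_fraud_score": 0.71, "warehouse_note": "hold"},
}


@dataclass
class User:
    id: int
    role: str = "customer"


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_order_vulnerable(user: User, order_id: int) -> dict:
    """Broken object-level authorization: the endpoint trusts that being logged in
    is enough and never compares the order's owner with the caller. It also returns
    the raw row, so internal fields leak (excessive data exposure)."""
    return ORDERS[order_id]


# Response allowlist: only these fields are ever serialized for a customer.
CUSTOMER_FIELDS = ("id", "total", "card_last4")


def get_order_hardened(user: User, order_id: int) -> dict:
    """Object-level check on every request plus explicit response shaping."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != user.id and user.role != "admin"):
        # One error for both "no such order" and "not your order": the response
        # must not tell a caller which IDs exist.
        raise Forbidden("order not found")
    return {field: order[field] for field in CUSTOMER_FIELDS}


def can_read(user: User, order_id: int) -> bool:
    """True if the hardened endpoint lets this user read this order."""
    try:
        get_order_hardened(user, order_id)
        return True
    except Forbidden:
        return False


def flag_enumeration(access_log, threshold: int = 3):
    """Detection heuristic over (user_id, order_id) access records: a user who
    requests `threshold` or more distinct orders that are not theirs is walking
    through IDs. Returns the offending user IDs, sorted."""
    foreign = {}
    for user_id, order_id in access_log:
        order = ORDERS.get(order_id)
        if order is None or order["owner_id"] != user_id:
            foreign.setdefault(user_id, set()).add(order_id)
    return sorted(uid for uid, ids in foreign.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Constructed access log: user 2 walks IDs 101..104, user 1 reads their own order.
    log = [(2, 101), (2, 102), (2, 103), (2, 104), (1, 101)]
    print("vulnerable:", get_order_vulnerable(User(2), 101))  # leaks user 1's order
    print("hardened:", get_order_hardened(User(1), 101))
    print("enumeration suspects:", flag_enumeration(log))  # [2]
```

The hardened version makes two separate decisions on every call: whether this caller may see this object at all, and which fields of it may leave the server. Collapsing "not found" and "not yours" into one response keeps the error channel from confirming which IDs exist, which is exactly what an enumeration attempt is fishing for.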
Mobile Application Penetration Testing
Mobile application penetration testing examines iOS and Android applications for security vulnerabilities. This includes analyzing the application binary, examining local data storage, testing network communications, evaluating authentication mechanisms and checking for sensitive data leakage.
You need mobile testing if your organization has a mobile app that handles sensitive data or business functions. Mobile-specific risks include insecure local storage (credentials stored in plaintext on the device), certificate pinning bypass, hardcoded secrets in the application binary, insecure inter-process communication and data leakage through clipboard, screenshots and backups.
Social Engineering and Phishing
Social engineering testing evaluates your organization's human defenses. The most common form is a simulated phishing campaign where the testing team sends realistic phishing emails to employees and measures who clicks, who enters credentials and who reports the attempt.
You need social engineering testing if your organization has employees with access to sensitive systems or data. Phishing remains the most common initial access vector for real-world breaches. Testing reveals which employees are susceptible, whether your email security controls catch malicious messages and whether your security awareness training is effective. Social engineering can also include vishing (phone-based attacks), physical access attempts and pretexting.
Cloud Security Testing
Cloud security testing examines your AWS, Azure or Google Cloud infrastructure for misconfigurations, overly permissive IAM policies, exposed storage buckets, insecure serverless functions and other cloud-specific vulnerabilities. The cloud shared responsibility model means your cloud provider secures the infrastructure, but you are responsible for securing your configuration.
You need cloud security testing if your infrastructure runs on any public cloud platform. Common findings include S3 buckets with public read access, IAM roles with excessive permissions, security groups that allow unrestricted inbound access, unencrypted databases and logging configurations that miss critical events. Cloud misconfigurations are responsible for a significant percentage of data breaches.
Red Team Assessment
A red team assessment is the most comprehensive and adversarial form of security testing. A team of senior security professionals simulates a sophisticated, targeted attack against your organization over weeks or months. The red team uses any combination of technical exploitation, social engineering, physical access and custom tooling to achieve defined objectives such as accessing the CEO's email, exfiltrating customer data or disrupting critical business processes.
You need a red team assessment if your organization has a mature security program and wants to test its detection and response capabilities, not just find vulnerabilities. Red teaming answers the question: "If a determined, skilled attacker targeted us specifically, would we detect them and how far would they get?" Red team engagements at Sherlock Forensics start at $25,000 CAD and run 4 to 8 weeks.
Choosing the Right Type
Selecting the right type of penetration test depends on your organization's attack surface and risk profile:
- Startup with a web app: Web application pentest, possibly with API testing. Start at $1,500 CAD.
- SaaS company: Web application, API and cloud security testing. $3,000 to $10,000 CAD.
- Company with offices: External and internal network testing, plus social engineering. $10,000 to $25,000 CAD.
- Enterprise with mature security: Red team assessment combining multiple attack vectors. $25,000 to $50,000+ CAD.
Not sure which type you need? Contact Sherlock Forensics for a free scoping consultation. We will assess your attack surface and recommend the right combination of testing for your risk profile and budget.
People Also Ask
Which type of pentest do I need?
If you have a web application with user accounts, start with a web application penetration test. If you also have APIs, add API testing. If you need compliance like SOC 2, you likely need both external and internal network testing. For organizations with mature security programs, a red team assessment tests detection and response capabilities. Sherlock Forensics can scope the right test for your needs.
What is red teaming?
Red teaming is an advanced form of security testing where a team of professionals simulates a sophisticated real-world attack against your organization over weeks or months. Unlike a standard pentest that focuses on finding vulnerabilities, a red team assessment tests your security team's ability to detect, respond to and contain an active threat using any combination of technical, social and physical attacks.
How is API testing different?
API penetration testing focuses specifically on your application programming interfaces, the endpoints that your frontend, mobile app and third-party integrations use to exchange data. API testing examines authentication mechanisms, authorization controls, input validation, rate limiting, data exposure and business logic flaws that are unique to API architectures and invisible to web-only testing.