Types of Penetration Testing: A Complete Overview of Every Service Type
Penetration testing is not a single service. It encompasses a range of specialised assessment types, each designed to evaluate different parts of your technology stack. Understanding the options helps you scope the right tests for your environment, budget, and risk profile.
Web Application Penetration Testing
Web application testing is the most commonly requested type. It focuses on identifying vulnerabilities in web-based applications, including authentication and session management flaws, injection vulnerabilities (SQL injection, XSS, command injection), authorisation and access control issues, business logic flaws, and insecure data handling.
Testers typically follow the OWASP Testing Guide methodology and evaluate the application from an attacker's perspective. This includes testing how the application handles malicious input, whether users can escalate their privileges, and whether sensitive data is properly protected in transit and at rest.
Web application testing is recommended for any organisation with customer-facing web applications, internal portals, or SaaS platforms. The complexity and cost scale with the number of user roles, features, and integrations.
Network Penetration Testing
Network testing evaluates your infrastructure from a network perspective. It comes in two main varieties.
External network testing assesses your perimeter defences from the internet. Testers target public-facing systems, firewalls, VPNs, mail servers, and DNS infrastructure to identify vulnerabilities that an external attacker could exploit to gain initial access.
Internal network testing simulates a threat actor who has already gained a foothold inside your network, perhaps through a compromised employee workstation, phishing attack, or physical access. Testers attempt to escalate privileges, move laterally between systems, and access sensitive resources. Active Directory testing is often a major component.
Most organisations benefit from both external and internal testing. External tests assess your perimeter, while internal tests reveal what an attacker could do after getting inside.
Mobile Application Penetration Testing
Mobile application testing evaluates iOS and Android apps for vulnerabilities specific to the mobile platform. This includes insecure data storage on the device, weak or missing certificate pinning, insecure inter-process communication, hardcoded credentials or API keys in the app binary, vulnerabilities in the backend API, and reverse engineering risks.
Testers typically follow the OWASP Mobile Testing Guide. Each platform (iOS and Android) is usually scoped and priced separately, as they have different security models and vulnerability classes.
API Penetration Testing
As applications increasingly rely on APIs, dedicated API testing has become essential. This covers REST APIs, GraphQL endpoints, SOAP web services, and microservice architectures. Testers evaluate authentication and authorisation mechanisms, input validation, rate limiting, data exposure through verbose responses, and business logic flaws in API workflows.
API testing often overlaps with web application testing, but a dedicated API test goes deeper into the API layer and is particularly important for organisations offering APIs to third parties.
Cloud Security Assessment
Cloud assessments evaluate the security of your cloud infrastructure on platforms like AWS, Azure, and GCP. This includes identity and access management configuration, storage bucket and blob permissions, network security group rules, encryption settings, logging and monitoring configuration, and serverless function security.
Cloud assessments require testers with specific cloud platform expertise. A skilled AWS tester may not have the same depth of knowledge on Azure, so match the provider's cloud experience to your environment.
Wireless Penetration Testing
Wireless testing evaluates your WiFi networks and related wireless infrastructure. Testers assess encryption strength, authentication mechanisms, rogue access point detection, guest network isolation, and the potential for attackers to intercept wireless traffic.
This type of testing typically requires on-site presence, though some aspects can be assessed remotely.
Social Engineering Assessment
Social engineering tests evaluate the human element of your security. Common approaches include phishing simulations (email-based attacks targeting employees), vishing (phone-based social engineering), physical social engineering (attempting to gain unauthorised physical access), and USB drop attacks.
These assessments are valuable for testing security awareness and the effectiveness of your training programmes. They are often combined with technical testing in red team engagements.
Red Team Engagement
Red teaming is the most comprehensive and realistic form of offensive security testing. A red team simulates a sophisticated attacker using any combination of technical exploitation, social engineering, and physical access to achieve specific objectives, such as accessing a particular database or compromising a key executive's account.
Red team engagements are typically multi-week exercises with fewer constraints than standard penetration tests. They test not just your vulnerabilities, but your detection and response capabilities. They are most appropriate for mature organisations that have already addressed the basics through standard penetration testing.
IoT and Embedded Device Testing
IoT testing evaluates the security of connected devices, including firmware analysis, hardware interfaces (JTAG, UART), communication protocols (Bluetooth, Zigbee, LoRa), cloud backends, and mobile companion apps. This is a specialised field requiring specific hardware skills and tooling.
OT and SCADA Testing
Operational technology testing focuses on industrial control systems, SCADA environments, and critical infrastructure. This requires deep specialist knowledge and extreme care, as disruption to these systems can have physical safety implications.
Choosing the Right Tests
Start with your threat model. What are your critical assets? Where do you face the greatest risk? If you have a customer-facing web application, web application testing should be your first priority. If you have a large internal network, combine external and internal network testing. If you process payments, PCI DSS will dictate specific testing requirements.
Browse our service pages to learn more about each type, or use our provider directory to find companies that specialise in the specific testing types you need.