Precursor Security
6 Types Explained

Which Penetration Test
Do You Actually Need?

There are six penetration testing types defined by their target (network, web app, mobile, cloud, wireless, social engineering) and three testing approaches (black box, white box, grey box) defined by how much information your tester receives. Understanding both dimensions is how you avoid the most common and expensive pen testing mistake: commissioning the wrong test.

Scope Your TestView Pricing
CREST Accredited
UK-Based Testers
100% Human Testing
Fixed Pricing
Scroll
Penetration Testing Types

Six targets. Three approaches. One decision framework.

The six types below are defined by what is tested (your network, your web application, your cloud environment). The three approaches further below are defined by how much context the tester is given (black box, white box, grey box). Both dimensions matter when scoping a penetration testing engagement. Select any card to explore the full service.

Network Penetration Testing

Find the paths an attacker would take through your network before they do.

Firewalls and routers
Active Directory
Servers and workstations
Network segmentation
PCI DSS 11.3ISO 27001CE Plus
Explore this test

Web Application Testing

The test clients and auditors ask for before they trust your application with their data.

Login and auth flows
User input fields
APIs and integrations
Session management
ISO 27001 A.14SOC 2PCI DSS 6.4
Explore this test

Mobile App Testing

iOS and Android security assessment before your users bear the risk.

Data storage
Cryptography
Network traffic
Backend APIs
OWASP Mobile Top 10ISO 27001DSP Toolkit
Explore this test

Cloud Penetration Testing

AWS, Azure, and GCP testing that goes beyond what your scanner already tells you.

IAM policies
Storage buckets
Compute instances
Serverless functions
ISO 27001SOC 2CSA CCM
Explore this test

Wireless Penetration Testing

Wi-Fi and radio frequency assessment for on-premises environments.

Access points
Encryption protocols
Guest networks
Bluetooth and RF
CE PlusPCI DSSISO 27001
Explore this test

Social Engineering Testing

Phishing, vishing, and physical access testing to measure your human layer.

Email security
Employee awareness
Physical access
Helpdesk procedures
ISO 27001 A.7CENIST CSF
Explore this test

Not sure which test you need?

Our CREST-certified consultants will walk you through the options at no charge and with no obligation, so you can go back to your manager with a clear recommendation and a written scope.

Speak to an Expert
Avg response: 15m
Testing Approaches

Black Box vs White Box vs Grey Box

Your auditor asked about your testing approach. These three apply to any of the six test types above. The difference is how much context the tester is given before they begin.

Approach 01

Black Box

No information is given to the tester. Simulates an external attacker who has done no prior reconnaissance on your environment.

Best forRealistic threat simulation, regulatory audits requiring zero-knowledge testing
Compliance
CREST CHECKCBESTTIBER-EU
CostHigher: more time required to enumerate
Approach 02Recommended

Grey Box

Partial information: user credentials, API documentation, basic network diagrams. Balances realism with efficiency. The recommended default for first and annual tests.

Best forMost commercial engagements: the recommended default
Compliance
PCI DSSCE PlusISO 27001
CostMost cost-effective: recommended starting point
Approach 03

White Box

Full access to documentation, source code, architecture diagrams, and credentials. Maximum coverage in minimum time.

Best forDevelopment-stage testing, code review integration, maximum coverage
Compliance
ISO 27001 A.14SDLC
CostMore efficient: faster to comprehensive coverage

Which approach should you specify?

For most organisations commissioning their first or annual test, grey box is the recommended default. It gives the tester enough context to go deeper, faster, without the artificial constraints of a pure zero-knowledge exercise. Black box is appropriate when you need to demonstrate to a regulator that your controls hold against a realistic external attacker. White box is most valuable during development or when you want maximum vulnerability coverage in a fixed timeframe.

Decision Tool

Which Test Fits Your Situation?

Match your environment to the right assessment. If you span multiple categories, a combined engagement is usually the most cost-effective option.

SituationYou have a customer-facing web application or API
RecommendedWeb Application Penetration Test
ComplianceSOC 2ISO 27001 A.14PCI DSS 6.4
SituationYou have on-premises servers and Active Directory
RecommendedInternal Network Penetration Test
CompliancePCI DSS 11.3ISO 27001CE Plus
SituationA client security questionnaire asks how you protect user data
RecommendedWeb Application + Cloud combination
ComplianceSOC 2Vendor Due Diligence
SituationYou are running production workloads in AWS, Azure, or GCP
RecommendedCloud Penetration Test
ComplianceISO 27001SOC 2CSA CCM
SituationYour auditor asked whether your test was black box or white box
RecommendedGrey Box (recommended default)
CompliancePCI DSSCE PlusISO 27001
SituationThis is your first penetration test
RecommendedFree scoping call with a CREST consultant
ComplianceAll frameworks

What to specify in your penetration testing requirements

When writing penetration testing requirements, specify:

  • The test type by name
  • The testing approach (black, white, or grey box)
  • The scope (number of IP addresses, URLs, or user roles)
  • The deliverable format (executive summary and technical report)

Precursor provides all four in writing before testing begins.

After Testing

Testing is point-in-time.
Monitoring is continuous.

Pair any test type with our 24/7 Managed SOC. We feed your pentest findings directly into custom detection rules, actively hunting for exploitation between annual assessments.

Explore 24/7 Monitoring

24/7 Threat Hunting

Continuous monitoring of your entire perimeter.

Custom SOC Rules

Alerts tuned to your specific pentest findings.

Real-time Containment

Immediate isolation before lateral movement.

Board Assurance

Prove identified risks are actively monitored.

Free Scoping Call

Scope the Right Test

Tell us your environment, compliance requirements, and what triggered the need. We will recommend the right test type and approach in writing, with a fixed-price proposal within 24 hours.

Speak to a Consultant
View Pricing Guide
CREST Certified
Fixed Pricing
30-Day Retest

Frequently Asked Questions

Common questions about penetration testing types, approaches, and how to choose the right assessment.

There are six main types of penetration testing defined by their target: network, web application, mobile application, cloud, wireless, and social engineering. Additionally, each test type can be conducted using one of three approaches (black box, white box, or grey box) depending on how much information the tester is given about your environment.

The three testing approaches (sometimes called types) in penetration testing are black box, white box, and grey box. Black box testing simulates an external attacker with no prior knowledge of your systems. White box testing gives the tester full access to documentation, source code, and credentials. Grey box testing provides partial information, typically user credentials or basic network diagrams, and is the most common approach for commercial engagements.

In black box penetration testing, the tester is given no prior information about your systems and must enumerate and attack your environment as an external attacker would. In white box penetration testing, the tester is given full access to documentation, architecture diagrams, source code, and credentials, enabling maximum coverage in minimum time. Grey box testing is a hybrid approach and is the most widely used in commercial pen testing engagements.

PCI DSS Requirement 11.3 requires both internal and external network penetration testing, as well as testing of segmentation controls. Web application penetration testing is also required if your cardholder data environment includes web-facing applications. Most PCI DSS pen tests are conducted using a grey box approach, with testing conducted at least annually or after significant infrastructure changes.

For most organisations, a web application penetration test (from £3,500) is the best starting point. It covers the attack surface most likely to be targeted by opportunistic attackers and satisfies most client vendor questionnaires, Cyber Essentials Plus, and PCI DSS Requirement 6.6. If you have on-premises infrastructure, pair it with an internal network test.

UK penetration testing costs between £2,500 and £30,000+ depending on scope and test type. A web application test costs £3,500 to £8,000. An external network test costs £2,500 to £10,000+. An internal network test costs £5,000 to £15,000. A full security assessment costs £15,000 to £30,000+. All Precursor engagements are fixed-price.