What is penetration testing?

Note: This blog post was originally published on May 11, 2022, and was reviewed, optimized, and updated by internal experts on Dec. 15, 2023.

Oro provides content designed to educate and help audiences on their compliance journey.

Penetration testing, also known as pentesting, is a form of “ethical hacking.” Is your business prepared to be hacked? There is only one way to find out—and it might be by hacking yourself.

Pentesting is a process where testers attempt to access or exploit vulnerabilities in your organization’s computer system, network, website, and applications. Pentesting acts as a simulated cyberattack, aiming to evaluate the effectiveness of your organization’s security measures and let you know if you need to make any improvements.

Pentesters are ethical hackers who perform this simulated attack internally or externally, manually or with automated tools. Remediating the weaknesses they uncover should keep real attackers from exploiting the same security issues in your system.

There are multiple different types of pentesting, and each penetration test has its own advantages. Depending on what industry your organization is in and what goals you have for the test, you will perform a different type of test for the results you’re looking for.

What are the three types of pentesting?

There are three categories of penetration tests, ranging from a complete-surprise engagement with real disruption to planned testing with an internal partner who performs the pentests.

Black box pentest

With these external penetration tests, no data is provided to the tester or company conducting the testing. This type of test most closely represents a real-world scenario. The attacker attempts to find holes and/or exploitable weaknesses in applications, architecture, configurations, API endpoints, and humans (via social engineering) to gain access to the environment.

White box pentest

An internal white box test is the softest approach when testing your security infrastructure. This test includes full disclosure of network and application architecture, IP addresses, and credentials. The test fully simulates a targeted attack with almost no system disruption.

Gray box pentest

During gray box testing, the tester will have partial access to the internal network or web application. This can be provided by making the tester a domain administrator or giving them software code and system architecture diagrams.

In most cases, only a set of login credentials for computer systems is provided. This strikes a balance between depth and efficiency. Because most real-world scenarios include the attacker doing reconnaissance, a gray box test can be both efficient and authentic.

The main advantage of gray box testing is that the reporting provides a more focused and efficient assessment of your network’s security. Instead of a trial-and-error approach, gray box pentesters can more easily identify weak spots in the network from the inside. From there, they can strategize ways to fill the gaps.


Pentest costs

Penetration tests are priced based on scope. This includes variables like:

  • The number of external endpoints, APIs, and IP addresses,
  • The density of the configurations in scope,
  • Re-testing, and time for remediation and mitigation,
  • Depth of application testing, and
  • Source code review.

Now that we’ve discussed the various ways of pentesting, let’s discuss the five steps of penetration testing your tester should go through.

What are the five steps to penetration testing?

The pentesting process can be broken down into the following five steps:

1. Planning & reconnaissance 

During this first step, define the scope and goals, as well as decide which testing methods will be used. Gather intelligence, such as network or domain names, and provide it to the pentester.

2. Scanning

Understand how the target application responds to various intrusion attempts. This is done by leveraging static analysis (inspecting code to estimate the way it behaves while running) and dynamic analysis (inspecting code in a running state).

3. Gaining access

Use application attacks like cross-site scripting, SQL injection, and backdoors to uncover your network or server’s vulnerabilities and exploit them. Strategies include escalating privileges, stealing data, intercepting traffic, and more, to see how much damage a real attacker could cause.

4. Maintaining access

Once the tester identifies a vulnerability and exploits it within the target system, the tester validates the ability to move within the system persistently. This indicates that a malicious actor could gain in-depth access to exploit additional weaknesses, moving within the system to identify further opportunities to gather information or attack.

5. Analysis & configuration 

At the final step of the penetration test, compile a report and showcase the data gathered. The report should include the specific vulnerabilities exploited, the sensitive data that was accessed, and the amount of time the tester remained in the system undetected.

From here, it is the job of security professionals within your organization to move forward with new security features and solutions to resolve these issues to protect against future attacks.

The bottom line

With cyber hacking techniques getting more advanced, it’s imperative that your organization conducts regular pentests. You’ll also need to conduct a pentest to stay compliant with frameworks like SOC 2 or ISO 27001. We recommend engaging penetration testers anytime your business introduces a new product line or potential vulnerability to the ecosystem. 

With Thoropass’s all-in-one approach to compliance, all your penetration testing services are included in one subscription price.
