The 3 Key Types of Pen Testing: Which is Right For Your Organisation?

Pen Testing has been a staple of cybersecurity programs for decades.

For much of that time, organisations had only one type of Pen Test engagement to choose from—the traditional Penetration Test. Today, the options have expanded considerably, providing a broader range of testing capabilities but simultaneously introducing plenty of confusion.

This article will examine the three most popular types of Pen Test engagement,  explain their differences and provide some insights to help you choose the ideal Pen Test offering for your organisation.

What is Pen Testing?

Penetration Testing—also known as Pen Testing—is a category of cyber security functions that aims to uncover vulnerabilities in an IT environment before a hacker can exploit them. Until around ten years ago, all Pen Testing engagements were completed by teams of human security experts. However, today there are more options, which we’ll explore shortly.

Unlike protective controls such as a firewall, which aim to prevent malicious activities, Pen Tests are a form of offensive security. They preemptively employ hackers’ tools and techniques to uncover weaknesses in an environment or asset before a malicious hacker can exploit it.

Most Pen Tests have a specific scope since testing “everything” in a single engagement is generally not feasible or desirable. Some of the most popular targets for Pen Testing include:

• Networks (local, cloud or hybrid)
• Wireless networks
• Web applications
• Websites

Why Pen Test?

There are many reasons for implementing regular Pen Tests. Some of the most common include:

• Assess cyber risk. Pen Tests help organisations uncover unknown sources of cyber risk before a hacker can exploit them.
• Fulfil compliance obligations. Many legal and compliance frameworks, including PCI-DSS, require organisations to complete annual penetration tests of specific assets.
• Identify unknown vulnerabilities in products or architecture, particularly those that cannot be found using automated vulnerability or application security scanners.
• Prepare for M&A. Most M&A agreements now include cyber security requirements, typically requiring organisations to submit to penetration tests.
• Mitigate supply chain risk or meet stakeholder requirements. Customers, suppliers, and partners increasingly demand organisations prove their cyber security readiness by scheduling regular Pen Tests and publishing the results.
• Protect business continuity and system uptime. Cyberattacks frequently lead to significant and costly interruptions to business operations. Pen Tests help protect business continuity and system uptime by proactively identifying weaknesses.
• Protect customer data or commercial secrets. Today, data is often among an organisation’s most critical assets and a common target for hackers. Pen Tests usually uncover weaknesses that may allow attackers to collect and extract data from an organisation’s network, website, or Internet-facing assets.
• Avoid negative publicity. Organisations that are the subject of successful cyberattacks inevitably face negative publicity, even if the attack is quickly contained. This can have implications for ongoing business, particularly if an attack threatens the assets or business continuity of partners, customers, or suppliers.

Traditional Pen Testing

A traditional Pen Test is a time-bound engagement from a security services provider like CyberOne. A team of qualified,  experienced Pen Testers delivers it over a defined period—often 1-2 weeks—but there is no firm rule on engagement length.

Most traditional Pen Test engagements have an overarching mission—for example, meeting annual compliance objectives or preparing for an event such as a product launch or M&A. However, some organisations prefer to schedule regular traditional Penetration Tests as a continuous addition to their cyber risk reduction program.

A typical Penetration Test engagement will follow a clear project plan. At CyberOne, our engagements use the following testing methodology:

1. Scoping. Working with the customer to define which assets and infrastructure fall within the scope of the engagement.
2. Reconnaissance. Gathering publicly available information about the customer may help the testing team identify weaknesses.
3. Mapping. Assessing target assets to build a complete picture of their attack surface.
4. Vulnerability analysis. Scanning and manually investigating in-scope assets to identify security vulnerabilities.
5. Service exploitation. Exploiting vulnerabilities to access systems and data.
6. Pivoting. Reusing successful exploits to target further systems and assets.
7. Clean up. Removing testing data from the customer’s systems.
8. Reporting and debriefing. Providing an in-depth Pen Test report with clear recommendations and guidance for remediation. This can be delivered as a written report or via a virtual or face-to-face meeting.

A recent upgrade to traditional Pen Tests has been the addition of ‘Pen Test platforms,’ which allow customers to schedule Pen Tests more easily, see the status of ongoing engagements, request more information about reported vulnerabilities, request retests following patching, etc. Crowdsourced Pen Testing providers initially introduced this feature, and it is rapidly becoming an industry standard due to the improvement it provides to customer experience.

Automated Pen Testing

An automated Pen Test is exactly what it sounds like—an automated solution that attempts to replicate the processes of a traditional Pen Test without requiring human intervention.

Note the word attempts. In reality, no automated tool can completely replace the need for human penetration testers. If it could, traditional Pen Tests would already be obsolete—and they notably aren’t. Some weaknesses require human perseverance and creativity to uncover—the type of perseverance and creativity that a malicious hacker would employ.

However, today’s automated Pen Test solutions are extremely powerful. They can provide continuous security validation of critical systems and assets in a way that would be prohibitively expensive to deliver manually. Similarly, many security weaknesses are more suited to machine testing, as they are too time-consuming to uncover in a 1-2 week human testing engagement.

Automated Pen Test solutions are NOT the same as vulnerability scanners. In addition to uncovering known vulnerabilities, an automated Pen Test solution provides additional capabilities such as:

• Security control validation
• No-harm exploitation of discovered weaknesses
• Complete attack surface coverage
• Risk-based remediation guidance

Automated Pen Testing isn’t a complete replacement for traditional Pen Testing. Organisations often employ automated Pen Testing solutions to continuously assess cyber risk and uncover vulnerabilities introduced during normal business operations, reserving traditional Pen Tests for more focused testing of specific assets.

At CyberOne, we work with Pentera to provide our clients with automated Pen Testing solutions.

Crowdsourced Pen Testing

Crowdsourced Pen Tests are a completely different approach to security testing that has become prominent over the last decade. Instead of working with a set team of Pen Testers provided by a security services provider, crowdsourced testing enables organisations to engage with a global community of ethical hackers and security experts.

This approach gives organisations access to an unprecedented range of security testing expertise, helping to uncover high-risk vulnerabilities by mimicking the behaviours of real malicious hackers.

In almost all cases, organisations don’t attempt to organise crowdsourced testing in-house. Instead, they work through a crowdsourced testing provider, which typically delivers a platform where organisations can invite freelance hackers and security experts to test their assets.

Broadly, there are two ways to engage with crowdsourced testing:

1. Specific, time-bound engagements that mimic traditional Pen Tests
2. Continuous testing engagements that allow testers to submit vulnerabilities at any time.

While it is possible to engage directly with crowdsourced testers and manage the entire process in-house, crowdsourced testing providers usually manage the engagement process and the delivery of specific testing engagements. This allows organisations to reap the benefits of crowdsourced testing while retaining important elements of traditional Pen Tests, such as:

• Vetted and risk-scored vulnerability reports.
• Low internal effort requirements to manage the testing process
• Remediation guidance for reported vulnerabilities

At CyberOne, we work with Synack to provide our clients with crowdsourced Pen Testing solutions.

Which is Right For Your Organisation?

There is no “best” form of Pen Testing. Each option described above is equally strong, and your choice of engagement type should be defined based on your specific needs.

Compliance requirements are typically prioritised for small organisations with few resources,  which usually mandates using traditional Pen Tests. At the other end of the scale, many organisations use a combination of Pen Test engagements to meet varied cyber security needs.

For example:

• Traditional Pen Tests to meet compliance objectives.
• Automated Pen Testing for continuous security validation of their networks.
• Crowdsourced Pen Testing for specific, high-risk or business-critical applications.

This approach is highly effective for controlling cyber risk but naturally requires a higher resource investment than a more traditional program.

If you’re not sure which engagement—or combination of engagements—is right for your organisation’s needs, we can help. Contact one of our experts today to discuss your Pen Testing options.