Skip to content

Types of Penetration Testing: A Complete Guide

The main types of penetration testing by target (web, API, mobile, network, cloud, hardware, social) and by method (black, white, and grey box), and how to choose.

Invadel TeamDecember 30, 20243 min read

“Penetration testing” is an umbrella term. Under it sit a dozen distinct engagements, each targeting a different part of your attack surface with a different method. Choosing the right type, or combination, is the difference between a test that reflects your real risk and one that misses it. Here is the complete map.

Types by target

What you point the test at:

Most organizations start with whatever holds their most sensitive data or faces the most exposure, then broaden coverage over time.

Types by method

How much the tester knows going in:

  • Black box , no prior knowledge or access. The tester approaches like an external attacker with nothing but your public footprint. Realistic, but slower and may miss deeper issues within the time budget.
  • White box , full access to source, architecture, and credentials. The most thorough, since the tester can examine everything. Best for high-stakes systems where completeness matters most.
  • Grey box , somewhere between: some credentials and context, but not full internals. Usually the best value, it mirrors a realistic attacker who has gained a foothold or is a malicious user, while using time efficiently.

For most engagements, grey box gives the strongest results per dollar.

A few terms worth clarifying, because they often get grouped with “types”:

  • Penetration testing vs vulnerability scanning , scanning is automated and broad; penetration testing is manual and proves impact. Different activities, not different “types.”
  • Red teaming , a goal-based, stealthy adversary simulation, broader and more realistic than a standard penetration test.

How to choose

Match the type to your risk:

  1. What holds your most sensitive data? Test that first (often a web app, API, or cloud environment).
  2. What is your compliance driver? SOC 2, PCI, and HIPAA often dictate specific scope.
  3. What is your biggest exposure? Internet-facing systems, a new product, a recent acquisition.
  4. What method fits? Grey box for most; white box for critical systems; black box when realism is the point.

Not sure which combination reflects your risk? That is exactly what a scoping call is for. Scope your assessment and we will recommend the right type and method, and send back a fixed-scope proposal.

Written by

Invadel Team

Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →

Find out what an attacker sees.

Tell us what to test and see your fixed price.

Prefer the full scoping questionnaire?
Start the conversation