Organizations face unique security challenges based on industry, technology stack, and threat profile. Penetration testing isn't one-size-fits-all. Seven distinct testing types target different attack surfaces, from network infrastructure to mobile applications, each revealing specific vulnerabilities attackers could exploit.
This guide compares penetration testing types, including methodologies, typical costs, timelines, and use cases. Learn which tests your organization needs based on compliance requirements, infrastructure, and risk tolerance.
Overview of Penetration Testing Types
Penetration tests are categorized by target system and testing methodology:
By Target System:
- Network Penetration Testing: Internal and external network infrastructure
- Web Application Testing: Web applications and APIs
- Wireless Testing: WiFi networks and wireless protocols
- Physical Testing: Physical security controls and social engineering
- Cloud Security Testing: Cloud infrastructure (AWS, Azure, GCP)
- Mobile Application Testing: iOS and Android applications
- IoT/OT Testing: Internet of Things and operational technology
By Testing Approach:
- Black Box: No prior knowledge (external attacker perspective)
- White Box: Full knowledge (comprehensive security review)
- Grey Box: Partial knowledge (insider threat simulation)
1. Network Penetration Testing
Network penetration testing assesses infrastructure security by identifying vulnerabilities in routers, switches, firewalls, servers, and workstations. Tests are executed from two perspectives:
External Network Testing
Simulates internet-based attacks against publicly accessible assets:
- Perimeter firewall testing
- VPN security assessment
- Remote access services (RDP, SSH, VNC)
- Mail servers and DNS infrastructure
- Public-facing servers and applications
- DDoS susceptibility testing
Common Findings:
- Unpatched systems with known vulnerabilities
- Weak or default credentials on network devices
- Unnecessary services exposed to the internet
- Misconfigured firewalls allowing unauthorized access
- SSL/TLS configuration weaknesses
Internal Network Testing
Assesses security from the perspective of a malicious insider or an attacker who has breached the perimeter:
- Lateral movement opportunities
- Privilege escalation paths
- Active Directory exploitation
- Network segmentation effectiveness
- Sensitive data exposure on file shares
- Domain controller compromise attempts
Use Cases:
- Annual security assessments
- Pre-deployment testing for new infrastructure
- Post-breach validation
- PCI DSS compliance (quarterly external, annual internal)
- Network architecture validation
Typical Cost: $5,000-$25,000 depending on network size
Duration: 5-10 business days
2. Web Application Penetration Testing
Web application security testing identifies vulnerabilities in web-based applications, focusing on OWASP Top 10 risks and business logic flaws.
Testing Methodology
Testers analyze:
- Authentication: Login bypass, brute force protection, session management
- Authorization: Privilege escalation, insecure direct object references
- Input Validation: SQL injection, cross-site scripting (XSS), command injection
- Business Logic: Payment bypass, workflow manipulation, race conditions
- Encryption: Transport security, sensitive data exposure
- Configuration: Server hardening, error handling, security headers
OWASP Top 10 Focus Areas
Professional web app testing prioritizes OWASP Top 10 vulnerabilities:
- Broken Access Control: Users accessing unauthorized functionality
- Cryptographic Failures: Sensitive data transmitted or stored insecurely
- Injection: SQL, NoSQL, OS command, and LDAP injection
- Insecure Design: Missing security controls in design phase
- Security Misconfiguration: Default settings, verbose errors, unused features
- Vulnerable Components: Outdated libraries with known vulnerabilities
- Authentication Failures: Weak passwords, broken session management
- Software Integrity Failures: Unsigned code, insecure updates
- Logging Failures: Insufficient logging preventing breach detection
- SSRF: Server-side request forgery enabling internal system access
API Security Testing
Modern applications rely heavily on APIs, which require specialized testing:
- Authentication and authorization testing (OAuth, JWT)
- Rate limiting and DoS protection
- Input validation and injection testing
- Business logic abuse
- Data exposure through API responses
Use Cases:
- Pre-launch application security validation
- Annual security assessments
- Post-major release testing
- Third-party application security verification
- PCI DSS compliance for payment processing applications
Typical Cost: $8,000-$35,000 depending on application complexity
Duration: 7-14 business days
3. Wireless Network Testing
Wireless penetration testing assesses WiFi security by identifying vulnerabilities in encryption, authentication, and network access controls.
Testing Scope
- Encryption Analysis: WEP cracking, WPA/WPA2/WPA3 attacks, weak passphrases
- Authentication Testing: RADIUS server security, certificate validation
- Rogue Access Point Detection: Identifying unauthorized WiFi networks
- Client Attacks: Evil twin attacks, WiFi phishing
- Bluetooth Security: Device pairing, data exposure
- Guest Network Segmentation: Isolation from corporate resources
Common Vulnerabilities
- WPA2-PSK with weak passwords vulnerable to brute force
- WPS enabled allowing PIN attacks
- Unencrypted guest networks
- Insufficient network segmentation
- 802.1X misconfiguration allowing unauthorized access
- Bluetooth devices with default PINs
Use Cases:
- Office wireless network validation
- Retail and hospitality guest WiFi security
- Healthcare wireless infrastructure (medical device connectivity)
- Warehouse and manufacturing facility testing
Typical Cost: $4,000-$12,000
Duration: 2-5 business days
4. Physical Penetration Testing
Physical testing evaluates physical security controls and social engineering defenses, simulating unauthorized facility access attempts.
Testing Components
Physical Access Testing:
- Tailgating and piggybacking attempts
- Badge cloning and unauthorized access
- Lock picking and door bypass
- Security camera blind spots
- After-hours access attempts
- Dumpster diving for sensitive information
Social Engineering:
- Phishing campaigns testing email security awareness
- Vishing (voice phishing) targeting help desk and employees
- Pretexting scenarios gaining trust for information disclosure
- USB drop testing (malware-laden USB drives left on premises)
- Impersonation (delivery person, maintenance, contractors)
Real-World Scenario Examples
Physical penetration tests reveal surprising weaknesses:
- Security guards allowing access without proper verification
- Employees holding doors open for friendly-seeming strangers
- Sensitive documents left unsecured in common areas
- Workstations unlocked with access to critical systems
- Server rooms accessible without authentication
Use Cases:
- High-security facility validation
- Data center security assessment
- Corporate headquarters security review
- Financial institution compliance testing
- Healthcare facility HIPAA security validation
Typical Cost: $10,000-$40,000 depending on complexity and locations
Duration: 5-15 business days
5. Cloud Security Testing
Cloud penetration testing assesses the security of cloud infrastructure, applications, and configurations across AWS, Azure, Google Cloud Platform, and multi-cloud environments.
Cloud-Specific Testing
Infrastructure Testing:
- IAM policy review (overly permissive roles)
- Storage bucket security (public S3 buckets, exposed Azure blobs)
- Network security group configuration
- Serverless function security (Lambda, Azure Functions)
- Container security (Docker, Kubernetes misconfigurations)
- API gateway security
Common Cloud Vulnerabilities:
- Publicly accessible storage with sensitive data
- Over-privileged IAM roles violating least privilege
- Missing encryption for data at rest and in transit
- Insecure API endpoints
- Unpatched cloud instances
- Exposed management interfaces
- Weak authentication (no MFA, long-lived credentials)
Compliance Considerations
Cloud testing addresses compliance requirements:
- HIPAA: Healthcare data protection in cloud environments
- PCI DSS: Cardholder data security in cloud infrastructure
- SOC 2: Cloud service provider security controls
- FedRAMP: Federal cloud security requirements
Use Cases:
- Pre-production cloud deployment validation
- Cloud migration security assessment
- Multi-cloud security posture review
- DevSecOps pipeline integration testing
- Compliance-driven cloud security validation
Typical Cost: $12,000-$50,000 depending on cloud complexity
Duration: 7-20 business days
6. Mobile Application Testing
Mobile app penetration testing identifies security flaws in iOS and Android applications, including client-side vulnerabilities, insecure data storage, and weak server communication.
Testing Scope
Client-Side Testing:
- Reverse engineering and code analysis
- Local data storage security (databases, files, keychain)
- Hardcoded secrets (API keys, encryption keys)
- Insecure cryptography implementation
- Jailbreak/root detection bypass
- Binary protection (obfuscation, anti-tampering)
Network Communication:
- Certificate pinning validation
- API authentication and authorization
- Data transmission encryption
- Session management
- Man-in-the-middle attack susceptibility
Platform-Specific Testing:
- iOS: Keychain security, inter-app communication, push notification security
- Android: Intent handling, content provider security, permission model abuse
OWASP Mobile Top 10
Professional mobile testing addresses OWASP Mobile risks:
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorization
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
Use Cases:
- Pre-launch security validation
- Financial services apps (banking, fintech)
- Healthcare apps handling PHI
- E-commerce applications
- Gaming applications with in-app purchases
Typical Cost: $10,000-$30,000 per platform
Duration: 7-14 business days
7. IoT and OT Security Testing
Internet of Things (IoT) and Operational Technology (OT) testing assesses the security of connected devices, industrial control systems, and SCADA environments.
Testing Focus
IoT Device Security:
- Default credentials and weak authentication
- Firmware analysis and reverse engineering
- Insecure network protocols
- Physical interface security (JTAG, UART)
- Update mechanisms and signed firmware
- Device-to-cloud communication security
OT/SCADA Testing:
- Industrial protocol security (Modbus, DNP3)
- HMI (Human-Machine Interface) vulnerabilities
- PLC (Programmable Logic Controller) security
- Network segmentation between IT and OT
- Legacy system vulnerabilities
- Safety system integrity
Use Cases:
- Manufacturing facility security
- Energy sector (power generation, oil & gas)
- Smart building systems
- Healthcare medical devices
- Transportation systems
Typical Cost: $15,000-$60,000 depending on environment complexity
Duration: 10-20 business days
Testing Approach: Black Box vs White Box vs Grey Box
Beyond target systems, testing methodology impacts scope and findings:
Black Box Testing
Testers receive no internal knowledge, simulating an external attacker with no privileged information:
Advantages:
- Real-world attacker perspective
- Identifies externally exploitable vulnerabilities
- Tests security-through-obscurity assumptions
- Validates perimeter defenses
Disadvantages:
- May miss complex internal vulnerabilities
- Time-consuming reconnaissance phase
- Limited coverage compared to white box
White Box Testing
Testers receive complete knowledge, including source code, architecture diagrams, credentials, and documentation:
Advantages:
- Comprehensive security review
- Identifies complex logic flaws
- Efficient time usage (no blind reconnaissance)
- Thorough code-level vulnerability detection
Disadvantages:
- Less realistic attacker simulation
- May not validate detection capabilities
- Requires sharing sensitive information with testers
Grey Box Testing
Testers receive partial knowledge, simulating an insider threat or a compromised user account:
Advantages:
- Balances efficiency with realism
- Focuses on high-value attack paths
- Simulates common breach scenarios
- Tests internal security controls
Use Case Guidance:
- Black Box: External threat assessment, perimeter testing
- White Box: Pre-deployment security validation, comprehensive audit
- Grey Box: Insider threat simulation, post-breach movement testing
Compliance-Driven Testing Requirements
Regulatory frameworks mandate specific penetration testing:
PCI DSS (Payment Card Industry):
- Annual network penetration test (internal and external)
- Testing after significant infrastructure changes
- Segmentation testing validating cardholder data isolation
- Web application testing if processing payments
HIPAA (Healthcare):
- Risk assessments should include technical safeguard validation
- Network and application testing recommended annually
- Testing must address ePHI protection
SOC 2:
- Penetration testing expected as security control
- Annual testing minimum for most trust service criteria
- Remediation validation required
FFIEC (Financial Services):
- Penetration testing for internet-facing applications
- Frequency based on risk assessment
- Testing by independent third parties
Organizations requiring compliance assistance should ensure penetration tests meet auditor expectations and regulatory requirements.
Choosing the Right Penetration Test
Select testing types based on:
Industry-Specific Guidance:
- Financial Services: Network (external/internal) + web application + API + physical. PCI DSS required annually.
- Healthcare: Network + web application + wireless + IoT (medical devices). HIPAA risk assessment driven.
- Retail/E-commerce: Web application + API + network + PCI DSS segmentation. Quarterly if processing payments.
- SaaS Providers: Web application + API + cloud infrastructure. SOC 2 compliance driven.
- Manufacturing: Network + IoT/OT + wireless. Focus on OT network segmentation.
- Technology Companies: Web app + mobile + API + cloud. Pre-launch and annual testing.
Budget Prioritization:
If budget constrains comprehensive testing, prioritize:
- First Priority: External network testing (validates perimeter security)
- Second Priority: Web application testing (for organizations with web apps or APIs)
- Third Priority: Internal network testing (validates insider threat and lateral movement defenses)
- Fourth Priority: Specialized testing (wireless, physical, mobile, cloud) based on specific risk profile
Cost Comparison Summary
| Testing Type | Typical Cost Range | Duration | Best For |
|---|---|---|---|
| Network (External) | $5,000-$15,000 | 3-5 days | All organizations |
| Network (Internal) | $8,000-$20,000 | 5-7 days | Large networks, PCI DSS |
| Web Application | $8,000-$35,000 | 7-14 days | SaaS, e-commerce, finance |
| Wireless | $4,000-$12,000 | 2-5 days | Offices, retail, healthcare |
| Physical + Social Engineering | $10,000-$40,000 | 5-15 days | High-security facilities |
| Cloud Infrastructure | $12,000-$50,000 | 7-20 days | Cloud-native businesses |
| Mobile Application | $10,000-$30,000 | 7-14 days | Consumer apps, fintech |
| IoT/OT | $15,000-$60,000 | 10-20 days | Manufacturing, energy |
Note: Costs vary based on scope size, complexity, compliance requirements, and geographic location. Pricing includes testing, reporting, and remediation consultation.
Frequency Recommendations
Testing frequency depends on risk tolerance and change rate:
- Annual Testing: Minimum baseline for most organizations, compliance requirements (PCI DSS, SOC 2)
- Semi-Annual Testing: High-risk organizations, frequently changing environments
- Quarterly Testing: Financial services, critical infrastructure, very high-risk profiles
- After Major Changes: Infrastructure upgrades, application releases, architecture changes
- Post-Incident: Following security breaches to validate remediation
Organizations with mature security programs supplement periodic penetration tests with continuous vulnerability management, bug bounty programs, and automated security testing.
Red Team vs Penetration Testing
Organizations sometimes confuse penetration testing with red team exercises:
Penetration Testing:
- Identifies as many vulnerabilities as possible
- Known timeframe and scope
- Detailed documentation of all findings
- Tests specific systems or applications
- Typically 1-4 weeks
Red Team Exercises:
- Simulates advanced persistent threat (APT)
- Unknown to most staff (tests detection and response)
- Goal-oriented (access specific data, achieve domain admin)
- Tests entire security program including people and processes
- Typically 4-12 weeks
Most organizations benefit from penetration testing. Red team exercises suit organizations with mature security operations seeking to validate detection and response capabilities.
Choosing a Testing Provider
When selecting penetration testing services:
- Certifications: OSCP, GPEN, CEH, GWAPT, GCPN, GXPN for testers
- Methodology: Adherence to PTES, OWASP, NIST SP 800-115 standards
- Industry Experience: Healthcare, finance, retail, etc.
- Tool Stack: Commercial tools + open source + custom scripts
- Report Quality: Request sample reports to evaluate technical detail and actionability
- Remediation Support: Ongoing consultation to answer questions about fixes
- Insurance: Professional liability coverage protecting client interests
- References: Client testimonials and case studies
Maximizing Testing Value
Organizations maximize penetration testing ROI by:
- Clear Scoping: Define objectives, constraints, and success criteria upfront
- Stakeholder Coordination: Involve IT, security, development, and business teams
- Environment Preparation: Ensure test environments are stable, documented, and accessible
- Prioritized Remediation: Address critical findings within recommended timeframes
- Retesting: Validate fixes are effective before closing findings
- Knowledge Transfer: Use findings to train development and operations teams
- Continuous Improvement: Compare results across tests to track security posture improvement
subrosa provides comprehensive penetration testing services across all testing types including network infrastructure, web applications, wireless, physical security, cloud environments, mobile applications, and IoT/OT systems. Our OSCP and GPEN certified testers follow industry-standard methodologies ensuring thorough coverage, actionable findings, and effective remediation support. We customize testing approaches based on industry, compliance requirements, and risk profile, helping organizations build robust security programs.