Skip to the content

Types of Penetration Test - What is the Difference?

Vulnerability Assessment

Vulnerability Assessments are most often used by organisations when they want to identify the vulnerabilities present in their infrastructure and to get a high-level overview of their security posture. It involves an external approach and is fully automated.

Vulnerability Assessments are useful for companies who do not have visibility or understanding of their security posture. A vulnerability assessment can often be used as the first stage of a larger penetration testing project.

For organisations with legacy infrastructure, it is a quick, cost-effective way to identify and focus on software versions and systems that can be fixed easily.


Penetration Testing

A Penetration Test aims to exploit the vulnerabilities of an organisation's cybersecurity arrangements before a malicious party does. It uses a combination of automatic and manual techniques to identify issues within the infrastructure, systems and operations.


External Penetration Test

An external penetration test replicates a real-life attack, searching for vulnerabilities that can be exploited by a hacker. This type of analysis aims to target everything Internet-facing. The penetration tester will focus on identifying network vulnerabilities. This can include issues with network services and hosts, devices, web, mail and FTP servers.

Objective Examples: Obtaining internal access to the network


Internal Penetration Test

An internal penetration test aims to identify and exploit internal vulnerabilities. Vulnerabilities can range from misconfigurations through to unpatched software and social engineering. The approach would be similar to an external penetration test, and the process followed would be the same.

Often the aim of this test can be unique to each client. A customer's objective could be to gain access to a sensitive file or the domain controller with full admin rights, to elevate privileges or to perform an overall security assessment.

This type of test is only possible with access to the internal network either provided by the customer or gained by dropping a device like a dropbox or Raspberry PI onto any open network port, or by exploiting a compromised system i.e. emails.

Objective Examples: Leveraging internal access to obtain access to important assets on the network

Web Application Penetration Test

The web application pen test aims to find weaknesses in applications programmed in-house or out of the box solutions, as well as ill-coded websites.

Web Apps are often vulnerable to many types of attacks that are often possible through the exploitation of misconfigurations in server builds or through bad coding practices. Vulnerabilities are often identified within functions where user input is received, like website search, address fields, file uploads, where SQL queries can be passed to gain access to back end databases. If either of those functionalists are not appropriately secured an attacker could exploit them to upload a malicious document that can create a back door giving a user unauthorised access to the underlying server it is running on.

Due to the world wide web being publicly exposed many websites and online stores come under constant attack. Identifying these vulnerabilities before anyone else can allows remediation actions to take place to secure the web app.

Examples: Brute-force attack, Error handling, SQL Injection and XSS

Social Engineering

Manipulating people into leaking sensitive information and providing an external malicious agent with unwarranted access to a network or a building is considered social engineering. It exploits the gaps in cybersecurity education in organisations and employs psychological persuasion.

The penetration tester will research different aspects of the company and its people, refer to social media and current events, to gain the trust of the host and blend in with the organisation. However, social engineering is not limited to physical infiltration, but can also involve the use of email, social media and calls.

Performing such a test can reveal the gaps in cybersecurity awareness of the organisation's people and stress the importance of employee training.

Examples: Phishing campaigns, Traditional scamming techniques as authority figure impersonation

Red Team Engagement

Red team engagement is the more advanced version of a penetration test appropriate for companies with mature, well-established security arrangements. Compared to a penetration test, they tend to take longer and often require multiple testers. The main objective is not to find and exploit all vulnerabilities, but instead, it is a targeted attack with a single objective aiming to be completely unnoticeable. Such tests are performed in scenarios where there is an immediate Blue team (Response Team) to stop a Red team (Attackers) in their tracks.


Black-Box Testing

In black-box testing, a tester doesn't have any information about the internal working of the software system. It is a high-level assessment that focuses on the behaviour of the software. It involves testing from an external or end-user perspective. Black-box testing can be applied to virtually every level of software testing: unit, integration, system, and acceptance.


White-Box Testing

White-box testing is a testing technique which checks the internal functioning of the system. In this method, testing is based on coverage of code statements, branches, paths or conditions. White-box testing is considered as low-level testing. The white-box testing method assumes that the path of the logic in a unit or program is known.

For further information you can email our team or contact us on 0330 107 7860.



Chess is one of the UK’s leading independent and trusted technology service providers, employing 300 skilled people across the UK, supporting over 20,000 organisations.

 By leveraging world-class technology, Chess helps you to connect your people, protect your data, grow your business, reduce your costs and work better together, which means your business, your people and your customers can thrive.

At Chess, we’re passionate about our unique culture and our continuous investment in our people to be industry experts. We’re extremely proud that our people voted us No.1 in ‘The Sunday Times 100 Best Companies to Work for’ list 2018, and we continue to celebrate more than ten years in the top 100.

Speak to a Product Specialist

You can fill out the form and one of our product specialists will contact you shortly with more information.
To contact our Sales team directly, please call 0344 770 6000 and choose option 4.
Customer Service
For general queries or to report a non-urgent fault, please log a ticket on our customer portal using the email address associated with your account. Logging a ticket is quick and easy to do. Once you have logged your ticket, we will respond within 24 hours or your Service Level Agreement, whichever is quicker.
I agree for my information to be used for marketing communications.
Chess Privacy Notice

By submitting your personal information through this form, you consent to your information being processed in accordance with the Chess group privacy notice.