“Penetration testing” is an umbrella term. Under it sit a dozen distinct engagements, each targeting a different part of your attack surface with a different method. Choosing the right type, or combination, is the difference between a test that reflects your real risk and one that misses it. Here is the complete map.
Types by target
What you point the test at:
- Web application penetration testing , the OWASP Top 10, business logic, authentication, and access control in your web apps. The most common engagement.
- API penetration testing , REST, GraphQL, and SOAP endpoints, focusing on authorization and data exposure (the OWASP API Top 10).
- Mobile application penetration testing , iOS and Android apps against the OWASP MASVS: insecure storage, transport, and runtime tampering.
- External network penetration testing , your internet-facing perimeter, finding the first foothold an outside attacker would.
- Internal network penetration testing , simulating an attacker already inside, testing segmentation, Active Directory, and lateral movement.
- Cloud penetration testing , AWS, Azure, and GCP configuration, identity, and cloud-native attack paths.
- Hardware and IoT penetration testing , firmware, debug interfaces, and physical attacks on connected devices.
- Source code review , finding flaws at the source, before they ever run in production.
- Social engineering and phishing , testing the human layer with realistic lures.
- AI/ML penetration testing , prompt injection, jailbreaks, and unsafe tool use in LLM-powered systems.
Most organizations start with whatever holds their most sensitive data or faces the most exposure, then broaden coverage over time.
Types by method
How much the tester knows going in:
- Black box , no prior knowledge or access. The tester approaches like an external attacker with nothing but your public footprint. Realistic, but slower and may miss deeper issues within the time budget.
- White box , full access to source, architecture, and credentials. The most thorough, since the tester can examine everything. Best for high-stakes systems where completeness matters most.
- Grey box , somewhere between: some credentials and context, but not full internals. Usually the best value, it mirrors a realistic attacker who has gained a foothold or is a malicious user, while using time efficiently.
For most engagements, grey box gives the strongest results per dollar.
Related distinctions
A few terms worth clarifying, because they often get grouped with “types”:
- Penetration testing vs vulnerability scanning , scanning is automated and broad; penetration testing is manual and proves impact. Different activities, not different “types.”
- Red teaming , a goal-based, stealthy adversary simulation, broader and more realistic than a standard penetration test.
How to choose
Match the type to your risk:
- What holds your most sensitive data? Test that first (often a web app, API, or cloud environment).
- What is your compliance driver? SOC 2, PCI, and HIPAA often dictate specific scope.
- What is your biggest exposure? Internet-facing systems, a new product, a recent acquisition.
- What method fits? Grey box for most; white box for critical systems; black box when realism is the point.
Not sure which combination reflects your risk? That is exactly what a scoping call is for. Scope your assessment and we will recommend the right type and method, and send back a fixed-scope proposal.
Written by
Invadel Team
Senior penetration testers writing from real engagements — the same team that scopes, tests, and reports for our clients. About Invadel →