SENTRY — Penetration Testing
Types of Penetration Testing: Choosing the Right Engagement for Your Risk Profile
Penetration testing is not a single service — it is a category of security assessments with distinct methodologies, scopes, and objectives. Understanding the types of penetration testing available helps regulated organizations select the engagement that matches their compliance requirements, threat model, and security program maturity.
The Three Knowledge-Level Frameworks
Every penetration test operates within one of three knowledge-level frameworks that define how much information testers have about the target environment before the engagement begins. The choice between these frameworks affects the realism of the simulation, the efficiency of the engagement, and what the findings tell you about your defensive posture.
Black-Box Penetration Testing
In a black-box engagement, testers begin with no prior knowledge of the target environment — just the information an external attacker would have access to through open-source intelligence, public records, and active reconnaissance. This format most accurately simulates what an opportunistic external attacker experiences when targeting your organization.
Black-box testing is appropriate when organizations want to evaluate how their perimeter defenses perform against an attacker with no insider knowledge. It tends to be less efficient than gray-box testing for compliance purposes because testers spend significant time on reconnaissance that, given some baseline information, could instead be spent on deeper testing. For organizations with mature perimeter controls that want to validate them under realistic conditions, black-box is the right choice.
Gray-Box Penetration Testing
Gray-box testing provides testers with partial information — typically network diagrams, application documentation, user-level credentials, or IP ranges — while withholding administrative access and internal architecture details. This format simulates an attacker who has gained some initial foothold (through phishing, credential theft, or insider access) and is now moving laterally.
Gray-box is the most common format for compliance-driven penetration testing because it allows testers to allocate more hours to finding and demonstrating exploitable paths rather than reconnaissance. Most compliance frameworks, including PCI-DSS Requirement 11.4 and CMMC-aligned testing, accept gray-box methodology as appropriate for satisfying testing requirements. See penetration testing for CMMC for how this applies to defense contractor compliance.
White-Box Penetration Testing
White-box testing gives testers full access to source code, architecture documentation, system configurations, and administrative credentials. This format is not designed to simulate an external attacker — it is designed to find every vulnerability that exists in a system with maximum efficiency. White-box testing is most appropriate for application security reviews before major releases, code audits, and configuration reviews where completeness matters more than realistic simulation.
Penetration Testing by Target Environment
Beyond knowledge level, penetration tests are categorized by the environment or asset type they target. Each category requires different expertise, tools, and methodology.
Network Penetration Testing
Network penetration testing assesses the security of network infrastructure — firewalls, routers, switches, VPNs, wireless access points, and the services exposed through them. External network testing focuses on internet-facing systems. Internal testing simulates an attacker who has already breached the perimeter and evaluates lateral movement opportunities, Active Directory weaknesses, and segmentation failures. Network penetration testing is the baseline engagement for most compliance programs.
Web Application Penetration Testing
Application-layer testing targets vulnerabilities specific to web applications and APIs — injection flaws, authentication weaknesses, authorization failures, business logic errors, and cryptographic issues. This testing follows the OWASP Testing Guide and requires testers who understand application architecture, not just network protocol exploitation. Web application penetration testing is required for any organization with internet-facing applications handling sensitive data.
Mobile Application Penetration Testing
Mobile testing addresses iOS and Android applications, evaluating client-side storage, inter-process communication, API communication security, and authentication mechanisms. The OWASP Mobile Security Testing Guide provides the methodology framework. Organizations with patient portals, financial applications, or field operations apps on mobile platforms should include mobile testing in their assessment program.
Cloud Penetration Testing
Cloud penetration testing assesses security controls in AWS, Azure, Google Cloud, and multi-cloud environments. This includes IAM policy misconfigurations, storage bucket exposure, serverless function vulnerabilities, container security, and cloud-native service misuse. Cloud testing requires platform-specific expertise and understanding of shared responsibility model boundaries.
OT and ICS Penetration Testing
Operational technology and industrial control system testing requires specialized methodology to avoid disrupting production systems while validating real attack paths. Testing follows NIST SP 800-82 guidance and focuses on the IT/OT boundary, engineering workstation security, historian systems, and protocol-level vulnerabilities in SCADA and DCS environments. OT and ICS penetration testing is the appropriate service for manufacturers, utilities, and any organization where cyber compromise can affect physical processes.
Social Engineering and Phishing Assessments
Social engineering testing evaluates the human element of security — whether employees can recognize and report phishing attempts, vishing calls, and physical access attempts. These assessments are increasingly required by compliance frameworks and are essential context for understanding why technical controls alone are insufficient.
Choosing the Right Engagement Type
| Situation | Recommended Engagement Type | Knowledge Level |
|---|---|---|
| First penetration test; compliance baseline | External + Internal Network | Gray-box |
| Annual PCI-DSS Requirement 11.4 | External + Internal Network + Application | Gray-box |
| CMMC 2.0 pre-assessment | Network + CMMC-scoped environment | Gray-box |
| New customer-facing web application | Web Application | Gray-box or White-box |
| Manufacturing / industrial environment | OT / ICS | Gray-box with safety constraints |
| Mature security program; test detection capability | Red Team Operation | Black-box |
| Pre-release application security review | Web Application or Code Review | White-box |
The red team vs. pen test comparison covers the distinction between full red team operations and scoped penetration testing in more detail, including the program maturity indicators that suggest when each is appropriate.
How Penetration Testing Types Connect to Continuous Security
Point-in-time penetration testing tells you where your environment was vulnerable on the day of the engagement. For regulated organizations, that set of findings needs a continuous monitoring layer to remain operationally relevant. Armorstack’s managed detection and response capability monitors for exploitation attempts against the same attack vectors identified during testing and validates that remediated controls are functioning as expected.
For governance questions about which testing types belong in your security program and how findings should inform risk decisions, Armorstack’s VERITY risk advisory practice provides the strategic layer that connects testing methodology to security program investment decisions.
To scope the right engagement type for your environment and compliance obligations, speak with the SENTRY team or review the full penetration testing services overview.