FAQ
Pentest vs. VAPT

Penetration testing, or pen testing, is an ethical cyber security assessment designed to discover, analyze, and address vulnerabilities in a company's network or applications. By using the same tactics, techniques, and procedures (TTPs) as cybercriminals, pen tests simulate real attacks against an organization to evaluate the effectiveness of its security controls.

Pen tests can simulate various attack vectors, whether performed externally or internally. The scope and results of each test depend on the organization's specific needs. The type of assessment determines the level of information provided to the penetration tester. In white box testing, the tester has full access to network and system details; in grey box testing, the tester receives limited information; and in black box testing, the tester has no prior knowledge, simulating a real-life attack scenario.

Understanding the different types of cyber security pen tests is crucial before selecting a provider, as engagements differ in focus, depth, and duration. Common types include:

• Internal & External Network Penetration Testing
  Evaluates on-premise and cloud network infrastructure, including firewalls, system hosts, and devices such as routers and switches. Tests can focus on internal assets or external, internet-facing infrastructure.
• Wireless Penetration Testing
  Targets an organization’s WLAN and wireless protocols like Bluetooth, ZigBee, and Z-Wave. Identifies rogue access points and encryption weaknesses.
• Web Application Testing
  Assesses websites and web applications to uncover coding, design, and development flaws. Providers need information on the number of applications, static pages, dynamic pages, and input fields.
• Mobile Application Testing
  Tests mobile applications on operating systems such as Android and iOS for issues like authentication, authorization, data leakage, and session handling. Providers need details on OS types, versions, API calls, and requirements for jailbreaking/root detection.
• Build and Configuration Review
  Reviews network builds and configurations to identify misconfigurations in web and app servers, routers, and firewalls.
• Social Engineering
  Assesses the ability of systems and personnel to detect and respond to email phishing attacks through customized phishing, spear phishing, and Business Email Compromise (BEC) attacks.
• Cloud Penetration Testing
  Custom assessments to uncover vulnerabilities in cloud and hybrid environments, addressing shared responsibility challenges.
• Agile Penetration Testing
  Continuous security assessments throughout the development cycle to ensure each product release is secure.

The amount of information shared before a penetration testing engagement significantly shapes the outcomes.

White Box testing
White Box testing involves full disclosure of network and system details, which saves time and reduces costs while being particularly useful for simulating targeted attacks on specific systems.

Black Box Testing
Black Box testing provides no prior information to the tester, who approaches the assessment like an external, unprivileged attacker; while this method is the most authentic, it is also often the most expensive.

Grey Box Testing
Grey Box testing grants testers limited information—typically login credentials—allowing for a mix of depth and efficiency that effectively simulates either insider threats or external attacks that have already breached the perimeter.

Organizations should conduct security testing at least annually, with additional assessments after significant infrastructure changes or before product launches, mergers, or acquisitions.

Organizations with extensive IT estates or stringent compliance requirements may need more frequent tests. Agile or continuous pen testing integrates regular testing into the software development lifecycle, aligning with product release schedules to ensure new features are secure.