5.5 Audits & assessments
📘CompTIA Security+ (SY0-701)
What is Penetration Testing?
Penetration testing (pen testing) is a controlled and authorized simulation of a cyberattack on an organization’s systems, networks, or applications.
The goal is to find security weaknesses before real attackers do.
Think of it as a “friendly hack” done by professionals (often called ethical hackers or penetration testers) to test the security posture of an organization.
The results help improve defenses and ensure compliance with security standards and regulations.
Types of Penetration Testing
Penetration testing can take many forms depending on what is being tested and how it is approached.
1. Physical Penetration Testing
- This test focuses on physical security controls — not just digital ones.
- The goal is to find weaknesses in buildings, facilities, or equipment that could allow an attacker to gain unauthorized physical access to sensitive areas or systems.
In an IT setting this can include:
- Testing whether unauthorized individuals can tailgate or talk their way into server rooms.
- Checking whether security badges, locks, or door controls can be cloned or bypassed.
- Checking whether unattended workstations are left unlocked or live network ports are exposed in public areas such as lobbies and meeting rooms.
Purpose: To ensure that physical protections like locks, access controls, and surveillance systems actually stop an intruder, since physical access to a device usually defeats its logical controls.
2. Offensive Penetration Testing
- This type focuses on actively attacking systems to exploit vulnerabilities.
- It is aggressive and proactive, simulating the actions of real-world attackers.
Example IT scenario:
- Attempting to exploit a misconfigured web application.
- Using tools to bypass authentication mechanisms.
- Exploiting a known software vulnerability to gain administrator access.
Purpose: To identify exploitable weaknesses and test how effective existing defenses are against real attacks.
3. Defensive Penetration Testing
- This approach emphasizes the defender’s point of view — testing how well systems and teams detect and respond to attacks.
- Often combined with Blue Team activities (defensive security teams).
Example IT scenario:
- Running an attack simulation to see if the Security Operations Center (SOC) detects the activity.
- Testing how quickly incident response teams react to simulated intrusions.
Purpose: To strengthen monitoring systems, detection tools, and response procedures.
4. Integrated Penetration Testing
- This combines offensive and defensive testing to form a complete picture of the organization’s security readiness.
- Often referred to as “Purple Teaming” — where the offensive (Red Team) and defensive (Blue Team) work together.
Example IT scenario:
- The Red Team launches simulated phishing or intrusion attacks.
- The Blue Team monitors and responds.
- Both teams analyze results to improve detection, response, and prevention strategies.
Purpose: To enhance overall cybersecurity posture by encouraging collaboration and knowledge-sharing between teams.
Penetration Testing Environments
The amount of information provided to the tester defines the type of test environment:
1. Known Environment (White Box Testing)
- The tester has full knowledge of the systems, network diagrams, source code, credentials, and infrastructure.
- This allows a deep and detailed analysis of security controls.
Example IT scenario:
The tester is given admin credentials and system configurations to identify vulnerabilities faster.
Purpose: To evaluate security from an insider’s perspective and find internal weaknesses.
2. Partially Known Environment (Gray Box Testing)
- The tester has limited information, such as user-level credentials or basic network details.
- Simulates an attacker who has gained partial access or limited insider knowledge.
Example IT scenario:
The tester may know only the domain name and one user account.
Purpose: To balance realism and depth. Starting from limited access shows what an attacker who has already phished one user or compromised one host could reach from there.
3. Unknown Environment (Black Box Testing)
- The tester has no prior knowledge of the target systems or networks.
- Simulates a real-world external attack, where the attacker gathers information from scratch.
Example IT scenario:
The tester only knows the organization’s website URL and starts with reconnaissance.
Purpose: To test the organization’s perimeter defenses and see what an outsider can exploit.
Reconnaissance (Information Gathering)
Reconnaissance is the first phase of penetration testing.
It involves collecting information about the target before launching attacks.
There are two main types: Passive and Active reconnaissance.
1. Passive Reconnaissance
- Involves gathering information without directly interacting with the target’s own systems.
- The goal is to remain undetected: the target sees no traffic it can attribute to the tester.
IT examples:
- Searching public records, websites, or social media for information.
- Using WHOIS records, public DNS data, or search-engine and breach databases to find IP addresses, domain details, and exposed hosts.
- Reading job postings or leaked documents for hints about the technologies in use.
Purpose: To identify potential attack surfaces safely and quietly. The line is drawn at whose systems you touch: looking a domain up in a third-party dataset is passive, while querying the target’s own name servers (or attempting a zone transfer) is interaction with target infrastructure and counts as active.
2. Active Reconnaissance
- Involves direct interaction with the target systems to collect detailed information.
- This phase is more intrusive: every probe generates traffic that firewalls, IDS/IPS sensors, and host logs can record, so it can be detected.
IT examples:
- Using tools like Nmap to scan ports and fingerprint running services and their versions.
- Sending probes to test firewall rules and learn which ports are filtered.
- Mapping the network to identify live hosts and vulnerable devices.
Purpose: To gain a deeper understanding of the target’s structure and possible entry points. Because it is detectable and can affect production systems, active reconnaissance is only done inside the agreed scope and rules of engagement.
Key Phases of a Penetration Test
Although not called out in this objective, understanding the typical workflow helps with exam readiness:
- Planning and Scoping – Define objectives, obtain written authorization, and agree on the rules of engagement (in-scope systems, exclusions, testing windows, and how to escalate if something breaks).
- Reconnaissance – Gather target information (passive and active).
- Exploitation – Attempt to exploit identified vulnerabilities.
- Post-Exploitation – Determine what access or data can be gained, for example by escalating privileges or moving laterally to other systems.
- Reporting – Document findings, risks, and recommendations for remediation.
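To make the active reconnaissance section and the planning and scoping step concrete, here is an added example (written for these notes, not code from CompTIA or any tool vendor): a Python TCP connect scanner that refuses any target outside an agreed scope, run against a throwaway listener on loopback so it can be executed offline and shows both what the scanner finds and what the target side sees. The scope definition (127.0.0.0/8 allowed, 127.0.0.2 excluded), the listener and the five-port range are assumptions made for the demo.

```python
"""Added example (not from the study notes): an active-reconnaissance TCP
connect scan that first checks the target against the engagement's written
scope, plus a throwaway local listener standing in for the target so the
whole thing runs offline.  The scope, addresses and ports are assumptions
made for this demo."""
import ipaddress
import socket

# Assumed rules of engagement for the demo: only loopback is in scope and
# one loopback address is explicitly excluded (think: a fragile legacy host).
SCOPE = {
    "allowed": [ipaddress.ip_network("127.0.0.0/8")],
    "excluded": [ipaddress.ip_address("127.0.0.2")],
}


def in_scope(host, scope=SCOPE):
    """True only if `host` is an IP literal inside an allowed network and not
    on the exclusion list.  Hostnames are rejected so a typo cannot widen the
    engagement to something that was never authorized."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    if addr in scope["excluded"]:
        return False
    return any(addr in net for net in scope["allowed"])


class TargetListener:
    """Stand-in for a target service.  It never replies with data; it only
    queues incoming connections so we can later see who probed it."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def probes_seen(self):
        """Drain the accept backlog; each queued connection is one probe the
        'defender' could have logged.  Non-blocking, so it returns at once."""
        self.sock.settimeout(0)
        peers = []
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:          # BlockingIOError: nothing left queued
                break
            peers.append(peer[0])
            conn.close()
        return peers

    def close(self):
        self.sock.close()


def connect_scan(host, ports, timeout=0.3):
    """Full TCP connect scan: connect_ex() returning 0 means the three-way
    handshake completed, i.e. something is listening.  Refuses out-of-scope
    targets before sending a single packet."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the engagement scope")
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo():
    """Scan a five-port range around a live local listener and report both
    what the scanner found and how many probes the target side saw."""
    target = TargetListener()
    try:
        ports = range(target.port - 2, target.port + 3)
        found = connect_scan("127.0.0.1", ports)
        seen = target.probes_seen()
    finally:
        target.close()
    return {"listener_port": target.port, "open_ports": found,
            "probes_logged": len(seen)}


if __name__ == "__main__":
    print(demo())
```

Run directly, it prints the listener's port inside the open-ports list and that the target side queued exactly one probe. The four refused connections to the neighbouring ports never reach the listener, but a host firewall or IDS would log them, which is the point of the active reconnaissance section: every probe leaves a trail. The scope check runs before any packet is sent; asking it to scan 192.0.2.10 raises PermissionError instead of quietly widening the engagement.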
Why Penetration Testing Matters (for the Exam)
Penetration testing helps organizations:
- Identify and fix vulnerabilities before attackers exploit them.
- Test the effectiveness of security policies, configurations, and controls.
- Validate compliance with regulations (e.g., PCI DSS, ISO 27001).
- Improve incident detection and response capabilities.
- Build stronger collaboration between security and IT teams.
Exam Tip:
When you see exam questions about penetration testing, focus on:
- Understanding the goal of each test type (physical, offensive, defensive, integrated).
- Knowing the difference between known, partially known, and unknown environments.
- Recognizing passive vs active reconnaissance activities.
- Remembering that pen tests are authorized and controlled activities: written permission and rules of engagement are agreed before any testing starts, which is what separates them from malicious hacking.
✅ In Summary:
| Type | Focus | Purpose |
|---|---|---|
| Physical | Tests buildings, hardware, and access controls | Ensure physical protection of IT assets |
| Offensive | Actively attack systems | Find exploitable weaknesses |
| Defensive | Test monitoring and response | Improve detection and incident response |
| Integrated | Combine offense and defense | Strengthen overall security posture |
| Known (White Box) | Full system knowledge | Test internal weaknesses |
| Partially Known (Gray Box) | Limited knowledge | Balance realism and depth |
| Unknown (Black Box) | No prior info | Test external defenses |
| Passive Reconnaissance | Indirect info gathering | Stay undetected |
| Active Reconnaissance | Direct probing | Identify detailed weaknesses |
