Penetration testing
A penetration test ("pen test") is a controlled attempt to break into a system to find vulnerabilities before real attackers do. Conducted by ethical hackers with the owner's permission, it provides a real-world security assessment.
Why pen test?
- Find vulnerabilities that automated scanners miss.
- Test defences in depth — does the firewall stop the attack? Do the logs raise an alert? Are the backups usable?
- Compliance with standards (PCI-DSS, ISO 27001).
- Validate fixes — re-test after patching to confirm the issue is closed.
Black-box vs white-box
The two approaches named in the AQA specification differ in how much information the tester is given.
Black-box testing
The tester has no inside information — no source code, no architecture diagrams, no credentials. They start from outside, just like a real external attacker.
Pros:
- Realistic — simulates an outsider attack.
- Tests external-facing defences first.
Cons:
- May miss internal vulnerabilities not reachable from outside.
- Time-consuming reconnaissance.
- May fail to discover deep bugs that require code knowledge.
White-box testing
The tester has full information — source code, network diagrams, credentials, architecture documents.
Pros:
- Thorough — every layer can be examined.
- Faster — no time wasted reconnoitring.
- Finds deep code-level issues (logic flaws, race conditions).
Cons:
- Less realistic — real attackers usually don't have source code.
- Can produce a flood of theoretical issues.
- Requires more trust in the tester.
Grey-box (extension)
Hybrid — partial information, e.g. test credentials but no source code. Common in practice.
Process of a pen test
- Scope — decide what's in/out of bounds (don't accidentally break production).
- Reconnaissance — gather information (DNS, exposed services).
- Scanning — automated tools find open ports and known vulnerabilities.
- Exploit — attempt to gain access.
- Post-exploit — see how far you can go (privilege escalation, data exfiltration).
- Report — write findings, severity, recommendations.
- Remediation and retest — system owner fixes; tester re-tests.
Limits of pen testing
- Snapshot in time — system may change tomorrow.
- Limited duration — testers may not find deep issues an attacker has months to find.
- Scope-bound — only tests what's agreed.
- Not a substitute for secure design — finds bugs but won't redesign your security architecture.
- Ethical and legal — only with written permission from the owner.
✦ Worked example — choose approach
A bank wants to assess its public banking website's security.
- Black-box test simulates external attackers B1.
- Realistic — most threats come from outside B1.
- Pair with a white-box review of the source code to catch deeper logic flaws B1.
- Combination gives broad and deep coverage B1.
⚠ Common mistakes — Pitfalls
- Calling all penetration testing illegal. Authorised pen testing is legal and standard.
- Treating pen test as one-and-done. Repeat regularly; threats evolve.
- Confusing pen test with vulnerability scan. Vulnerability scans are automated; pen tests include human creativity and exploitation.
- Skipping the report. The findings are the deliverable — without a clear, actionable report, the test is wasted.
- Believing white-box is always better. Black-box may catch findings a real attacker would reach that white-box theorising misses.
✦ Worked example — pen-test outcome
A pen tester finds:
- A web form vulnerable to SQL injection (high severity).
- Weak passwords on test accounts (medium).
- An old version of a library with known CVEs (high).
Recommendations: parameterised queries to prevent SQL injection, enforce strong passwords + lockout, update library, retest.
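The first finding and its fix, as an added example that is not part of the original page: a lookup that splices the form input into the SQL text, beside the parameterised version the recommendations call for, with the retest that confirms the hardened lookup treats quote characters as data. The users table, names and the `retest` helper are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: an in-memory users table standing in for the
# web form's backing database (an assumption, not the page's own system).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "customer"), ("bob", "customer"), ("admin", "staff")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The finding: user input is spliced into the SQL text, so quote
    # characters in the input change the structure of the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a parameterised query. The driver binds the input as a value,
    # never as SQL text, so it can only ever be compared against usernames.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def retest(conn: sqlite3.Connection) -> dict:
    # The retest step from the report: a normal name must still work, and an
    # input containing SQL syntax must be treated as a literal that matches
    # nothing. The same probe against the unfixed lookup shows why it was high
    # severity: it returns every row instead of none.
    probe = "x' OR '1'='1"
    return {
        "normal_safe": lookup_safe(conn, "alice"),
        "probe_unsafe_rows": len(lookup_unsafe(conn, probe)),
        "probe_safe_rows": len(lookup_safe(conn, probe)),
    }

if __name__ == "__main__":
    print(retest(make_db()))
```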
➜ Try this — Quick check
For each scenario, choose black-box, white-box or grey-box:
- Test how well a website resists external attack: black-box.
- Code review of a banking app's authentication module: white-box.
- Insider tester who has user credentials but no source: grey-box.
- Compliance assessment by external auditor without source: black-box.
AI-generated · claude-opus-4-7 · v3-deep-computer-science