Hard2bit
← Back to the cybersecurity blog

What is penetration testing: types, methodology, phases and when it is worth it for a business

By Thilina Manana · COO y Director Técnico de Seguridad hard2bit · Published: 08 July 2026 · Updated: 08 July 2026
What is penetration testing: types, methodology, phases and when it is worth it for a business

A penetration test (pentest) is a controlled, authorised attack against your own systems, run by security professionals to find out what a real attacker could actually do — not in theory, but in practice. Where a scan lists weaknesses, a pentest proves which of them can be chained together to reach something that matters: a database, a domain administrator, a payment flow.

This guide covers what a pentest is and is not, the main types, the methodology behind a serious engagement, when it is worth doing and where it stops being enough.

At a glance

  • The point: prove real, exploitable impact, not just the presence of vulnerabilities.
  • The types: web, external and internal network, Active Directory, API, cloud, Microsoft 365, mobile and wireless — black, grey or white box.
  • The method: scoping, reconnaissance, threat modelling, controlled exploitation, post-exploitation and a report you can act on.
  • The limit: a pentest is a point-in-time snapshot; continuous risk needs vulnerability management and monitoring too.

What a penetration test actually is

A pentest simulates the behaviour of a real adversary within an agreed scope and set of rules. The testers do not just confirm that a flaw exists; they exploit it in a controlled way to demonstrate the consequence — access gained, data reachable, privilege escalated. That evidence is what turns an abstract risk into a decision a board can act on.

What a pentest is not

It is not an automated vulnerability scan, and it is not a security audit. A scan produces a list; an audit reviews posture and controls for breadth; a pentest goes deep on exploitability. Confusing the three is the most common — and most expensive — mistake when buying offensive security.

The most common types of pentest

Engagements are usually scoped by target: web applications, external network perimeter, internal network, Active Directory, APIs, cloud, Microsoft 365, and mobile or wireless. Most organisations start where their exposure and their crown jewels are — typically public web and identity.

Types by level of information: black, grey and white box

Black box means the testers start with no inside knowledge, mimicking an external attacker. White box gives them full information — architecture, credentials, source — for maximum coverage. Grey box sits in between and is the usual pragmatic choice: enough context to be efficient, without hiding the parts a determined attacker would eventually find anyway.

The methodology of a well-run pentest

A serious engagement follows a disciplined sequence: pre-engagement and rules of engagement; reconnaissance and intelligence gathering; threat modelling and attack-surface analysis; vulnerability analysis; controlled exploitation; post-exploitation to validate real impact; and a report that is genuinely useful. Skipping the early and late phases is how tests end up as noise — either scope creep or a wall of findings nobody can prioritise.

Is a pentest mandatory? Regulation and certifications

Several frameworks expect regular testing. PCI DSS requires penetration testing for cardholder environments; DORA pushes financial entities towards threat-led testing; NIS2 expects risk-based technical testing as part of managing risk; and ISO 27001 and Spain's ENS both treat regular testing as evidence of a working control environment. Even where it is not named explicitly, a pentest is often the cleanest way to demonstrate the control.

Pentest, audit, red team and vulnerability management

These are complementary, not interchangeable. An audit measures breadth of posture; a pentest proves depth of exploitability; a red team tests detection and response against a realistic adversary; and vulnerability management keeps risk down between tests. Choosing among them starts with the question you are trying to answer — we compare two of them directly in security audit vs penetration testing.

Common mistakes when buying a pentest

The usual traps: scoping by price instead of by risk, accepting an automated scan dressed up as a pentest, and treating the report as the end rather than the start. A test only pays off if the findings are prioritised and remediated — which is where what vulnerability management includes picks up.

The bottom line

A pentest answers a specific, valuable question: what could a capable attacker actually achieve here, today? Used at the right moments — before a launch, after major change, on a regular cadence for regulated systems — it is one of the highest-signal investments in security. If you want help scoping one, get in touch.

Frequently asked questions

What methodology is used in a professional penetration test?

A serious pentest follows a disciplined sequence: pre-engagement and rules of engagement, reconnaissance, threat modelling and attack-surface analysis, vulnerability analysis, controlled exploitation, post-exploitation to validate real impact, and an actionable report. Recognised references such as OWASP and PTES underpin the approach.

How often should a penetration test be done?

A common baseline is annually and after any significant change — a new application, a major architecture change, or a migration. Regulated environments (for example PCI DSS or DORA-driven testing) may require a set cadence, and higher-risk systems benefit from more frequent testing combined with continuous vulnerability management.

What types of penetration test exist?

Engagements are usually scoped by target: web application, external and internal network, Active Directory, API, cloud, Microsoft 365, and mobile or wireless. Each can be run as black, grey or white box depending on how much information the testers are given.

What is the difference between a pentest and a vulnerability scan?

A scan is automated and produces a list of potential weaknesses. A pentest is a human-led, controlled attack that proves which of those weaknesses can actually be exploited and chained together to reach something that matters.

Is a penetration test mandatory?

It depends on your context. PCI DSS requires it for cardholder environments, DORA drives threat-led testing for financial entities, and NIS2, ISO 27001 and Spain's ENS expect risk-based testing as evidence of a working control environment. Even where not named explicitly, it is often the clearest way to demonstrate the control.

What should a good penetration test report include?

An executive summary with business impact, a prioritised list of findings with clear severity, reproducible technical detail, and concrete remediation guidance. A wall of findings with no prioritisation is a sign of a weak engagement.