Penetration Testing

Penetration testing is a cybersecurity assessment that involves simulating a real-world cyberattack on a computer system, network, or application to identify vulnerabilities and weaknesses and then assess their impact by exploiting them.

Penetration Testing Types

There are different types of penetration testing; the ones below are categorized by the medium being tested.

Focuses specifically on identifying vulnerabilities in web applications, such as SQL injection, cross-site scripting (XSS), and other web-specific vulnerabilities.

Focuses on assessing a group of endpoints (devices such as computers, laptops, workstations, etc.) and servers within a network to identify vulnerabilities in individual devices and servers that could be exploited by attackers to compromise the overall network security.

Concentrates on assessing the security of mobile applications, including both Android and iOS platforms.

Evaluates the security of wireless networks, including Wi-Fi, to identify vulnerabilities that could be exploited by unauthorized users.

API penetration testing involves assessing the security of Application Programming Interfaces (APIs), which are sets of rules that allow different software applications to communicate and share data.

It involves assessing the security of applications that run on the client-side (end-user device) and have a significant portion of their functionality executed locally. Unlike thin clients, which rely heavily on server-side processing, thick clients perform a substantial amount of processing on the user’s machine.

Assesses the physical security of a facility, including access controls, surveillance systems, and other measures to prevent unauthorized physical access.

Simulating attacks that exploit human vulnerabilities to gather information or gain unauthorized access.

ICS (Industrial Control Systems) penetration testing involves evaluating the security of critical infrastructure components used in industrial settings such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), SCADA software, and other devices used to control and monitor industrial processes.

Red teaming is not penetration testing! I list it here because people confuse red teaming with pentesting, and to let you know that we do red teaming assessments too.

Red teaming is a cybersecurity practice that involves simulating real-world cyberattacks on an organization’s systems, networks, and processes. The objective is to assess the effectiveness of security defenses, detect vulnerabilities, and identify weaknesses in the overall security posture. Red teaming goes beyond traditional penetration testing by adopting a holistic and adversarial approach, often simulating the tactics, techniques, and procedures (TTPs) of sophisticated attackers.

Penetration Testing Methodology

There are different methodologies, based on different standards (such as OWASP, NIST SP 800-15, OSSTMM, etc.) and on the tested medium. However, below is a general penetration testing methodology:

[Figure: penetration testing life cycle]

Why You Need Penetration Testing

  • Identify and Remediate Vulnerabilities Before Hackers Do
  • Prepare for Emerging Threats and Technologies
  • Enhance Blue Team Capabilities
  • Ensure Regulatory Compliance (PCI DSS, HIPAA, etc.) and Data Protection
  • Assess Third-Party Security Risks
  • Protect Brand Reputation and Customer Trust

Our services include black-box, gray-box, and white-box penetration testing.

Schedule a meeting with us to learn more about how we can help you.