top of page

Types of Penetration Testing

Here are some of the common types of pentesting we perform.

Internet Facing Systems

If it's on the internet, its going to be attacked.

Web Application Penetration Pentesting

Web Applications are often complex, internet facing, hold sensitive data, and bespoke. This combination of factors tends to make them highly vulnerable to cyber attacks. We test these applications from various different privilege levels, attempting to gain access to any data and functionality which should be restricted.

External Infrastructure Pentesting

Apart from your internet facing web site, anything else you have facing the internet needs to be robust enough to stand up to regular cyber attacks.

Phishing Exercises

Email is another system which connects you to the rest of the internet. We recommend that all organisations run phishing exercises. This can be a simple exercise to raise awareness and test how many users are interacting with untrusted senders, to more extensive realistic tests where we try to gather credentials and access your internal systems. These tests can also be used to test how your organisation responds to such incidents.

Internal Threats

Not every attack comes over the internet

Internal Infrastructure Pentest

If an attacker is able to gain access to your internal network, either because they are physically in the building or because they've been able to exploit an issue from the outside the number of systems they can access increases drastically. We will identify systems that can be compromise with internal access, and how initial compromise can be used to leverage access to more systems.

In our experience, it often far to easy for the compromise of one system to result in a domino effect where access can be leverage to get more access. Often this process can be repeated until all machines in the network are compromised.


Your WiFi networks not as secure as the physical ports at your desk. They can be accessed in areas outside your control, much further with use of specialised equipment. 

WiFi access is also often offered for guests and staff personal devices, usually by the equipment. WiFi testing includes testing the boundaries between these networks to make sure there no way into sensitive systems from these low security networks.

Stolen Laptop Assessment

Laptops will get lost and stolen. Most organisations use disk encryption like Windows BitLocker to protect against this, but in the most common configurations a skill attacker with the right tools can usually bypass this and still gain access to the laptop. If your potential threats include hackavists, motivated cyber criminals, and nation states you should consider this form of testing.

Read more on our Stolen Laptop Assessment service page.

Device Testing

Testing ATMs, IoT, Entry Systems 

ATM Assessments

One of our areas of Expertise is ATM security assessments, ATMs are devices where the physical security is often limited and attackers are highly motivated because of the potential payoff. We help companies who manufactures and supply ATM machines make them more resistant to physical and cyber attacks,


Learn more on our ATM Assessment page.

bottom of page