Types of Penetration Testing: Which One Does Your Organization Need?
A clear breakdown of the main types of penetration testing—web app, network, API, cloud, mobile, and more—so you can buy the right test for your stack.
The types of penetration testing you need to know before you buy
Not all pentests are the same. A web application test and a network test are completely different engagements: different methodologies, different tools, different findings, different price points.
That sounds obvious, but you'd be surprised how many security leaders request "a pentest" without specifying what they actually want tested. The result? Scoping calls that drag on, proposals that price things you didn't mean to include, and occasionally a test that misses the attack surface that actually matters for your business.
This guide cuts through the confusion. Here are the main types of penetration testing, what each one covers, and how to figure out which is right for your organization.
Web application penetration testing
This is the most common type, and for good reason. If your company has a SaaS product, a customer portal, an admin dashboard, or any web-based interface that handles user data, web app penetration testing is usually where you start.
A web application pentest examines everything from authentication and session management to business logic flaws, injection vulnerabilities, and access control issues. A good tester doesn't just run a scanner; they manually probe the application's unique logic, looking for things automated tools will miss.
Common findings include broken authentication, insecure direct object references (IDOR), SQL injection, cross-site scripting (XSS), and privilege escalation. According to recent testing data, around 85% of findings across all pentest types are exploitable over the network, and web apps make up most of that surface area.
When to prioritize it: You're a SaaS company, you handle user data, you're preparing for SOC 2 or enterprise sales, or you've recently shipped major new features. Also: if you haven't tested your web app since it launched, start here.
API penetration testing
APIs are the connective tissue of modern software, and one of the most consistently underprotected attack surfaces. API penetration testing focuses specifically on your application programming interfaces: REST APIs, GraphQL endpoints, internal microservices, and third-party integrations.
The problem with APIs isn't just that they handle sensitive data. It's that they're often built quickly, documented inconsistently, and rarely audited with the same scrutiny as the front-end application. The OWASP API Security Top 10 documents the most common failures: Broken Object Level Authorization (BOLA), excessive data exposure and mass assignment (grouped as Broken Object Property Level Authorization in the 2023 edition), and missing rate limiting (Unrestricted Resource Consumption in the 2023 edition).
A web app test will cover some API surface area, but if your product is API-heavy or you expose APIs to partners and third parties, you need dedicated API testing.
When to prioritize it: You have public or partner-facing APIs, your product is backend-heavy or microservices-based, or your web app test scope doesn't explicitly include your API layer.
53% of network-exploitable vulnerabilities require no authentication to exploit. Many of those live in unprotected or misconfigured API endpoints.
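The object-level (IDOR/BOLA) and property-level (mass assignment) failures named above, and again in the FAQ at the end of this page, as an added example. This is not code from the original article: the invoice and profile records, the `Session` object and the handler names are hypothetical, and plain Python functions stand in for route handlers so the pattern is framework-agnostic. Each vulnerable handler sits next to its hardened form, and `enumerate_ids` does what a tester does with one low-privilege account.

```python
"""Object-level and property-level authorization: vulnerable handlers next to hardened ones.

Added example, not code from the original article. The invoice and profile
records, the Session object and the handler names are hypothetical; plain
functions stand in for route handlers so the pattern is framework-agnostic.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Session:
    """What the server knows about the caller after authentication."""
    user_id: int
    role: str = "user"


# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1001: {"id": 1001, "owner_id": 1, "amount": 120.0, "card_last4": "4242"},
    1002: {"id": 1002, "owner_id": 2, "amount": 980.0, "card_last4": "1881"},
}
PROFILES = {
    1: {"id": 1, "email": "alice@example.test", "display_name": "Alice", "role": "user"},
    2: {"id": 2, "email": "bob@example.test", "display_name": "Bob", "role": "user"},
}


# --- IDOR / Broken Object Level Authorization -----------------------------

def get_invoice_vulnerable(session: Session, invoice_id: int) -> Optional[dict]:
    """Authenticated, but never asks whether the caller owns the record."""
    return INVOICES.get(invoice_id)


def get_invoice(session: Session, invoice_id: int) -> Optional[dict]:
    """Object-level check: the record must belong to the caller, or the caller
    must be an admin. Missing and not-yours both return None so the response
    does not tell a tester which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice["owner_id"] != session.user_id and session.role != "admin":
        return None
    return invoice


def enumerate_ids(handler: Callable[[Session, int], Optional[dict]],
                  session: Session, id_range: Iterable[int]) -> list:
    """What a tester does: walk sequential IDs with one low-privilege account
    and record every ID the handler hands back."""
    return [i for i in id_range if handler(session, i) is not None]


# --- Mass assignment / Broken Object Property Level Authorization ----------

WRITABLE_PROFILE_FIELDS = {"email", "display_name"}


def update_profile_vulnerable(session: Session, payload: dict) -> dict:
    """Merges every key in the request body, so a body containing
    {"role": "admin"} promotes the caller. Returns the updated copy."""
    return {**PROFILES[session.user_id], **payload}


def update_profile(session: Session, payload: dict) -> dict:
    """Allowlist: only fields the user is permitted to set are merged;
    everything else in the body is ignored (rejecting it outright is also fine)."""
    allowed = {k: v for k, v in payload.items() if k in WRITABLE_PROFILE_FIELDS}
    return {**PROFILES[session.user_id], **allowed}


if __name__ == "__main__":
    alice = Session(user_id=1)
    print("IDs leaked by the vulnerable handler:",
          enumerate_ids(get_invoice_vulnerable, alice, range(1000, 1010)))
    print("IDs returned by the hardened handler: ",
          enumerate_ids(get_invoice, alice, range(1000, 1010)))
    print("role after vulnerable update:",
          update_profile_vulnerable(alice, {"role": "admin"})["role"])
    print("role after hardened update:  ",
          update_profile(alice, {"role": "admin"})["role"])
```

Two design points worth noting when you read a pentest report on this class of bug. The hardened read handler answers "not found" for both a missing record and someone else's record, so the response code cannot be used to confirm which IDs exist. The hardened update handler uses an allowlist rather than a denylist: a denylist of "role" alone would miss the next privileged field someone adds to the model.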
Network penetration testing
Network pentesting comes in two flavors, and they test very different things.
External network penetration testing
An external network pentest simulates what an attacker sees from the internet. The tester starts with no internal access and probes your perimeter: open ports, exposed services, VPN gateways, firewall rule gaps, outdated software on internet-facing infrastructure. The goal is to find paths from "outside your organization" to "inside your systems."
External tests are often required for compliance frameworks. They're also a good baseline check for any company that hasn't mapped what it's exposing to the internet, which is usually more than the team thinks.
Internal network penetration testing
An internal network pentest starts from inside your network, simulating either a malicious insider or an attacker who's already gotten past your perimeter. Testers look at lateral movement paths, privilege escalation opportunities, Active Directory weaknesses, unpatched internal services, and whether someone with limited access could reach your crown jewels.
Internal tests often produce the scariest findings. Most companies focus heavily on perimeter defense but leave the internal network relatively flat. If an attacker gets in, they can often move freely.
External tests surface vulnerabilities almost twice as often as internal tests do, but when an internal test uncovers a path to your database or domain controller, that's the finding that keeps security leaders up at night.
When to prioritize external: Regular cadence, compliance requirements, any significant infrastructure changes. When to prioritize internal: You haven't done one before, you've had a breach or near-miss, or you're validating your detection and segmentation controls.
Cloud penetration testing
Cloud infrastructure has its own distinct attack surface. Cloud penetration testing examines your AWS, Azure, GCP, or multi-cloud environment for misconfigurations, over-privileged IAM roles, exposed storage, insecure serverless functions, and weaknesses in how your cloud environment is segmented.
A typical enterprise pentest only covers around 20% of the actual application portfolio. For companies running significant workloads in the cloud, the untested remainder usually includes the cloud infrastructure itself.
Common findings in cloud pentests: S3 buckets or Azure Blob Storage containers left publicly accessible, IAM roles with far more permissions than they need, EC2 instances with open security groups, secrets hardcoded in Lambda functions, and missing logging configurations.
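Three of the findings listed above (a bucket policy open to anyone, an IAM statement that pairs a wildcard action with a wildcard resource, and a security group open to the whole internet on a non-web port) reduce to checks you can run over the policy documents. The following is an added example, not code from the original article: the functions are hypothetical, and the three documents are constructed samples shaped like the JSON that `aws s3api get-bucket-policy`, `aws iam get-policy-version` and `aws ec2 describe-security-groups` return, not output from a real account.

```python
"""Three cloud misconfiguration checks, run offline over constructed documents.

Added example, not code from the original article. The documents below are
constructed samples shaped like AWS CLI output, not data from a real
account; in a real review you would pull them with the CLI or SDK and feed
them to the same functions.
"""


def _as_list(value):
    """IAM documents allow a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """Both "*" and {"AWS": "*"} mean anonymous access in a bucket policy."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_bucket_statements(policy: dict) -> list:
    """Sids of Allow statements granted to anyone and not narrowed by a Condition.
    Caveat: any Condition suppresses the finding, even a weak one; a human still
    reads those statements."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            and _principal_is_anyone(stmt.get("Principal"))
            and not stmt.get("Condition")]


def overprivileged_statements(policy: dict) -> list:
    """Sids of Allow statements pairing a wildcard action ("*" or "svc:*") with
    Resource "*". NotAction / NotResource are not handled here."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        if wild_action and "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


WEB_PORTS = {80, 443}


def world_open_ingress(group: dict) -> list:
    """Ingress rules reachable from 0.0.0.0/0 or ::/0 on anything other than a
    single HTTP/HTTPS port, as 'proto/from-to' strings."""
    hits = []
    for perm in group.get("IpPermissions", []):
        cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & {"0.0.0.0/0", "::/0"}:
            continue
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":                      # all protocols, all ports
            hits.append("all traffic")
        elif not (lo == hi and lo in WEB_PORTS):
            hits.append(f"{proto}/{lo}-{hi}")
    return hits


# --- Constructed sample documents (not from a real account) ---------------

SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-backups/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-backups/exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}

SAMPLE_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaLogs", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "GuardRail", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

SAMPLE_SECURITY_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}


def review_all() -> dict:
    """Run every check over the samples; each value is the list of offenders."""
    return {
        "public_bucket_statements": public_bucket_statements(SAMPLE_BUCKET_POLICY),
        "overprivileged_statements": overprivileged_statements(SAMPLE_IAM_POLICY),
        "world_open_ingress": world_open_ingress(SAMPLE_SECURITY_GROUP),
    }
```

Against the samples, `review_all()` flags the `PublicRead` statement, the `TooBroad` statement, and two security group rules (SSH from anywhere, and all traffic from any IPv6 address); the 443 rule, the statement narrowed by a VPC endpoint condition, and the database port limited to 10.0.0.0/8 pass. A real cloud tester does not stop at policy text: for buckets they also check account and bucket level Block Public Access settings and object ACLs, and for IAM they evaluate what the role can actually do with the permissions it has, which is where the cloud-specific attack paths show up.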
Cloud pentesting requires testers with specific cloud expertise; it's not just network testing with a different backdrop. The attack paths are genuinely different: an over-permissive IAM role or a leaked access key often matters more than an open port. Make sure whoever you hire has worked with the specific platform you're running on, and check that platform's penetration testing policy before the engagement starts. The major providers let you test resources you own without prior approval, but they prohibit some activity (denial-of-service testing, for example), and the tester has to stay inside those rules.
Cloud penetration testing is projected to grow at a 16.6% CAGR through 2031, faster than any other pentest category, reflecting how much critical infrastructure has moved to the cloud.
When to prioritize it: You run significant workloads on AWS, Azure, or GCP. You've never audited your cloud environment. Your engineering team moves fast and provisions infrastructure regularly. You're preparing for SOC 2 or ISO 27001 and cloud misconfiguration is in scope.
For more on how cloud testing intersects with compliance requirements, see our penetration testing compliance guide.
Mobile application penetration testing
Mobile app penetration testing covers both the client-side application (iOS and Android) and the server-side APIs it communicates with. Testers reverse-engineer the app binary, inspect local data storage, analyze network traffic, attempt to bypass certificate pinning, and evaluate how the app handles authentication and session tokens.
Mobile pentesting is more specialized than web app testing and typically costs more. But if your product has a mobile app that handles sensitive data (health information, financial data, authentication credentials), it deserves dedicated attention. A tester focused purely on your web app won't catch issues specific to the mobile client, such as tokens stored unprotected on the device.
When to prioritize it: You have a customer-facing mobile app, especially in healthcare, fintech, or any regulated sector. You're shipping significant new mobile features. You've done web app testing but never specifically tested the mobile surface.
Social engineering testing
Social engineering testing evaluates the human side of your security posture: specifically, how susceptible your employees are to phishing, vishing (voice phishing), and pretexting attacks.
Phishing simulations send realistic fake emails to employees and measure click rates, credential submission rates, and whether suspicious emails are reported to the security team. More advanced engagements layer in phone-based pretexting, physical access attempts, or USB drop tests.
Social engineering tests aren't just about embarrassing your staff. The findings reveal training gaps, reporting process failures, and technical controls (email filtering, MFA enforcement) that aren't working as intended.
When to prioritize it: You've had a phishing-related incident or near-miss. You're required to demonstrate security awareness training efficacy for compliance. You want a full-picture view of your attack surface that includes the human layer.
Black box, gray box, and white box: the methodology layer
These terms often get confused with pentest types, but they're actually describing the information the tester starts with, not what's being tested.
| Approach | What the tester knows | Best for |
|---|---|---|
| Black box | Nothing; simulates an external attacker with no prior access | Realistic external simulation |
| Gray box | Credentials and partial architecture information; simulates an insider or authenticated user | Most web app and API tests |
| White box | Full source code, architecture docs and credentials; simulates a thorough internal audit | Finding the maximum number of vulnerabilities |
Most web application and API pentests use a gray box approach: testers get valid user accounts and API credentials, which lets them test authenticated functionality without burning all their time on reconnaissance.
Pure black box tests sound realistic, but they're often inefficient: testers spend the first third of an engagement doing reconnaissance that you could have handed them in 20 minutes. White box tests find the most vulnerabilities but take longer and cost more.
There's no universally right answer. If you're validating what an external attacker could do, lean black box. If you want to find as many issues as possible in your application, lean gray or white.
How to decide which pentest you need
Here's a practical decision framework based on organization type:
Early-stage SaaS startup (pre-Series A): Start with a web application and API pentest. Add external network if you're preparing for enterprise sales or SOC 2. Cloud testing can follow once your infrastructure is more mature.
Growth-stage SaaS or fintech (Series A–C): Web app, API, and cloud are all in scope. If you haven't done an internal network test, now is the time. Consider adding mobile if you have a native app.
Enterprise or heavily regulated organization: Annual external network test, regular web app testing, cloud assessment, and periodic internal network testing. Social engineering testing is often required for compliance and worth running annually.
Preparing for SOC 2 or ISO 27001: Review our penetration testing compliance guide for what each framework actually requires. Most auditors expect at minimum an external network and web application test.
First pentest ever: Gray box web application test is usually the highest-value starting point. It'll surface the most actionable findings for the budget, and you can build from there.
If you're not sure what to scope, a good pentest firm will help you figure it out. That said, come in with a sense of what your highest-risk surface areas are; that context helps them scope accurately. See our guide on questions to ask before hiring a pentest firm for how to evaluate whether a vendor can actually help you scope properly.
For budget considerations across all these test types, the penetration testing cost guide breaks down typical price ranges by engagement type.
Not sure what your biggest attack surface actually is? Book a free consultation with our team and we'll walk you through what a pentest engagement looks like for your specific stack.
Frequently Asked Questions
What is the most common type of penetration testing?
Web application penetration testing is the most commonly requested type, particularly among SaaS companies and organizations preparing for SOC 2 certification. Most companies have more web app attack surface than any other category, and web app findings tend to be directly actionable for development teams.
Do I need to do all types of penetration testing?
No. Start with what's most relevant to your stack and your risk profile. A company with no mobile app doesn't need a mobile pentest. A company running exclusively in the cloud with no on-premises infrastructure probably doesn't need a traditional internal network test, but the equivalent assumed-breach question (what can an attacker do with one compromised workload or one leaked credential?) belongs in the scope of the cloud test. Scope to your actual attack surface.
How is API penetration testing different from web application testing?
Web app testing covers the browser-based interface and often includes some API coverage. Dedicated API testing goes deeper, testing all API endpoints systematically, including those not exposed through the UI, and checking for API-specific vulnerabilities like BOLA, broken function-level authorization, and mass assignment issues.
What's the difference between a penetration test and a vulnerability scan?
A vulnerability scan runs automated tools to identify known weaknesses, mostly by matching versions and signatures. A penetration test takes that further: a human tester attempts to actually exploit vulnerabilities, chain findings together, and demonstrate real-world impact. Scans produce long lists that include false positives; pentests produce evidence of what's actually exploitable.
How often should I do each type of penetration test?
As a baseline: annual testing for each relevant type, plus a retest after a significant change to the system in scope (a new authentication flow, a migration, a major feature). More frequent testing (quarterly or continuous) is appropriate for high-change environments, regulated industries, or organizations with mature security programs. Most compliance frameworks specify annual minimums, and some also require testing after significant changes.