Penetration Test Types and Rules of Engagement
Key Takeaways
- Penetration testing validates exploitable risk under authorized conditions.
- Black-box, gray-box, and white-box tests differ by how much information testers receive.
- Rules of engagement define scope, timing, allowed techniques, safety limits, contacts, and reporting expectations.
- A test without written authorization can create legal, operational, and safety risk.
- Penetration test results should include business impact, evidence, risk rating, and remediation guidance.
A penetration test is an authorized attempt to identify and validate exploitable weaknesses. It differs from a vulnerability scan because a pen test may chain findings, attempt exploitation, test detection, and demonstrate business impact. The goal is controlled proof, not uncontrolled disruption.
Test Types
| Type | Tester knowledge | Use case |
|---|---|---|
| Black-box | Little or no internal knowledge | Simulate an outside attacker with limited information |
| Gray-box | Some knowledge, such as a standard user account or architecture summary | Test realistic risk with limited internal context |
| White-box | Full knowledge, source code, diagrams, credentials, or configuration detail | Deep assessment of a system with maximum coverage |
| Internal test | Starts from inside the network or with internal access | Validate lateral movement and segmentation |
| External test | Targets internet-facing assets | Validate exposed services and perimeter controls |
| Web application test | Focuses on application logic and data handling | Test authentication, authorization, input handling, and session security |
| Wireless test | Focuses on wireless networks | Test encryption, rogue access points, and segmentation |
Rules of Engagement
Rules of engagement, or ROE, set the boundaries for the test. They protect the organization, testers, customers, and production systems.
Common ROE elements include:
- Written authorization and approving authority.
- In-scope and out-of-scope systems.
- Testing dates, time windows, and blackout periods.
- Allowed and prohibited techniques.
- Social engineering permissions or restrictions.
- Phishing target rules if phishing is included.
- Data handling requirements.
- Safety limits for denial-of-service, destructive actions, and persistence.
- Emergency contacts and stop-test procedures.
- Logging, evidence, report format, and remediation meeting expectations.
Scenario
A regional bank hires a penetration testing firm to assess its online loan portal. The ROE states that the test may include authentication testing, authorization testing, input validation, session management, and controlled exploitation in a staging environment. Production testing is limited to non-destructive validation during a weekend window. Denial-of-service testing, customer account modification, and persistence mechanisms are prohibited. The testers must call the security operations bridge before starting each testing window.
During testing, the team finds that an authenticated user can change a numeric account parameter and view another applicant's uploaded income document. The report includes the affected endpoint, proof using test accounts, business impact, reproduction steps, log timestamps, and remediation guidance to enforce object-level authorization.
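The object-level authorization check that the report recommends, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the original page or from the bank's portal; the document store, user ids and filenames are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    filename: str

# Constructed sample data: two applicants, each with one uploaded income document.
DOCUMENTS = {
    101: Document(101, owner_id=1, filename="applicant1_income.pdf"),
    102: Document(102, owner_id=2, filename="applicant2_income.pdf"),
}

# Denied attempts are recorded so the SOC can correlate them with the
# log timestamps a pen test report cites.
AUDIT_LOG: list[str] = []

class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested object."""

def get_document_vulnerable(session_user_id: int, doc_id: int) -> Document:
    """Before: the handler trusts the client-supplied numeric parameter and never
    checks ownership, so any authenticated user can read any document by
    changing the id (the finding described in the scenario)."""
    return DOCUMENTS[doc_id]

def get_document_hardened(session_user_id: int, doc_id: int) -> Document:
    """After: object-level authorization. The object is looked up by id, then
    its owner is compared with the user id from the server-side session,
    never with anything the client sent."""
    doc = DOCUMENTS.get(doc_id)
    # Same response for "missing" and "not yours", so the endpoint does not
    # reveal which document ids exist.
    if doc is None or doc.owner_id != session_user_id:
        AUDIT_LOG.append(f"DENY user={session_user_id} doc={doc_id}")
        raise Forbidden(f"user {session_user_id} may not access document {doc_id}")
    return doc

def can_access(session_user_id: int, doc_id: int) -> bool:
    """Convenience wrapper for tests and dashboards: True only when the
    hardened check permits the access."""
    try:
        get_document_hardened(session_user_id, doc_id)
        return True
    except Forbidden:
        return False
```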
Reporting
A useful penetration test report usually includes:
- Executive summary.
- Scope and methodology.
- Finding severity and business impact.
- Technical evidence and reproduction steps.
- Exploitation chain where relevant.
- Affected assets.
- Remediation recommendations.
- Retest results after fixes.
Common Traps
- Running tests without written authorization.
- Running destructive actions against production systems without approval.
- Confusing vulnerability scanning with penetration testing.
- Reporting only technical jargon without business impact.
- Omitting data handling rules for captured credentials or files.
- Letting the test scope expand informally during the engagement.
Practice Questions
A tester is given source code, architecture diagrams, test accounts, and configuration details. What type of test is this?
Which item is most important before any penetration testing begins?
Which details belong in rules of engagement? Select three.