Internal and External Penetration Testing
A distinction is also sometimes made between internal and external penetration testing. Where the previous Black/Grey/White classification categorizes tests by what the tester knows and can access, the Internal/External classification categorizes them by where the testing originates.
External Penetration Testing simulates an attack originating from outside the organization, specifically targeting internet-facing assets such as web applications, firewalls, and public servers. The primary objective is to uncover vulnerabilities that an external attacker could exploit. Common targets include websites, virtual private networks (VPNs), and cloud resources. These tests cover a range of scenarios, including misconfigurations, compromised passwords, and outdated software.
Internal Penetration Testing simulates an attacker who has already gained access to the internal network. It focuses on internal security controls, access permissions, and lateral movement capabilities, targeting internal systems, applications, and sensitive data.