Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

What is Penetration Testing? Types of Pen Tests, Methods & Processes

Maintaining cyber security is of vital importance for all organisations; successful cyber attacks can have devastating consequences, including operational disruption, reputational damage, legal and regulatory penalties, and financial losses.  To avoid these consequences, it is essential that you not only implement robust and comprehensive cyber security measures, but also that you test these measures’ efficacy and establish whether any weaknesses exist in your organisation’s IT environment.   Penetration testing is perhaps the most effective means of doing so, enabling you to proactively identify and address vulnerabilities before they can be maliciously exploited.

What is Penetration Testing?

Penetration testing, also known as pen testing, is a form of cyber security test in which a cyber expert conducts a simulated cyber attack on an IT system, network, infrastructure, application, etc., in order to inform improvements to an organisation’s security posture.  

Regular penetration testing can assist with compliance/conformance with particular standards and regulations, including with ISO 27001 or the General Data Protection Regulation (GDPR).  It is even a mandatory requirement for compliance with some standards, such as the Payment Card Industry Data Security Standard (PCI DSS).  Third parties, such as prospective clients, may also request that you perform penetration testing.

Pen Test Definition

A penetration test is a simulated attack of an IT system which has been authorised by the system owner to assess its security posture.  A penetration tester will mimic the approach of a genuine threat actor, using the same processes, tools and techniques to identify and exploit system vulnerabilities, and demonstrate the potential impacts on the organisation if a real attack were to occur.

The Importance of Pen Testing

Performing penetration testing on a regular basis is a fundamental pillar of an effective and comprehensive cyber security strategy.  Ultimately, the best way to understand how your cyber defences could be improved is by experiencing and learning from an attack; a penetration test provides you with the opportunity to extract these learning benefits without the risks and consequences associated with a genuine attack.

Types of Penetration Tests

There are a range of penetration tests types available for your organisation to leverage, depending on its unique needs and concerns.  The type of pen test will be are defined to a large degree by the aspect of your environment being tested (web or mobile applications, cloud environments, infrastructure and networks, etc.), however they can also be defined by the testing approach (business-led pen testing).  

The following are some of the most common types of penetration tests:


A web application penetration test involves an assessment of the architecture, design and configuration of your web applications and application programming interfaces (APIs).  Here, the tester will review each page within the tested website to understand if any vulnerabilities exist, such as coding, design and development weaknesses, and attempt to exploit these.


In a mobile application pen test, the tester will evaluate the security posture of mobile apps that are deployed to either Apple iOS or Android devices.  These tests are conducted to establish whether any vulnerabilities are present that could enable a malicious user to misuse the application, and prevent it from operating as intended.


In a cloud penetration test, the tester will look for vulnerabilities in an environment hosted by a cloud service provider.  This type of testing can cover a range of deployments, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), as well as other cloud deployment models such as individually-managed virtual machines, automated deployments and configuration, cloud services or container solutions.

Network & Infrastructure

Infrastructure penetration testing, also known as network penetration testing, involves a tester identifying and exploiting vulnerabilities in your organisation’s network.  There are two types of network and infrastructure pen tests to consider:

Internal Network

In an internal network pen test, the tester will be provided with initial, legitimate access to your network that they will then attempt to exploit, allowing you to establish the extent to which a malicious employee/user, or a threat actor posing as one, could negatively impact your organisation.

External Network

External network penetration tests, on the other hand, are conducted without any initial access or privileges being provided to the tester, and vulnerabilities are discovered using only external and public-facing assets and information.


Whilst other types of penetration tests are often performed for compliance purposes (i.e., to conform/comply with a standard or regulation, or to meet contractual requirements), URM’s specialised business-led penetration testing is conducted to address any specific issues and risks your organisation faces.  In a business-led pen test, the testing scope is defined by your organisation’s unique concerns rather than external requirements, providing you with much greater flexibility in the focus of the test.

Penetration Testing Services

URM is able to provide penetration testing services against all assets associated with your organisation, location or service.  With our CREST-accreditation to validate the trustworthiness and reliability of our pen testing services, you can engage URM’s highly knowledgeable and practically-skilled team of expert penetration testers to assess any aspect of your organisation’s IT environment.  

Get in touch with our penetration testing experts today to find out more.

CREST LogoPen Test LogoOVS Apps LogoOVS Mobile Logo
Contact Us

The Process of Penetration Testing

URM’s penetration testing is always performed in line with proven, industry recognised methodologies, whilst also evolving alongside the latest cutting-edge techniques. There are 5 key stages to most of our penetration tests:

Stage 1


Before performing the penetration test, the tester will collaborate with you to define an effective and appropriate scope, which meets your needs and goals.

Stage 2

Reconnaissance and information gathering:

Simulating the approach of a malicious actor, URM’s pen testers gathers as much information as possible about your environment.

Stage 3

Vulnerability identification and analysis:

URM’s tester will identify the vulnerabilities that threaten the security of your organisation’s environment and develop an exploitation strategy, both manually and using the latest automated tools.

Stage 4


Drawing on their extensive skills and experience, the tester will attempt to exploit the vulnerabilities they have identified in the previous stage to establish how a genuine threat actor could impact your organisation.

Stage 5

Reporting and debrief:

Following completion of the test, URM’s pen tester will detail their findings in a report and provide a debrief meeting at the end of the assessment to help you navigate the remediation process.

Stage 6


To further assist with the remediation process, URM will provide a free retest within 30 days of the initial assessment of any critical or high-risk vulnerabilities identified.

Contact a Pen Testing Expert Today

URM’s industry-leading penetration testers are committed to delivering high quality, effective penetration testing that enables you to tangibly enhance your security posture.  As a CREST-accredited organisation, you can be assured that any pen testing services you receive from URM are fully aligned with globally recognised best practice.  

Get in touch with our penetration testing experts today to find out more.

CREST LogoPen Test LogoOVS Apps LogoOVS Mobile Logo
Contact Us

Penetration Testing Methods

As well as the different testing types, there are a range of testing methods that can be leveraged. These approaches all come with their own set of benefits attached and will all provide you with valuable outputs that can be used to improve your cyber security measures.

External Testing

External testing establishes the risk to your organisation of an external cyber threat.  The tester will attempt to gain access to your environment by exploiting vulnerabilities they have identified on your organisation’s external assets.

Internal Testing

Internal pen testing evaluates the risk to your organisation of an internal cyber threat.  Here, the tester will start the test with a degree of authorised access (often a low-access user account) that they will then attempt to use to gain further, unauthorised access, and disrupt your environment.

Blind Testing

In a blind penetration test, the tester has no prior knowledge of the system(s) they are targeting.  For example, they may just be sent the organisation’s website URL, and will attempt to discover and exploit vulnerabilities using only this initial information.

Double Blind Testing

Like blind testing, in a double-blind test the tester is not given any information about the system or organisation before the test, however here the organisation’s staff are also unaware that the test is taking place.

Targeted Testing

This penetration testing approach focuses on targeting a particular aspect of the target system, such as a specific application or network, rather than testing a system more broadly or an organisation’s entire IT environment.

Red Team vs Blue Team

In a red team vs blue team pen test, the red team takes on the role of an attacker, attempting to circumvent the organisation’s cyber security defences and compromise their system.  Meanwhile, the blue team defends against the red team’s attack.

What are the Benefits of Penetration Testing?

  • Identifying Vulnerabilities: Pen testing helps to identify vulnerabilities in your systems, networks and applications by simulating attacks.
  • Compliance Requirements: Standards such as the PCI DSS require organisations to undertake regular pen testing to remain compliant.
  • Improve Security Measures: The outputs of a pen test provide valuable insights into the target environment that can be used to eliminate weaknesses and strengthen defences.
  • Enhance Customer Confidence: Demonstrating a commitment to security through regular penetration testing can increase existing or potential clients’ confidence in your ability to protect their sensitive information, thus providing you with a competitive edge in the market.
  • Support Risk Management: Penetration testing provides you with an understanding of your organisation’s security posture and risk exposure. This information is crucial for making informed decisions about risk management and prioritising security investments.

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations  looking to improve their information security, risk management, data protection etc. The webinars  are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR.  All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

WebinarGetting the Most From Your Pen Testing Programme

URM shares its insights, outlining commonly-seen and emerging vulnerabilities and actions you can be taking today.

Read more
Listen to recording
USB stick, Padlock, Keys
WebinarPenetration Tests: Trends and Emerging Threats

URM shares its real-life experiences of the different types of tests and trends it is seeing in terms of vulnerabilities across the different types.

Read more
Listen to recording
USB stick, Padlock, Keys
WebinarMaximising the Benefits from your Penetration Tests

Attend the Free Webinar and learn how to maximise the benefits and minimise the drawbacks of conducting penetration (pen) tests

Read more
Listen to recording
USB stick, Padlock, Keys

Penetration Testing FAQs

How do I decide what to test?

Ideally, the decision on what systems to test should be based on the relevant threat model and the objectives of the test.  For example, if your organisation is offering a business solution for your clients in the form of a web application hosted on AWS and you need to provide assurance to your clients that your solution is secure, you may consider testing the web application from an application layer, but also the underlying infrastructure exposed to the Internet.  You may also consider performing a configuration review of your AWS environment to obtain assurance that different attack vectors are covered.

What tools are used for penetration testing?

Penetration testing tools vary depending on the type of test being conducted, but some of the most commonly-used tools include port scanners, vulnerability scanners, network sniffers, web proxy servers and specific wireless adapters.

What’s the difference between penetration testing and vulnerability scanning?

Vulnerability scanning is an automated process that identifies potential security vulnerabilities in a system, while penetration testing is a manual process that attempts to exploit the identified vulnerabilities in order to gain access to the system.  Vulnerability scans are an excellent way to identify missing patches, vulnerable system configurations and vulnerabilities that can be found in an automated way.  However, they lack human intelligence, they lack context, can be prone to false positives and may have adverse effects when testing with high privileges.  A penetration test can complement a vulnerability scan by adding the human element.  This allows penetration testers to identify vulnerabilities that require an understanding of the context, to chain together multiple vulnerabilities to obtain a higher impact, perform privilege escalation or lateral movement after exploiting a vulnerability to access more data and systems.  Penetration tests can help assess the business impact that the organisation may suffer in the event that these vulnerabilities were exploited by a malicious attacker.

What is the cost of penetration testing?

The cost of penetration testing can vary according to the scope and complexity of the test.  Generally, the cost of a penetration test can range from a few thousand pounds to tens or hundreds or thousands of pounds.

Read more
Penetration Testing FAQ

Speak to a Penetration Testing Expert

As a CREST-accredited organisation, URM is able to provide reassurances that all the policies, processes and procedures which underpin its cyber security penetration testing have been independently assessed and deemed to be fit for purpose.

Speak to one of our experts for more information on how we can help you. Simply call 0118 206 5410 or request a call back using the form below.

How to Get the Most From Your Penetration Tests

Published on

URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
The Role of Penetration Testing in Preventing Ransomware Attacks

URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
What Do You Do After a Security Incident?

URM’s blog discusses the testing, assessments, exercises and reviews you can conduct following a cyber security incident to strengthen your security posture.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
What Role does Penetration Testing Play in Preventing Unauthorised Access?

The consequences of unauthorised access are varied. Apart from financial losses, there is a loss of customer confidence. Can penetration testing prevent this?

Read more
URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.