6.5.2. Penetration Testing
💡 First Principle: Penetration testing validates security by simulating real attacks. Unlike vulnerability scanning (which finds known weaknesses), penetration testing exploits vulnerabilities, chains them together, and demonstrates actual business impact.
Testing types by knowledge level:
- Known-environment (white box): testers have full knowledge of the target (architecture, source code, credentials). Most thorough, but least realistic from an attacker's perspective.
- Unknown-environment (black box): testers have no prior knowledge, simulating an external attacker. Most realistic, but may miss vulnerabilities because of time constraints.
- Partially known (gray box): testers have some information (user-level credentials, network diagrams). Balances thoroughness with realism.
Offensive vs. defensive teams:
- Red team: offensive team simulating attackers, using real-world TTPs (tactics, techniques, and procedures) to test defenses.
- Blue team: defensive team detecting and responding to the red team's activities. Tests SOC effectiveness.
- Purple team: collaborative approach in which the red and blue teams share information during the exercise to maximize learning. The red team shows how it bypassed controls; the blue team adjusts defenses in real time.
Physical penetration testing: testing physical security controls, such as tailgating into buildings, attempting badge cloning, testing access control vestibules, and social engineering reception staff.
Rules of engagement: a formal agreement defining the scope, boundaries, timing, and legal authorization for penetration testing. Critical for ensuring testing stays within approved limits and doesn't damage production systems.
Reconnaissance precedes active testing: passive reconnaissance gathers publicly available information (OSINT: domain records, social media, job postings revealing the technology stack) without touching the target. Active reconnaissance directly probes the target (port scans, service enumeration). The testing methodology typically follows: reconnaissance → scanning → gaining access → maintaining access → covering tracks → reporting.
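The rules-of-engagement and reconnaissance points above can be made concrete as a pre-flight scope check that a testing team runs before every action. This is an added example, not code from the original notes; the ROE fields, the sample networks, dates and activity names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class RulesOfEngagement:
    in_scope: list            # networks/hosts the client authorized (CIDR strings)
    excluded: list            # carve-outs that must never be touched
    window_start: datetime    # approved testing window, UTC
    window_end: datetime
    allowed_activities: set   # e.g. {"passive_recon", "active_recon", "exploitation"}

# Constructed sample ROE, not from any real engagement.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/16"],
    excluded=["10.10.5.20/32"],                 # e.g. the production database host
    window_start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, tzinfo=timezone.utc),
    allowed_activities={"passive_recon", "active_recon"},  # no exploitation this round
)
DURING_WINDOW = datetime(2024, 3, 3, 14, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)

def _covered(addr, networks):
    """True if addr falls inside any of the given CIDR strings."""
    return any(addr in ip_network(n, strict=False) for n in networks)

def check_action(roe, activity, when, target_ip=None):
    """Pre-flight check: return (allowed, reason) for one proposed test action."""
    if activity not in roe.allowed_activities:
        return False, f"activity '{activity}' is not authorized by the ROE"
    if activity == "passive_recon":
        # Passive recon uses only public sources and never touches the target,
        # so the per-host and time-window limits do not apply.
        return True, "passive reconnaissance does not touch the target"
    if not roe.window_start <= when <= roe.window_end:
        return False, "outside the approved testing window"
    addr = ip_address(target_ip)
    if _covered(addr, roe.excluded):            # exclusions win over scope
        return False, f"{target_ip} is explicitly excluded"
    if not _covered(addr, roe.in_scope):
        return False, f"{target_ip} is not in the authorized scope"
    return True, "in scope"
```

Exclusions are evaluated before the in-scope list so a carve-out inside an authorized range is still refused.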
Bug bounty programs offer financial rewards to external researchers who discover and responsibly report vulnerabilities. Unlike formal pen tests (scoped, time-limited, contracted), bug bounties provide continuous testing from diverse perspectives. Many organizations run both: formal pen tests for compliance, bug bounties for ongoing discovery.
⚠️ Exam Trap: Black box = unknown environment (tester knows nothing). White box = known environment (tester knows everything). CompTIA uses "known/unknown environment" rather than "white/black box" in SY0-701; recognize both terminologies. Purple team = collaborative, not adversarial.
