Penetration Testing
Penetration testing, also known as pentesting, is a controlled process of simulating a real attack on an IT system, application, or network infrastructure to detect security vulnerabilities. Security testers, taking on the role of potential attackers, attempt to breach system security while maintaining ethical conduct.
What is Penetration Testing?
TL;DR — what is penetration testing (pentest)
Penetration testing (pentest) is an authorised, controlled simulation of an attack on IT systems, applications, networks, or processes to identify vulnerabilities before an attacker does. Pentests are performed by certified ethical hackers (OSCP, CRTO, CEH, GPEN, CRTP) using methodologies like OWASP, PTES, NIST SP 800-115, OSSTMM.
- Types in 2026: 8 main — web / API / network / Wi-Fi / cloud / mobile / physical / red team + BAS (Breach Attack Simulation).
- Models: black-box (zero knowledge), grey-box (limited credentials), white-box (full source + access).
- Regulatory drivers: DORA Art. 26 TLPT (Threat-Led Penetration Testing), NIS2 Art. 21, PCI DSS 4.0 Req 11.4, ISO 27001:2022 A.8.8.
- Output: prioritised findings with CVSS scores, PoC exploits, business impact analysis, and remediation roadmap.
Pentest types — comparative table 2026
| Pentest type | Scope | Goal | Methodology | Duration | Typical cost (USD) |
|---|---|---|---|---|---|
| Web application | Single web app | OWASP Top 10, business logic | OWASP WSTG, PTES | 5-15 days | $5-25K |
| API | REST / GraphQL / gRPC endpoints | OWASP API Top 10 2023, BOLA / BFLA | OWASP API Testing | 4-12 days | $4-20K |
| Network / Infrastructure | LAN / WAN / AD / DMZ | Lateral movement, AD escalation | PTES, NIST 800-115 | 7-21 days | $8-40K |
| Wi-Fi | WPA2/3, captive portal, Evil Twin | Rogue AP, deauth, EAPOL | OWASP Wi-Fi Testing | 3-7 days | $4-12K |
| Cloud (AWS / Azure / GCP) | IAM, S3, Lambda, RDS, K8s, OAuth | Misconfig, lateral, escalation | OWASP Cloud Top 10 | 7-15 days | $6-30K |
| Mobile (iOS / Android) | App + backend + IPC | OWASP MASVS / MASTG | OWASP MSTG | 7-15 days | $6-25K |
| Physical | Building, server room, badge cloning | Tailgating, lock bypass, USB drop | OSSTMM PHY | 2-5 days | $5-15K |
| Red Team | Full kill chain, multi-vector | TIBER-EU, MITRE ATT&CK | TIBER-EU, CBEST, DORA TLPT | 4-12 weeks | $40-250K+ |
Goals of Penetration Testing
- Identifying vulnerabilities and security gaps
- Evaluating the effectiveness of existing protection mechanisms
- Verifying system resistance to various types of attacks
- Providing a realistic assessment of potential consequences of a successful attack
- Meeting regulatory requirements and industry standards
Types of Penetration Testing
- Black box: Testers have no knowledge about the system
- White box: Testers have full knowledge about the system
- Grey box: Testers have partial knowledge about the system
- External: Testing from an external attacker’s perspective
- Internal: Testing from the perspective of someone with internal network access
- Web application tests: Focused on internet application security
- Network infrastructure tests: Examining network and network device security
Penetration Testing Process Stages
- Planning and reconnaissance
- Scanning and analysis
- Gaining access
- Maintaining access
- Results analysis and reporting
Tools Used in Penetration Testing
- Nmap: Network scanning
- Metasploit: Framework for vulnerability exploitation
- Burp Suite: Web application security testing
- Wireshark: Network traffic analysis
- John the Ripper: Password cracking
- OWASP ZAP: Web application vulnerability scanning
Benefits of Penetration Testing
- Identifying real security threats
- Prioritizing remediation actions
- Meeting regulatory requirements and industry standards
- Increasing security awareness in the organization
- Verifying existing security effectiveness
Challenges in Penetration Testing
- Potential risk of disrupting production system operations
- Need for highly qualified specialists
- Time and budget constraints
- Difficulties in simulating all possible attack scenarios
- Need for regular test repetition due to changing threats
Differences Between Penetration Testing and Other Security Testing Methods
- Penetration testing vs. vulnerability scanning: Penetration testing is more comprehensive and includes attempts to exploit found vulnerabilities
- Penetration testing vs. security audit: Audits focus on evaluating compliance with policies and standards, while penetration testing simulates real attacks
- Penetration testing vs. automated testing: Penetration testing combines automation with manual analysis and creative tester approach
Best Practices in Penetration Testing
- Clearly defining test scope and objectives
- Obtaining appropriate consents and authorizations before starting tests
- Using ethical testing methods
- Thoroughly documenting all actions and findings
- Prioritizing found vulnerabilities and providing practical recommendations
- Regularly conducting tests, especially after significant system changes
- Collaboration between security, development, and operations teams for effective fix implementation
Penetration testing is a key element of a comprehensive security strategy, allowing organizations to proactively detect and eliminate potential threats before they are exploited by real attackers.
A brief history of penetration testing (1965 → 2026)
Penetration testing as a discipline traces back to the seminal 1965 Willis Ware paper at the RAND Corporation, which first articulated the threat model for time-sharing computer systems and recommended “penetration studies” by trusted personnel. The 1970 Anderson Report for the US Air Force formalised the concept and introduced Tiger Teams — small, elite groups tasked with breaking into defence systems to validate security controls.
The 1990s saw pentesting move into the commercial sector with the rise of the public Internet, the birth of L0pht Heavy Industries, and Microsoft’s internal red teams. In 2001, the OWASP Foundation launched, releasing the first OWASP Top 10 in 2003 and standardising web application testing methodology with the OWASP Testing Guide (WSTG). NIST SP 800-115 (“Technical Guide to Information Security Testing and Assessment”) followed in 2008, and the Penetration Testing Execution Standard (PTES) in 2014 provided the first community-driven phase-based methodology.
The 2010s introduced cloud-native pentesting (AWS, Azure, GCP), the MITRE ATT&CK framework (2013), and frameworks like TIBER-EU (2018) and CBEST (Bank of England, 2014) for intelligence-led red teaming of critical financial infrastructure. The 2020s have accelerated the discipline with AI-augmented pentesting (Burp Suite AI Assistant, Microsoft Security Copilot, Nuclei AI templates), continuous pentest platforms (Pentera, Cobalt PtaaS, Synack), and DORA TLPT entering force in January 2025 for EU financial entities. The next frontier is LLM / AI pentesting (OWASP LLM Top 10), Web3 / smart contract auditing, and IoT / OT pentesting aligned with the Purdue model.
Goals of penetration testing — what we actually accomplish
A well-scoped pentest delivers five concrete business outcomes, not just a vulnerability list:
- Identify exploitable vulnerabilities before attackers do. A scanner reports CVEs; a pentester chains them into a real attack path (e.g. SSRF → cloud metadata → IAM key → cross-account assume-role → data exfil). Only manual exploitation surfaces business-logic flaws (IDOR, race conditions, broken workflows) that automated tools cannot detect.
- Validate that security controls function as intended under attack. WAF rules trigger, EDR detects shellcode, SIEM correlates events, MFA prevents bypass, DLP blocks exfiltration. A pentest is the only realistic way to verify that the defence-in-depth stack actually works against a determined adversary — not just in the architecture diagram.
- Meet regulatory and contractual compliance. PCI DSS 4.0 Req 11.4 (annual + after significant change), ISO/IEC 27001:2022 control A.8.8 (technical vulnerability management) and A.8.29 (security testing during development), NIS2 Article 21, DORA Article 26 (TLPT for significant financial entities every 3 years), HIPAA Security Rule 45 CFR §164.308(a)(1), GDPR Article 32(d), SOC 2 CC4.1, PSD2 RTS SCA, NIST CSF 2.0, CMMC 2.0 Level 3, and customer security questionnaires (CAIQ, SIG Lite).
- Train the blue team and improve detection. Every pentest is a live-fire exercise for the SOC. Purple team engagements explicitly pair red operators with blue defenders in real time, measuring MTTD (mean time to detect) and MTTR (mean time to respond) against MITRE ATT&CK TTPs — see /en/glossary/blue-team/ and /en/glossary/purple-team/.
- Provide risk-prioritised input for security investment. Findings are scored with CVSS 3.1 / 4.0 plus a business-impact multiplier (data sensitivity, system criticality, exploit complexity). This drives roadmap decisions — patch sequence, compensating controls, architectural changes, additional logging — and gives the CISO defensible data for board reporting.
Pentest models — black-box, grey-box, white-box
The information disclosure model dramatically affects scope, cost, and realism:
- Black-box — the pentest team receives only the target name or URL. No credentials, no source code, no architecture diagrams. This is the most realistic simulation of an external opportunistic attacker, but the most time-consuming (60-70% of effort spent on reconnaissance and discovery). Recommended for high-value targets after the organisation has matured (post-OSCP-level findings).
- Grey-box — the most popular model in 2026 (~70% of pentests). Testers receive limited credentials (standard user account, sometimes admin), basic architecture overview, and API documentation. Balances realism with efficiency — testers can quickly reach authenticated attack surface without burning days on unauthenticated enumeration. Optimal for web app, API, and internal AD engagements.
- White-box (also called crystal-box or full-disclosure) — testers receive complete source code, architecture diagrams, threat models, IAM policies, and admin credentials. Goal is the deepest possible coverage, including secure code review aligned with OWASP ASVS L2/L3. Less realistic as a threat model, but invaluable for pre-launch hardening of critical systems and for satisfying ISO 27001:2022 A.8.29 secure development testing.
Pentest types in detail
Web application penetration testing
Tests against the OWASP Top 10 2021 (Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Auth Failures, Software & Data Integrity Failures, Logging Failures, SSRF) plus business logic flaws, IDOR, XXE, race conditions, prototype pollution, and HTTP request smuggling. Tools: Burp Suite Pro, OWASP ZAP, sqlmap, wfuzz, ffuf, Caido. Aligned with OWASP WSTG v4.2 and OWASP ASVS levels 1-3. Typical engagement: 5-15 days, $5-25K USD.
API penetration testing
Focuses on OWASP API Security Top 10 2023 — BOLA (Broken Object Level Authorisation), Broken Authentication, BOPLA (Broken Object Property Level Authorisation), Unrestricted Resource Consumption, BFLA (Broken Function Level Authorisation), Server-Side Request Forgery (SSRF), Security Misconfiguration, Lack of Protection from Automated Threats, Improper Inventory Management, and Unsafe Consumption of APIs. Covers REST, GraphQL (introspection abuse, query depth, batch attacks), gRPC, SOAP, JWT misconfiguration (alg=none, weak HS256 secrets, key confusion), and OAuth 2.0 attacks. See deep dive at /en/glossary/api-penetration-testing/.
Network / Infrastructure penetration testing
Split into external (internet-facing — firewall, VPN, RDP, mail relays, exposed services) and internal (LAN — once an attacker has a foothold via phishing or a rogue insider). Internal pentests focus heavily on Active Directory escalation — Kerberoasting, AS-REP roasting, NTLM relay, LLMNR/NBT-NS poisoning (Responder), DCSync, Golden / Silver / Diamond / Sapphire Ticket attacks, ADCS misconfigurations (ESC1-ESC11), and lateral movement mapped with BloodHound, SharpHound, and CrackMapExec. Tools: Nmap, masscan, naabu, Impacket, Mimikatz, Rubeus, Certify.
Wi-Fi penetration testing
Covers WPA2-PSK / WPA3-SAE / WPA2-Enterprise (EAP-TLS, EAP-PEAP), captive portal bypass, Evil Twin / Rogue AP attacks, deauthentication DoS, EAPOL 4-way handshake capture and offline cracking (hashcat -m 22000), PMKID attacks, KARMA, KRACK, Dragonblood. Tools: aircrack-ng suite, hcxdumptool, bettercap, WiFiPineapple. Methodology aligned with OWASP Wi-Fi Testing Guide. Typical: 3-7 days, $4-12K.
Cloud penetration testing (AWS / Azure / GCP)
The fastest-growing pentest category in 2026. Targets IAM misconfigurations (overly permissive policies, role-chaining, confused deputy), S3 / Blob / Cloud Storage public exposure, OAuth phishing and consent grant attacks (Microsoft 365), Lambda / Azure Functions / Cloud Functions privilege escalation, EKS / AKS / GKE breakout (pod escape, service account token abuse), secrets in CI/CD pipelines (GitHub Actions, Azure DevOps, GitLab CI), and cross-account assume-role chains. Tools: ScoutSuite, Pacu (AWS), MicroBurst (Azure), GCPBucketBrute, CloudGoat (training), Prowler, PowerZure, Kubernetes goat, kube-hunter. Aligned with OWASP Cloud Top 10 and MITRE ATT&CK for Cloud.
Mobile penetration testing (iOS / Android)
Tests both the mobile binary (static analysis, decompilation, hardcoded secrets, weak crypto) and runtime (instrumentation, hooking, jailbreak / root detection bypass) plus the backend API consumed by the app. Aligned with OWASP MASVS L1 / L2 + R (Resilience) and OWASP MASTG (Mobile Application Security Testing Guide). Common findings: certificate pinning bypass, insecure deep links, exported components (Android Activities / Services / BroadcastReceivers / ContentProviders), insecure IPC, plaintext SharedPreferences / NSUserDefaults, biometric bypass. Tools: Frida, Objection, MobSF, JADX, Hopper, Ghidra, Burp Suite mobile.
Physical penetration testing
The only pentest category that exits the keyboard. Tests building access controls — tailgating, badge cloning (Proxmark3 for HID Prox / iCLASS, Flipper Zero for 125 kHz cards), lock picking and bypassing (bump keys, under-door tools, LAN turtle drop), server room access, dumpster diving for sensitive documents, on-site social engineering (impersonating delivery / IT / fire inspector), and USB drop campaigns with payload-laden BadUSB / Rubber Ducky devices. Methodology: OSSTMM PHY (Physical Security Testing).
Red team engagement
Multi-vector, multi-week, objective-driven simulation of a real adversary aligned with MITRE ATT&CK TTPs and full Cyber Kill Chain (Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives). Tests people, process, and technology simultaneously — including the blue team’s detection and response capabilities. C2 frameworks: Cobalt Strike, Mythic, Sliver, Brute Ratel, Havoc, Empire. Regulatory frameworks: TIBER-EU (ECB, 2018), CBEST (UK Bank of England, 2014), DORA TLPT (EU 2025+), iCAST (Hong Kong), AASE (Saudi Arabia). See /en/glossary/red-team/ for full deep dive. Typical: 4-12 weeks, $40-250K+.
Breach Attack Simulation (BAS)
Continuous, automated adversary emulation that runs 24/7 in production. Complements (does not replace) periodic pentests by providing always-on validation of detection and prevention controls. Leading platforms in 2026: AttackIQ, SafeBreach, Cymulate, Picus Security, Pentera, XM Cyber. BAS maps results directly to MITRE ATT&CK, providing a heatmap of which TTPs the organisation can detect, block, or neither.
Social engineering / phishing simulation tests
Authorised phishing campaigns, vishing (voice phishing), smishing (SMS), and OSINT-driven spear-phishing to measure the human risk factor. Platforms: GoPhish, King Phisher, KnowBe4, Proofpoint PSAT, Hoxhunt. Measure click rate, credential submission rate, and incident-reporting rate. See /en/glossary/phishing/ and /en/glossary/spear-phishing/.
Pentest methodology — the 7-phase standard process
Industry consensus combines PTES, OSSTMM, NIST SP 800-115, and OWASP WSTG into a 7-phase process:
- Pre-engagement — define scope (in-scope hosts / apps / URLs; explicitly out-of-scope items), Rules of Engagement (ROE), Authorisation Letter (“get-out-of-jail card”) signed by an executive with authority, escalation contacts, blackout windows, communication channels (Signal / encrypted email), and reporting cadence.
- Reconnaissance — passive OSINT (Shodan, Censys, theHarvester, FOFA, ZoomEye, WHOIS, certificate transparency logs crt.sh, Google dorks, LinkedIn, GitHub recon for leaked secrets via trufflehog / gitleaks) and active (DNS enumeration with amass, subfinder, dnsx, assetfinder; ASN mapping with asnmap).
- Scanning + enumeration — port scanning (Nmap, masscan, naabu, rustscan), service version detection, vulnerability scanning (Nessus, OpenVAS, Nuclei with 8,000+ templates, Greenbone), web spidering and content discovery (Burp Suite Pro, OWASP ZAP, ffuf, gobuster, feroxbuster, katana).
- Exploitation — manual exploit development, Metasploit Framework, Hydra (credential spraying), SQLMap, Impacket (NTLM relay, secretsdump, smbexec), CrackMapExec / NetExec, BloodHound for AD attack paths, Responder for LLMNR poisoning, evil-winrm, custom exploits compiled from CVE PoCs.
- Post-exploitation — privilege escalation (LinPEAS, WinPEAS, PowerUp, PEASS-ng), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, RDP / WinRM / WMI / DCOM pivoting), data access validation (find but do not exfiltrate sensitive PII / PHI / cardholder data — flag and report only), persistence simulation (scheduled tasks, services, Run keys, WMI event subscriptions) only when scope explicitly authorises.
- Reporting — executive summary (1-2 pages, board-readable, risk in business terms), technical findings with CVSS 3.1 / 4.0 score + business impact multiplier, reproducible PoC screenshots and step-by-step instructions, prioritised remediation roadmap (P0 / P1 / P2 / P3), strategic recommendations (architectural, process, training).
- Retest — verify remediation, regression-check that fixes did not introduce new vulnerabilities, update CVSS scores, deliver final clean report. Most contracts include 1-2 retests within 30-90 days.
Standards and methodologies — full reference
- OWASP WSTG (Web Security Testing Guide v4.2) — web app
- OWASP MASTG / MASVS — mobile
- OWASP ASVS Level 1 / 2 / 3 — application verification
- OWASP API Security Top 10 2023 — API
- OWASP Cloud Top 10, OWASP IoT Top 10, OWASP LLM Top 10
- PTES (Penetration Testing Execution Standard)
- NIST SP 800-115 — Technical Guide to Information Security Testing
- NIST SP 800-53 Rev 5 controls testing
- OSSTMM v3 (Open Source Security Testing Methodology Manual)
- ISSAF (Information Systems Security Assessment Framework)
- TIBER-EU — ECB threat-led pentest framework
- CBEST — UK Bank of England intelligence-led red team
- DORA TLPT — EU finance Art. 26 (effective Jan 2025)
- MITRE ATT&CK v15+ — TTPs and detection mapping
- Cyber Kill Chain — Lockheed Martin
- MITRE D3FEND — defensive countermeasure framework
- NIST CSF 2.0 — Cybersecurity Framework
Pentest certifications in 2026
The certification landscape signals tester capability and is often a contractual requirement for regulated industries:
- OSCP (Offensive Security Certified Professional) — the hands-on industry standard, 24-hour practical exam
- OSWE (Offensive Security Web Expert), OSEP (Experienced Penetration Tester), OSED (Exploit Developer), OSWP (Wireless Professional), OSEE (Exploitation Expert), OSCE3 (Triple Cert holder)
- CRTO (Certified Red Team Operator) — Zero-Point Security; modern C2 / Cobalt Strike focus
- CRTL (Certified Red Team Lead) — Zero-Point Security advanced
- CRTP / CRTE / CRTM (Certified Red Team Professional / Expert / Master) — Altered Security; Active Directory specialisation
- CEH v13 (Certified Ethical Hacker) — EC-Council; broader but less hands-on
- GPEN, GWAPT, GMOB, GXPN, GCPN, GAWN — SANS GIAC certifications
- CISSP, CISM, CISA — management-level, signal seniority
- PNPT (Practical Network Penetration Tester) — TCM Security; emerging favourite
- CompTIA PenTest+ — vendor-neutral entry / intermediate
- CREST CRT / CCT / CCSAS / CCT-INF / CCT-APP — required for TIBER-EU and DORA TLPT engagements in many EU jurisdictions
- TIBER-EU certified provider — ECB-aligned framework
Compliance and regulatory drivers 2026
- PCI DSS 4.0 Req 11.4 — annual pentest mandatory for cardholder data environments, plus after any significant change. Internal + external scope required.
- ISO / IEC 27001:2022 — control A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development and acceptance) explicitly require regular pentesting aligned with risk.
- NIS2 Article 21 (EU Directive 2022/2555) — risk management measures for essential and important entities; in force since October 2024.
- DORA Article 26 + 27 (EU Regulation 2022/2554) — Threat-Led Penetration Testing (TLPT) mandatory every 3 years for significant financial entities; effective January 2025; uses TIBER-EU as the operational framework.
- HIPAA Security Rule — 45 CFR §164.308(a)(1) requires regular security risk analysis for healthcare PHI handlers.
- GDPR Article 32(d) — “regular testing, assessing and evaluating the effectiveness” of technical measures.
- SOC 2 Trust Services Criteria CC4.1 — entity monitors controls; pentesting commonly used as evidence.
- PSD2 RTS SCA — strong customer authentication testing for payment service providers.
- NIST CSF 2.0 — published Feb 2024, includes PR.IR and DE.CM domains.
- CMMC 2.0 — US defence supply chain, Level 3 requires third-party assessment.
- OWASP SAMM — Software Assurance Maturity Model.
- KNF Rekomendacja D / U — Polish Financial Supervision Authority IT security recommendations.
Pentest vs other security testing methods
- Pentest vs vulnerability scan — scans are automated and report known CVEs; pentests are human-driven, chain vulnerabilities into real attack paths, and demonstrate business impact. Use both: continuous scanning for breadth, annual pentest for depth. See /en/glossary/vulnerability-scanner/.
- Pentest vs red team — pentest seeks maximum vulnerability coverage in defined scope (1-4 weeks); red team simulates a specific adversary end-to-end to test detection and response (4-12 weeks). See /en/glossary/red-team/.
- Pentest vs purple team — purple team is collaborative red + blue with real-time knowledge transfer and detection-rule tuning. See /en/glossary/purple-team/.
- Pentest vs bug bounty — bug bounty is crowdsourced, continuous, pay-per-finding (HackerOne, Bugcrowd, YesWeHack, Intigriti); pentest is time-boxed, contracted, comprehensive. Bug bounties scale breadth; pentests guarantee depth and coverage.
- Pentest vs BAS (Breach Attack Simulation) — BAS is automated, continuous, MITRE ATT&CK-mapped; pentest is human-driven, creative, finds novel attack paths BAS cannot. Complementary.
- Pentest vs tabletop exercise — tabletops are paper-based incident response drills with stakeholders; pentests are live attacks against real systems. Both required for resilience.
- Pentest vs security audit — audit is broader (documentation review + interviews + policy compliance + sometimes light technical testing); pentest is purely offensive technical work. See /en/glossary/security-audit/ and /en/glossary/it-security-audit/.
- Pentest vs source code review — code review (SAST) reads source for vulnerabilities; pentest attacks running systems (DAST). White-box pentests combine both. See /en/glossary/source-code-vulnerability-analysis/.
2026 trends in penetration testing
- AI-augmented pentesting — Burp Suite AI Assistant (PortSwigger, 2024), Microsoft Security Copilot for pentest workflows, Nuclei AI-generated templates, ChatGPT / Claude / Gemini for payload generation and report drafting. AI accelerates reconnaissance and reporting; does not yet replace skilled humans for exploit chaining.
- Continuous / on-demand pentest (PtaaS — Pentest-as-a-Service) — platforms like Cobalt, Synack Red Team, Bugcrowd Pentest, HackerOne PenTest, Pentera enable rolling pentests with shorter cycles and faster remediation feedback loops.
- BAS integration — AttackIQ, SafeBreach, Cymulate, Picus, XM Cyber increasingly chained with traditional pentests for continuous validation.
- Cloud-native + Kubernetes specialisation — dedicated cloud pentest practices (Bishop Fox, NCC Group, Trail of Bits, Mandiant, IOActive) growing fastest by revenue.
- IoT / OT pentest — ICS-CERT advisories, Purdue model alignment, Stuxnet / Industroyer / Triton lessons applied. Specialised firms (Claroty, Nozomi, Dragos, Yarix) lead.
- Supply chain pentest — post-SolarWinds (2020), Log4Shell (2021), MOVEit (2023), 3CX (2023) attacks, dependency confusion, typosquatting, and SBOM analysis are now standard pentest scope additions.
- DORA TLPT explosion — EU finance sector ramping TLPT engagements from Jan 2025; expected 10-20x growth in TIBER-EU certified provider revenue 2025-2027.
- AI / LLM pentest — OWASP LLM Top 10 (2023, updated 2025) — prompt injection, insecure output handling, training data poisoning, model denial of service, supply chain (Hugging Face models), sensitive information disclosure, insecure plugin design, excessive agency, overreliance, model theft. Tools: garak, PyRIT (Microsoft), Promptfoo, Vigil.
- Web3 / blockchain pentest — smart contract audits by Trail of Bits, ConsenSys Diligence, CertiK, OpenZeppelin, Halborn, Quantstamp. Tools: Slither, Mythril, Echidna, Manticore, Foundry.
- Quantum-readiness pentest — early-stage testing of post-quantum cryptography (NIST PQC standards finalised 2024: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, SPHINCS+) migration paths.
How nFlo conducts penetration tests
nFlo delivers manual, human-led penetration testing across all 8 categories above, performed exclusively by OSCP / CRTO / CRTP / CEH-certified senior testers with average 8+ years of offensive security experience. nFlo’s metrics across 200+ clients and 500+ delivered projects include a <15 minute average reaction time to critical findings discovered mid-test and 98% client retention — measured commitment to long-term security partnerships rather than one-off audits.
Engagement model: fixed-scope SOW with clear deliverables, NDA-protected communications via encrypted channels (Signal / PGP / encrypted email), TLP:RED report classification, redacted public version for compliance evidence, and post-test debrief workshops with the client’s blue team for knowledge transfer. nFlo maintains methodology alignment with OWASP WSTG, PTES, OSSTMM, NIST SP 800-115, and MITRE ATT&CK; reporting templates are designed for PCI DSS 4.0, ISO 27001:2022, NIS2, DORA TLPT, SOC 2, and HIPAA auditor consumption.
Frequently asked questions
What is penetration testing in simple terms?
Penetration testing (pentest) is a controlled, authorised simulation of a real cyberattack on an IT system, application, network, or organisation — performed by ethical hackers to discover security vulnerabilities before malicious attackers do. The pentester takes the perspective of an attacker, uses real attack tools and techniques, and produces a report with findings, severity ratings, and remediation advice. Penetration testing is required or strongly recommended by PCI-DSS, ISO 27001, SOC 2, NIS2, DORA, HIPAA, and most enterprise customer security questionnaires. Mature organisations test annually for major systems and after every significant change.
What are the main types of penetration testing?
By scope: (1) **Web application pentest** — most common, OWASP Top 10 focus, $10K-50K, (2) **Mobile application pentest** — iOS/Android binary analysis + runtime + API, $15K-60K, (3) **API pentest** — REST/GraphQL/SOAP, increasingly common, $10K-40K, (4) **External network pentest** — internet-facing infrastructure, $5K-30K, (5) **Internal network pentest** — Active Directory, lateral movement, $15K-80K, (6) **Cloud pentest** (AWS/Azure/GCP) — IAM, configurations, services, $20K-100K, (7) **Wireless pentest** — Wi-Fi, Bluetooth, $5K-15K, (8) **Social engineering** — phishing, vishing, physical, $10K-50K, (9) **OT/ICS pentest** — industrial systems with extreme caution, $30K-200K. By information given: **Black box** (no info, like real attacker), **Grey box** (basic info, most common), **White box** (full source code + architecture, deepest).
What is the penetration testing methodology?
Six-phase methodology (combines OWASP Testing Guide, OSSTMM, NIST SP 800-115, PTES): (1) **Pre-engagement** — scope definition, rules of engagement, target lists, contact protocols, legal authorisation, (2) **Reconnaissance** — passive (OSINT, public sources) and active (port scans, service enumeration), (3) **Scanning and enumeration** — vulnerability identification with tools (Nmap, Nessus, Burp Suite), (4) **Exploitation** — attempting to gain access using identified vulnerabilities; controlled to avoid damage, (5) **Post-exploitation** — privilege escalation, lateral movement, persistence simulation, data sensitivity demonstration, (6) **Reporting** — executive summary + technical detail + reproducible PoCs + prioritised remediation roadmap. Industry standards: OWASP WSTG (web), OWASP MASTG (mobile), MITRE ATT&CK alignment for findings.
What is the difference between pentesting and a vulnerability scan?
Two distinct activities: (1) **Vulnerability scan** — automated tool (Nessus, Qualys, Rapid7) scans systems and reports known vulnerabilities; fast, scalable, cheap ($1K-5K), but generates false positives and misses chained exploits or business logic flaws, (2) **Penetration test** — human expert manually attempts to actually exploit vulnerabilities, chains them, and demonstrates business impact; slower, more expensive ($5K-100K+), but produces realistic risk picture. Vulnerability scanning is typically continuous (weekly/monthly); penetration testing is periodic (annual or after major changes). Mature programmes use both: scans for breadth and continuous coverage, pentests for depth and realistic risk assessment.
What is the difference between pentesting and red team engagement?
Different goals: **Penetration testing** — find as many vulnerabilities as possible in defined scope; finite duration (1-4 weeks); narrow technical focus; measured by findings count and quality. **Red team engagement** — simulate a real adversary attack on the entire organisation; longer duration (1-3 months); broader scope (network, social engineering, physical); measured by detection time, response effectiveness, and business impact achieved. Red team tests *the defenders* (people, processes, technology) as much as systems. Mature organisations do both: regular pentests for technical findings, periodic red team exercises for resilience testing. **Threat-Led Penetration Testing (TLPT)** under DORA combines elements of both, mandatory every 3 years for significant financial entities.
How much does a penetration test cost?
2026 typical pricing: (1) **Web app pentest** — $10K-50K (40K-200K PLN), depending on size and complexity, (2) **Mobile app pentest** — $15K-60K, (3) **External infrastructure** — $5K-30K, (4) **Internal AD pentest** — $15K-80K, (5) **Full enterprise + AD + cloud** — $50K-250K+, (6) **Red team engagement** — $50K-500K, (7) **TLPT (DORA)** — $200K-2M+ for significant financial entities. Lower bound: 5-10 day basic pentest with single tester. Upper bound: months of work by a multi-person team. Lowest legitimate pricing for 2026 is around $5K-10K — anything below is likely automated scanning marketed as 'pentesting'.
+ What certifications do penetration testers have?
Industry-standard certifications: (1) **OSCP (Offensive Security Certified Professional)** — most widely recognised hands-on cert, 24-hour practical exam, (2) **OSEP, OSWE, OSED, OSWA, OSEE** — Offensive Security advanced specialisations, (3) **CRTO (Certified Red Team Operator)** by ZeroPoint Security — modern red team focus, (4) **CRTL (Certified Red Team Lead)** — advanced red team, (5) **GPEN, GWAPT, GXPN** — SANS/GIAC certifications, (6) **PNPT (Practical Network Penetration Tester)** — TCM Security, popular newer cert, (7) **CISSP, CISM** — broader security, less hands-on but signal seniority, (8) **CRTE, CRTM** — Pentester Academy red team. CREST and TIBER (UK/EU) provide enterprise-grade pentester accreditation. For TLPT (DORA), CREST STAR or TIBER-certified providers are typically required.
+ How often should we run penetration tests?
Frequency depends on regulatory drivers and risk profile: (1) **PCI DSS 4.0 Req 11.4** — at least **annually** AND after any significant change (new app, network segment, infrastructure upgrade) for cardholder data environments, (2) **ISO 27001:2022 A.8.8 + A.8.29** — risk-based, typically **annual** for critical systems, semi-annual for high-exposure web apps, (3) **DORA Art. 26 TLPT** — every **3 years** mandatory for significant financial entities in the EU, plus regular standard pentests in between, (4) **NIS2 Art. 21** — essential/important entities run risk-based testing; most mature orgs adopt an annual cadence, (5) **HIPAA / SOC 2 / SOX** — risk-based, usually annual. Mature programmes combine several layers: weekly continuous vulnerability scanning, BAS (Breach Attack Simulation) running 24/7, a quarterly external infrastructure pentest, an annual full-scope pentest per critical app, plus a red team exercise every 18-36 months. Always retest after major architectural changes, mergers/acquisitions, or significant incidents.
+ Is penetration testing legal?
YES, penetration testing is fully legal **when properly authorised** — but without authorisation it constitutes computer crime under most jurisdictions (Polish Penal Code Art. 267 / 268a, US Computer Fraud and Abuse Act 18 U.S.C. § 1030, UK Computer Misuse Act 1990, EU Directive 2013/40/EU on attacks against information systems). Three documents are mandatory before any pentest begins: (1) **Authorisation letter** ("get-out-of-jail card") — signed by an executive with legal authority over the target systems, naming the testers, scope, and time window, (2) **Rules of Engagement (ROE)** — defines allowed techniques (e.g. no DoS, no destructive actions, no production data exfiltration), escalation contacts, blackout windows, (3) **Master Services Agreement + Statement of Work (SOW)** — contractual liability framework, NDA, insurance. For SaaS or third-party assets, additional approval is needed from the vendor (AWS allows most pentest types without prior approval since 2019; Azure and GCP have their own policies). Testers must immediately stop and report if they encounter out-of-scope systems or evidence of an active prior breach.
+ Which type of penetration test should I choose?
Decision tree based on business driver: (1) **New web app launch / OWASP compliance** → **Web application pentest** (5-15 days, $5-25K, grey-box recommended), (2) **REST/GraphQL API exposure** → **API pentest** (4-12 days, $4-20K, OWASP API Top 10 2023 — BOLA, BFLA, mass assignment) — see /en/glossary/api-penetration-testing/, (3) **Internal Active Directory hardening / lateral movement risk** → **Internal network pentest** (7-21 days, $8-40K, BloodHound + Kerberoasting + NTLM relay), (4) **Cloud migration AWS/Azure/GCP** → **Cloud pentest** (7-15 days, $6-30K, IAM misconfigs, S3 exposure, K8s breakout), (5) **Mobile app on App Store / Google Play** → **Mobile pentest** (7-15 days, $6-25K, OWASP MASVS L1/L2 + R), (6) **DORA / financial sector resilience** → **Red team / TLPT engagement** (4-12 weeks, $40-250K+, TIBER-EU framework), (7) **PCI DSS Req 11.4** → **External + internal infrastructure pentest** annually + after significant changes. For most B2B SaaS companies, start with an annual web + API + external infrastructure pentest. Add a cloud pentest if you run multi-cloud. Add red team exercises once technical pentest findings stabilise and detection (SOC/EDR/SIEM) is mature.