The Different Types of Penetration Testing

Nov 10, 2025

Guide

Understanding Your Attack Surface

Penetration testing isn’t a single, one‑size‑fits‑all activity. Your infrastructure likely includes internet‑facing web applications, internal network segments, cloud accounts, and APIs—each with different threat models and attack vectors. To validate security effectively, you need to test each layer with the right approach.


This guide breaks down the four main types of penetration testing, explains what each covers, and helps you determine which tests your organization needs.

External Penetration Testing

What it is

External penetration testing simulates an attack from the internet, targeting your publicly accessible assets. Testers attempt to identify and exploit vulnerabilities in perimeter defenses before an attacker does.


What it covers

  • Public‑facing web servers and APIs

  • Email servers and file‑sharing endpoints

  • VPN gateways and remote access portals

  • DNS records and subdomain enumeration

  • Exposed cloud services and storage buckets

  • SSL/TLS configuration and certificate issues

When to run it

  • Before a SOC 2 or ISO 27001 audit

  • After deploying new public‑facing infrastructure

  • When preparing for a product launch

  • Quarterly or semi‑annually for rapid validation

What to expect

External tests typically start with reconnaissance—mapping your public footprint through DNS enumeration, port scanning, and service fingerprinting. Testers then probe for common vulnerabilities like outdated software, misconfigurations, and weak authentication. Findings often include unpatched CVEs, exposed admin panels, and information disclosure issues.


Internal Penetration Testing

What it is

Internal testing assumes an attacker has already breached your perimeter—whether through phishing, stolen credentials, or a malicious insider. The goal is to validate what damage they could do once inside.

What it covers

  • Network segmentation and lateral movement

  • Privilege escalation paths

  • Unpatched internal systems

  • Cleartext credentials in file shares

  • Active Directory misconfigurations

  • Database and service account exposure


When to run it

  • When demonstrating compliance with frameworks that require insider threat testing

  • After major network changes or mergers

  • To validate Zero Trust initiatives

  • Annually or when sensitive data locations change


What to expect

Internal tests often reveal overprivileged service accounts, flat networks with no segmentation, and stored credentials that enable lateral movement. Testers simulate an attacker moving from a compromised workstation to high‑value targets like databases, domain controllers, or backup systems.


Web Application Penetration Testing

What it is

Web application testing focuses on the logic, authentication, and data handling of your applications. Unlike external testing that targets infrastructure, this tests how your code handles untrusted input and enforces authorization.


What it covers

  • Authentication and session management

  • Authorization and access control flaws

  • SQL injection, XSS, and other injection attacks

  • Business logic vulnerabilities

  • API security and rate limiting

  • File upload and processing flaws


When to run it

  • Before launching a new application or major feature

  • After security‑critical code changes

  • As part of a secure development lifecycle

  • When preparing for a compliance audit that requires application testing


What to expect

Web app tests uncover issues like broken access control (users accessing other users’ data), injection flaws that allow database manipulation, and authentication bypasses. Testers validate that sensitive operations require proper authorization and that input is sanitized before processing.
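To make the two checks in that last sentence concrete, here is an added example (not code from this guide or from RedVeil) showing a record lookup with broken access control and unvalidated input beside its hardened form. The invoice table, the user names and the amounts are constructed sample data.

```python
import sqlite3

def build_db():
    """Constructed sample data: two users, each owning one invoice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 75)])
    return db

def get_invoice_vulnerable(db, current_user, invoice_id):
    """Broken access control: the caller's identity is never checked, so any
    authenticated user can read any invoice by guessing its id. The id is also
    pasted straight into the SQL text, so untrusted input reshapes the query."""
    query = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return db.execute(query).fetchone()

def get_invoice_hardened(db, current_user, invoice_id):
    """Hardened form: validate the input type, bind it as a parameter instead of
    formatting it into the query, and scope the lookup to the caller's own records
    (object-level authorization). Anything else returns None."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()
```

A web app test exercises exactly this gap: the vulnerable handler hands alice bob's invoice, while the hardened one returns nothing for records she does not own or for ids that are not integers.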


Cloud Penetration Testing

What it is

Cloud testing evaluates the security of your cloud infrastructure—focusing on identity, configuration, and service exposure rather than traditional network vulnerabilities.


What it covers

  • IAM permissions and privilege escalation

  • Publicly accessible storage buckets and databases

  • Misconfigured security groups and network policies

  • Serverless function vulnerabilities

  • Container and Kubernetes misconfigurations

  • Cloud service API abuse


When to run it

  • After migrating workloads to AWS, Azure, or GCP

  • When implementing infrastructure as code

  • Before compliance audits that include cloud scope

  • Quarterly to catch configuration drift


What to expect

Cloud tests often reveal overly permissive IAM policies, publicly exposed S3 buckets or Azure blobs, and security groups that allow broad network access. Testers attempt to escalate privileges through service‑specific misconfigurations and validate that secrets are properly protected.
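As an added example (not from this guide or from RedVeil), the check below flags the two IAM findings named above, wildcard permissions and anonymous principals, in policy documents written in the AWS IAM JSON format. The three policies are constructed samples; the bucket name and paths are placeholders.

```python
import json

# Constructed sample policies (not real accounts or buckets).
PERMISSIVE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-bucket/reports/*"}],
})

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_overly_permissive(policy_json):
    """Return one finding per Allow statement that grants too broadly.
    Deny statements are skipped: a wildcard there narrows access rather than widening it."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        # "*" or "service:*" grants every action (of a service); review is warranted.
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard Action {actions}")
        # Resource "*" is legitimate for a few account-level actions, but paired with
        # broad actions it is the classic over-permissive role.
        if "*" in resources:
            findings.append(f"statement {i}: wildcard Resource")
        # An anonymous principal on a resource policy is what makes a bucket public.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: anonymous Principal (public access)")
    return findings
```

A Condition block can narrow an anonymous principal, so treat a public-access finding as a prompt to review the statement rather than as proof of exposure.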


Mobile Penetration Testing

Stay tuned: while we don’t currently support mobile testing, we hope to share some exciting updates soon!

Mobile application testing evaluates iOS and Android apps for client‑side vulnerabilities, insecure data storage, and API abuse. This includes testing for hardcoded secrets, certificate pinning bypasses, and improper session handling.

Choosing the Right Test

Most organizations benefit from a combination of tests:


Minimum viable security posture

  • External pentest: Validates your public‑facing risk

  • Web application pentest: Covers your core applications


Compliance‑driven programs

  • External or Web Application: Required by most frameworks depending on workload

  • Internal: Can be useful for assumed breach scenarios and to validate alerting and internal controls

  • Cloud: If workloads run in AWS, Azure, or GCP


Mature security programs

  • All types on a rotating schedule

  • Testing regularly after each deployment

  • Retest after remediation to confirm fixes


The RedVeil Advantage

Traditional penetration testing requires scheduling weeks in advance, demands your team’s focus, and leaves you waiting for a final report. RedVeil brings agentic, on‑demand testing across external, internal, web application, and cloud environments.


Run the right test at the right time, see findings as they’re discovered, and retest instantly to validate that fixes actually reduce risk. Whether you need a quick validation before launch or flexible coverage for compliance, RedVeil adapts to your cadence.


Run the Right Tests, On Demand

Understanding the types of penetration testing helps you build a program that actually reduces risk instead of just checking a compliance box. But knowing what to test is only half the battle—you also need a testing approach that keeps pace with your development velocity.


RedVeil eliminates the bottlenecks of traditional penetration testing:


  • Start testing in 5 minutes: Point our AI agents at your web apps, APIs, networks, or cloud—no kickoff meetings or lengthy contracts

  • See real attack paths: Not just a list of vulnerabilities, but how issues chain together to create exploitable risk

  • Get audit-ready reports: Export evidence for SOC 2, ISO 27001, HIPAA, or any compliance framework your auditors require

  • Fix with confidence: Clear remediation guidance in plain English, then one-click retest to prove fixes work

  • Test as often as you need: On-demand testing means you can run external, internal, web app, and cloud testing whenever changes happen—not just once a year

Whether you need to validate your external perimeter before a product launch, run internal testing for compliance, assess web application security after a major release, or audit cloud configurations quarterly, RedVeil adapts to your timeline and budget.

No scheduling delays. No $20k PDFs. No waiting weeks for results. Just professional penetration testing that works the way modern teams ship software.


Ready to see real, exploitable risk? Start your first AI-powered pentest in minutes and discover what attackers could actually do to your systems—before they do it.