Skip to content
32 Pentesting Methods

title: “[03] CISSP Cheatsheet - Penetration Testing Methods” date: 2026-07-05 authors:

  • Your Name

πŸ“˜ Topic: Penetration Testing Methods

Domain: D7 – Security Operations
Tags: #cissp #pentest #redteam


🧾 Definition

Penetration testing is an authorized, simulated attack against systems, networks, or applications to identify exploitable vulnerabilities and assess the effectiveness of security controls. Common approaches include black-box, gray-box, and white-box testing.


πŸ”‘ Key Points

  • Phases: planning/scoping, reconnaissance, scanning, exploitation, post-exploitation, reporting, and remediation verification.
  • Scopes and rules of engagement must be clear and legally approved.
  • Use testing to validate controls and inform risk-based remediation.
  • Retest after fixes to ensure remediation effectiveness.

⚠️ CISSP Insight

  • CISSP emphasis: testing supports assurance activities and must be governed to avoid unintended disruption or legal exposure.

βš”οΈ Key Difference / Trap

  • Black-box vs Gray-box vs White-box
    • Black-box = tester has no internal knowledge
    • Gray-box = tester has limited knowledge (e.g., credentials)
    • White-box = tester has full knowledge (source code, architecture)
  • Trap: Running intrusive tests in production without approval or rollback plans.

πŸ—οΈ Example

An external firm performs a scoped web application pentest under an RoE, finds an authentication bypass, and the internal team builds a patch and validates the fix with a retest.


πŸ“š References

  • NIST SP 800-115 β€” Technical Guide to Information Security Testing and Assessment
  • OWASP Testing Guide and ASVS
  • ISO/IEC 27001 and 27002 related controls

πŸ” Quick Recall

  • Pentest = authorized attack simulation; plan scope, follow RoE, and retest after fixes