There are different methods of PEN testing depending on your requirements. They are called black box, grey box, and white box tests.
A black box test is a complete assault test in which you do not provide any information about your infrastructure. You may provide no more than a URL or even just the company name. Our testers behave like real hackers and test IT systems, the behavior of employees (social engineering) and physical security (building security, data center security, etc.).
In contrast, in a white box test we receive extensive information about the target (e.g., network maps, source code or internal information that is available to every employee) so that we can focus on certain areas, identify specific weak points and design protection measures.
A grey box test is a combination of the two opposite methods. In this scenario, we have access to partial information (e.g., user information of a conventional user) and check what can be done with this piece of information, for example whether security measures can be circumvented and higher rights gained to steal valuable information.
The white box test is ideal for initial testing because it gives us a holistic overview of your systems and infrastructure and therefore makes sure that most, if not all, existing vulnerabilities will be found and can be fixed.
It is important to recognize that a PEN test is always just a snapshot in time. If a new release or just a software update goes live after our testers have left, new problems might be introduced that were not covered in the previous test. And we all know it will happen: just look at how many problems a simple operating system update introduces to your computer.
Therefore, an initial test needs to be followed by supporting measures such as a comprehensive penetration testing program, which may include additional services like a bug bounty program.