...
SECURITY INCIDENT?
We help 24/7, click here

6 Important Questions in Pentesting

6 Important Questions in Pentesting

Penetration tests and code reviews are necessary to demonstrate the resilience and effective operation of the security.

1. What types of pen testing are there?

Penetration tests have 3 different attack scenarios. These are performed to uncover vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps. These scenarios are the Black Box, Grey Box and the White Box. They are briefly explained below. In all cases, pen tests are performed according to international standards at NFIR.

  • Black Box pen test. In comparison, a Black Box audit is the closest thing to a real attack as malicious hackers would perform it. No information has been provided by the client in advance. Our ethical hackers will use open source research (OSINT) to map out your environment. So they can look for vulnerabilities.
  • Grey Box pen test. In this pen test, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, both without and with information.
  • White Box pentest (also called Crystal box). During a White Box audit, all information is provided in advance in order to specifically search for vulnerabilities. Think of source code, defined scope, roles/rights matrix and functionalities list.

Step by step to a secure (online) environment

2. What is the difference between a pen test and a vulnerability scan?

The biggest difference between a pentest and a vulnerability scan concerns the scope of what is examined. A vulnerability scan provides a general picture of how IT security is organised. A pen test provides a more detailed picture of current IT security. A vulnerability scan finds commonly known vulnerabilities, identifies common configuration errors and provides technical risk assessments for each vulnerability. So does a pen test and much more. A pentest provides a more detailed picture of current IT security, focusing on all potential weaknesses. In a pentest, the ethical hacker also actively seeks out vulnerabilities through a dose of creativity. A pentest therefore gives a more complete picture because a hacker does the same during an attack.

3. Why are certified experts needed for penetration testing?

The NFIR pentesters have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements. Furthermore, our pentesters have a large amount of experience, plenty of creativity and up-to-date professional knowledge.

Let us assess your risks!

Find out how safe you really are and contact us today.

Contact about pen testing

4. How long does a pen test take?

How long a pentest takes strongly depends on the environment that needs to be tested and the agreements made with the client about the attack scenarios to be used. To properly perform a pen test, NFIR recommends a minimum of 40 hours. In those 40 hours the environment is tested and the report is written. Would you like appropriate advice for your environment or (web) application? Please contact us for an introductory and intake interview!

5. Which attack scenario best fits my organization, Black box or white box scenario?

With a pentest based on the White Box principle, all information about the environment is shared beforehand. The pen testers can test the environment very specifically, because they know in advance what they are dealing with. This variant leads to a thorough pen test of the client’s environment. A Black Box pentest means that no information about the environment is shared with the pen testers beforehand. However, an area of investigation (scope) is always established, so the pen test is limited. The pen testers work like real hackers in this variant. If you are having a pentest performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.

Black box pen testing hacker organization applications security information

Black Box pentest

A Black Box audit can be compared to a real attack, like hackers would do. No information has been provided by the client in advance. Our ethical hackers will use open source research (OSINT) to map out your environment. So they can look for vulnerabilities.

Grey box pen testing risk hackers automated network penetration test the netherlands

Grey Box Pentest

In this pentest, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, both with and without information. 

white box pentesting ethical hardware vulnerability pentester security audit computer systems

White Box Pentest

(a.k.a. Crystal box). During a White Box audit, all information is provided in advance in order to specifically search for vulnerabilities. Think of source code, defined scope, roles/rights matrix and functionalities list.

Discover Our Pentest Services!
Do you need a thorough pen test for your application, website, IT infrastructure or mobile apps?
NFIR’s experts carefully uncover vulnerabilities.
Contact us directly to see how we can help you!

6. What does a grey-box pen test offer more than a black-box?

A Grey Box Penetration Test is an intermediate form of the Black Box and White Box Penetration Test, in which the researchers have limited login details and information at their disposal. Because the pentester receives limited information from the organization, it is by definition better informed than a malicious hacker. The Grey Box pentest is generally used to see how safe an environment is from the perspective of an employee or customer.

Tip: Make good arrangements for the pen test

Good appointments ensure that a pen test can run smoothly. It is important that it is clear beforehand what is expected from both parties. The most important thing is clarity about the scope of the assignment in order to have clarity about what is being tested, within which agreed time (and what the costs are). The assignment must be clear and the information required in advance must be provided on time, otherwise a pen test cannot begin. We agree when the information must be delivered, when the pen test will take place, what the pen test means for the daily operations of your company and when the report will be delivered.

What pentest methodology and standards to use?

In order to carry out a successful pentest, NFIR uses various methods for testing information security. The three most important standards (depending on the environment being tested) are the Penetration Execution Standard (PTES) and the 2 standards of the organization Open Web Application Security Project (OWASP). The standards are; The WSTG and the MASTG. The Common Vulnerability Scoring System version 3.1, abbreviated to the CVSS risk model, is used to determine the severity of a vulnerability. This international model is used by NFIR to classify security breaches.

NFIR is a specialist in the field of cyber security. We help organizations limit the consequential damage of a cyber incident and secure digital forensic evidence to identify the cause of the damage. In addition, our services can help you increase your resilience against cyber incidents and support you in improving your digital vital infrastructure. Our experienced staff, all of whom have received approval from the Chief of Police, are able to support and advise you in a no-nonsense manner with our preventive services and reactive services.

You may have many questions about pentesting. We offer a free 15 minute consultation to answer your questions.
Ask your questions about a vulnerability scan or a pen test during a free consultation.

  • What do you choose, a vulnerability scan or a pen test?
  • How many hackers try to break into my server each day?
  • Would you like to have an advice, pen test, investigation or audit carried out?
  • What exactly is a pen test, what variants are there, what is involved and what is the use of a pen test?
  • Is a pen test sufficient for good security?
  • How can a firewall look into encrypted packets?
    What do I do to help the organisation prepare for a pen test?
  • Why hire nfir’s ethical hackers for pen tests?

Do you need more information about the possibilities of penetration testing within your organization?

High quality pen testing

Certified and quality-oriented pentesters

Pentests are essential to test the technical resilience and effective operation of security. Our pentesters focus on identifying vulnerabilities in systems by deploying various attack techniques. Our skilled and professional pen testers have extensive experience, creativity and up-to-date professional knowledge. The pentesters have completed various relevant training courses and hold the following certifications, among others, OSCP, OSWP, OSWE, OSEP, CPTS, CBBH, and eWPT.

Pentesting and the CCV seal of approval:

  • This quality mark, based on NEN-EN-ISO/IEC standards 17021 and 17065, gives customers the guarantee that the execution of a pen testing assignment by NFIR is carried out in a professional and high-quality manner.
  • NFIR possesses since 07-01-2022 the CCV quality mark for Pentesting. logo ccv nl, Center for Crime Prevention and Security, pentest seals of approval.

I want to pentest my environment(s)!

Once you fill out this form, we will contact you immediately to inform you of the possibilities. We schedule a no-obligation intake with a Technical Lead to coordinate scope components and attack scenarios.

Do you have any questions in the interim? If so, please contact us by phone at the general NFIR phone number: 088 313 0205

Stay up to date on the latest Security Threats

Stay on top of the latest IT Security threats by signing up for our Threat Intelligence reports. As soon as we publish a new Threat Intelligence report, you will be notified immediately by email.

"*" indicates required fields

Name*
This field is for validation purposes and should be left unchanged.
Elementor Footer #15975

NFIR - Rijswijk

  • Laan van Zuid Hoorn 165
    2289 DD Rijswijk
    Netherlands
  • Directions

NFIR - Zwolle

  • Burgemeester Roelenweg 12
    8021 EV Zwolle
    Netherlands
  • Directions

Contact

Elementor Footer #15975
Elementor Footer #15975
Elementor Footer #15975

Copyright © 2025 NFIR B.V.

SECURITY INCIDENT BIJ UW ORGANISATIE?

De volgende 30 minuten zijn van cruciaal belang​!

De eerste 30 minuten na een cyber security incident zijn cruciaal, omdat een snelle en adequate reactie de schade kan beperken. Daarnaast kan verdere verspreiding van de aanval worden voorkomen en kan essentieel bewijsmateriaal veiliggesteld worden voor nader onderzoek.

Ons Computer Emergency Response Team (CERT) staat 24/7 klaar om bedrijven en organisaties te ondersteunen bij IT-beveiligingsincidenten.

Heeft uw bedrijf professionele hulp nodig bij een beveiligingsincident? 

Bel ons 24/7 !
* LET OP: Wij werken uitsluitend voor bedrijven en organisaties.

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage. In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?

Call us 24/7 !
* PLEASE NOTE: We work exclusively for companies and organizations.