There are several general categories of assessment that an organization can use to help define the scope of a pen test engagement.
- Goal-based or objective-based assessments provide focus points for the pen test. They begin by the client listing the items or information that needs to be protected. Then, the pen test team will develop plans to obtain the goal or objective through any attack techniques available. This approach closely mimics the attacks that might be launched by a malicious party, so they can provide significant ROI for the client organization.
- Compliance-based assessments are government- or industry-required tests based on an established compliance framework. Common US compliance frameworks include PCI DSS, DISA STIG, FEDRAMP, and FISMA.
- Red team assessments test an organization's detection and response capabilities by emulating a malicious actor who targets attacks and avoids detection. The red team accesses sensitive information any way it can without being caught in the act. Red teams usually have longer time frames in which to work. Because stealth and avoidance is of great importance to the red team, they function more like an advanced persistent threat (APT), keeping a low profile while infiltrating the network. By contrast, pen test teams are usually time constrained and often cannot afford to be as patient. As such, they may be "noisy," while red teams are "quieter."
The idea of color teams evolved from military readiness exercises. In general, red teams attack, while blue teams defend. In some instances, purple teams help coordinate interactions between red and blue teams, and in other cases, white teams establish rules and monitor the testing.