
# 🔧 Penetration Testing Methods & Use Cases

- [Pentesting Approaches: White-Box, Gray-Box, and Black-Box](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/pentesting-approaches-white-box-gray-box-and-black-box.md): Penetration testing can be approached in several different ways, each offering varying levels of insight and requiring different types of information about the system under test.
- [Penetration Testing Environments: How to Choose the Right Testing Ground](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/penetration-testing-environments-how-to-choose-the-right-testing-ground.md): Development, staging, and production environments each offer unique advantages for penetration testing. The right choice depends on your risk tolerance, compliance needs, and testing objectives.
- [Internal vs. External Penetration Testing: Different Methodologies, One Complete Security Picture](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/internal-vs.-external-penetration-testing-different-methodologies-one-complete-security-picture.md): External and internal pentesting cover very different attack surfaces and uncover distinct types of vulnerabilities, making the strategic choice between them crucial for effective risk management.
- [How to Prioritize Vulnerabilities - Understanding Risk Scoring (CVSS) in Penetration Testing](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/how-to-prioritize-vulnerabilities-understanding-risk-scoring-cvss-in-penetration-testing.md): Spoiler alert: base CVSS scoring alone doesn't determine your actual business risk. Discover how to prioritize penetration test findings using EPSS and context-based scoring.
- [Beyond CVSS in Penetration Testing: A look at CWE, CWSS, and the Traditional Risk Rating way](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/beyond-cvss-in-penetration-testing-a-look-at-cwe-cwss-and-the-traditional-risk-rating-way.md): While CVSS scores severity, CWE, CWSS, and Traditional Ratings reveal root causes and contextual business risk. Read our guide to see real-world examples and understand vulnerability scoring.
- [The Blueprint for a Better Penetration Test: How Threat Modeling Improves Offensive Security Outcome](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-blueprint-for-a-better-penetration-test-how-threat-modeling-improves-offensive-security-outcome.md): A Threat Model is a list of assumptions; a pentest is the reality check. Discover how combining them exposes hidden business logic flaws and turns theoretical risks into confirmed vulnerabilities.
- [The Retest Trap in Penetration Testing: Why You Want Pentesters to Verify Your Fixes](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-retest-trap-in-penetration-testing-why-you-want-pentesters-to-verify-your-fixes.md): Vulnerability remediation demands rigorous retesting. Learn why expert verification is essential to address root causes, prevent logic flaws, and validate true remediation.
- [What Is Cyber Threat Intelligence and Why Does It Matter for Penetration Testing?](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/what-is-cyber-threat-intelligence-and-why-does-it-matter-for-penetration-testing.md): Cyber threat intelligence provides ethical hackers or cybersecurity teams with actionable insights about current risks, enabling proactive defense against cyber threats.
- [Penetration Testing for AI Systems: How to Secure Modern LLMs, Agents, and AI Infrastructure](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/penetration-testing-for-ai-systems-how-to-secure-modern-llms-agents-and-ai-infrastructure.md): As AI transforms business operations, the attack surface expands while security often lags behind. What should you know before launching AI products?
- [Open source Frameworks for Agent-Based Penetration Testing](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/open-source-frameworks-for-agent-based-penetration-testing.md): The evolution from automated scanning to intelligent AI agents is reshaping how security professionals approach pentesting assessments. Discover the main frameworks leading this transformation.
- [Collaborative Testing: Why Your Blue Team Should Watch the Pentest](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/collaborative-testing-why-your-blue-team-should-watch-the-pentest.md): Siloed penetration tests can limit defensive maturity, while mature programs gain more value from collaboration. Discover the key advantages of testers working in open communication with your team.
- [Why Complex Access Paths Kill Penetration Testing Value](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/why-complex-access-paths-kill-penetration-testing-value.md): Complex access paths through VPNs, VDI, and jump boxes can degrade penetration test quality. Explore the key reasons and how staging environments eliminate friction in security assessments.
- [Shadow IT & the Scoping Blind Spot: Why Your Penetration Test Could Be Missing Critical Assets](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/shadow-it-and-the-scoping-blind-spot-why-your-penetration-test-could-be-missing-critical-assets.md): Tight scoping creates a massive blind spot, leaving critical assets completely untested. Learn why Shadow IT is the “open window” attackers exploit first.
- [The "Perfect Environment" Trap: Why Penetration Testing Shouldn't Wait](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-perfect-environment-trap-why-penetration-testing-shouldnt-wait.md): Waiting for the perfect opportunity to pentest is a dangerous misconception. Learn why attackers thrive during transitions and why you should test your environment as it exists today.
- [Penetration Testing Fatigue: What to Do When You Haven't Fixed Last Year's Report](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/penetration-testing-fatigue-what-to-do-when-you-havent-fixed-last-years-report.md): Still drowning in last year's pentest backlog? Running another identical test won't help. Discover 3 ways to pivot the engagement and extract real value from your next penetration test.
- [The Cloud Shared Responsibility Myth: Why Penetration Testing Must Cover Third-Party Integrations](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-cloud-shared-responsibility-myth-why-penetration-testing-must-cover-third-party-integrations.md): Cloud providers like AWS, GCP or Azure secure the infrastructure, but that doesn't mean your application is secure. Discover why third-party integrations could be your biggest untested attack surface.
- [The WAF Illusion in Cybersecurity: Why Temporary Rules and Staging Servers Render Firewalls Useless](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-waf-illusion-in-cybersecurity-why-temporary-rules-and-staging-servers-render-firewalls-useless.md): A WAF buys you time. It doesn't fix your code. Learn why penetration testers consistently bypass enterprise firewalls and what true remediation actually requires.
- [The Continuous Testing Trap: Why You Must Rotate Your Ethical Hackers](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-continuous-testing-trap-why-you-must-rotate-your-ethical-hackers.md): The same pair of eyes auditing your apps for years is a security liability. Discover the blind spots of static testing teams and the exact steps to run continuous penetration testing the right way.
- [The Vendor Rotation Dilemma in Penetration Testing: Balancing Fresh Eyes with the Onboarding Tax](https://www.penetration-testing.com/penetration-testing-methods-and-use-cases/the-vendor-rotation-dilemma-in-penetration-testing-balancing-fresh-eyes-with-the-onboarding-tax.md): Rotating pentest providers eliminates blind spots but introduces significant onboarding overhead. Learn how to balance both forces and get the maximum return on your offensive security budget.


