Audits, Assessments, and Penetration Testing
What the Exam Is Really Testing
Candidates frequently confuse vulnerability assessments with penetration tests, and the exam is built to catch that confusion. A vulnerability assessment scans and reports. A penetration test exploits. One tells you what could go wrong. The other proves it.
Audits validate compliance. Assessments evaluate risk. Penetration tests prove exploitability. Each serves a different purpose, and choosing the wrong one wastes resources and creates false confidence.
The exam will describe evaluation scenarios and expect you to select the correct method, distinguish between testing environments (known, unknown, partially known), and understand the strategic differences between offensive and defensive approaches.
Audit Types
Audits are formal examinations of an organization's adherence to policies, standards, or regulations. The exam tests three types.
Internal audits are conducted by the organization's own audit team. Internal auditors report to management or the audit committee and provide an independent assessment of control effectiveness. The advantage of internal audits is deep organizational knowledge. The limitation is potential bias — internal auditors may face pressure from the people they are auditing.
External audits are conducted by independent third parties with no stake in the outcome. External auditors provide objective assessments and are often required by regulations or business partners. SOC 2 audits, ISO 27001 certification audits, and financial audits are all performed by external auditors. The advantage is objectivity. The limitation is that external auditors may lack deep contextual knowledge of the organization.
Regulatory audits are conducted by or on behalf of regulatory bodies to verify compliance with specific laws or regulations. These are mandatory — organizations cannot opt out. HIPAA audits, PCI DSS assessments, and banking regulatory examinations are examples. Failing a regulatory audit can result in fines, sanctions, or loss of operating authority.
Attestation is a formal statement or declaration by an authorized party that something is true. In security, attestation typically refers to a third-party auditor's formal statement that an organization's controls meet a specific standard. SOC 2 Type II reports are attestation reports — an independent auditor attests that the organization's controls were operating effectively over a period of time.
Assessment Types
Assessments evaluate different aspects of the security posture. The exam tests three types.
Risk assessment identifies and evaluates risks to the organization. It combines threat analysis, vulnerability identification, and impact estimation to determine overall risk levels. Risk assessments answer: "What could go wrong, how likely is it, and how bad would it be?"
Vulnerability assessment identifies and catalogs known vulnerabilities in systems, networks, and applications. Vulnerability assessments use automated scanning tools to detect unpatched software, misconfigurations, default credentials, and other weaknesses. They answer: "What weaknesses exist in our environment?"
A vulnerability assessment is not a penetration test. A vulnerability assessment identifies weaknesses. A penetration test attempts to exploit them. The distinction is critical on the exam.
Threat assessment evaluates the threats facing an organization based on its industry, geography, assets, and adversary landscape. Threat assessments answer: "Who or what is likely to attack us, and what capabilities do they have?"
Penetration Testing
Penetration testing simulates real-world attacks to determine whether vulnerabilities can actually be exploited. It goes beyond identification to prove exploitability and measure real-world impact.
The exam uses specific terminology for testing environments:
Known environment testing (previously called white box) provides the tester with full knowledge of the target environment — network diagrams, source code, credentials, system configurations. This approach is thorough and efficient because the tester does not waste time discovering what is already documented.
Unknown environment testing (previously called black box) provides the tester with no prior knowledge. The tester must discover the target environment through reconnaissance, just as a real attacker would. This approach tests the organization's detection capabilities and simulates an external threat actor.
Partially known environment testing (previously called gray box) provides limited information — perhaps user-level credentials or basic network information, but not full architectural details. This simulates an insider threat or a scenario where an attacker has gained initial access.
Reconnaissance
Reconnaissance is the information-gathering phase that precedes active exploitation. The exam tests two types.
Passive reconnaissance gathers information without directly interacting with the target. The target does not know it is being observed. Techniques include:
- OSINT (Open Source Intelligence) — searching public records, social media, job postings
- DNS lookups using public DNS servers
- WHOIS queries for domain registration information
- Reviewing publicly available documents and metadata
- Searching breach databases for leaked credentials
Active reconnaissance directly interacts with the target system. The target may detect this activity. Techniques include:
- Port scanning to identify open services
- Service enumeration to determine software versions
- Vulnerability scanning against target systems
- Network mapping to discover live hosts and topology
- Banner grabbing to identify service information
The key distinction: passive leaves no trace on the target. Active touches the target and may trigger alerts.
Physical Penetration Testing
Penetration testing is not limited to networks and applications. Physical pentesting evaluates the effectiveness of physical security controls.
Physical testing may include:
- Tailgating — following an authorized person through a secured door
- Badge cloning — copying access card credentials
- Lock picking — bypassing physical locks
- Dumpster diving — searching discarded materials for sensitive information
- Social engineering at reception — convincing staff to grant unauthorized access
Physical pentesting requires explicit authorization and careful rules of engagement. Without proper authorization, these activities are illegal.
Offensive vs. Defensive Security
Offensive security takes the attacker's perspective. Red teams simulate real adversaries, using the same tools, techniques, and procedures that actual threat actors employ. The goal is to find and exploit weaknesses before real attackers do.
Defensive security focuses on detection, prevention, and response. Blue teams monitor systems, analyze alerts, respond to incidents, and improve security controls. The goal is to detect and stop attacks.
Purple teaming combines offensive and defensive approaches. Red and blue teams work together, with the red team sharing attack techniques and the blue team refining detection capabilities. Purple teaming maximizes the value of both teams by creating a feedback loop.
Bug Bounty Programs
Bug bounty programs invite external security researchers to find and report vulnerabilities in exchange for rewards. They provide continuous testing from diverse perspectives at a fraction of the cost of maintaining a full-time red team.
Key considerations for bug bounty programs:
- Clear scope definition — which systems and vulnerability types are in scope
- Responsible disclosure requirements — how researchers must report findings
- Safe harbor provisions — legal protections for researchers acting in good faith
- Payment structures — rewards based on severity and impact
Compliance Automation Tools
Modern compliance programs increasingly rely on automation to maintain continuous compliance instead of relying on point-in-time assessments. Compliance automation tools can:
- Continuously monitor control effectiveness against regulatory frameworks
- Automatically collect and organize compliance evidence
- Generate real-time compliance dashboards and reports
- Alert when controls drift out of compliance
- Map controls across multiple frameworks to reduce duplicate effort
The exam may present scenarios where manual compliance processes are inefficient and automation is the appropriate solution.
Pattern Recognition
When you see audit and testing questions, look for these patterns:
- If the question asks about formal compliance verification → audit
- If the question asks about identifying weaknesses without exploiting them → vulnerability assessment
- If the question asks about actively exploiting vulnerabilities → penetration test
- If the tester has full system knowledge → known environment
- If the tester has no system knowledge → unknown environment
- If the tester has partial knowledge → partially known environment
- If information is gathered without touching the target → passive reconnaissance
- If information is gathered by interacting with the target → active reconnaissance
- If the team simulates attackers → red team / offensive
- If the team defends and detects → blue team / defensive
Trap Patterns
The exam will try to mislead you with these common traps:
- Confusing vulnerability assessments with penetration tests. Vulnerability assessments identify weaknesses. Penetration tests exploit them. If the question describes active exploitation, it is a pentest, not a vulnerability assessment.
- Using old terminology. Security+ now uses "known environment" instead of "white box," "unknown environment" instead of "black box," and "partially known environment" instead of "gray box." Use the current terminology.
- Forgetting authorization requirements. Penetration testing without explicit written authorization is illegal. The exam may present scenarios where testing is conducted without proper authorization — this is always wrong.
- Confusing internal and external audits. Internal audits are conducted by organizational staff. External audits are conducted by independent third parties. The key differentiator is independence and objectivity.
Scenario Practice
Question 1
A security team runs automated tools to identify unpatched systems, misconfigured services, and default credentials across the network. The tools generate a report listing all findings ranked by severity, but no exploitation is attempted.
What type of activity is this?
A. Penetration test
B. Risk assessment
C. Vulnerability assessment
D. Threat assessment
Answer & reasoning
Correct: C
A vulnerability assessment uses automated tools to identify and catalog weaknesses without attempting exploitation. The key indicator is that findings are identified and ranked, but no exploitation is attempted. A penetration test would involve actively exploiting the discovered vulnerabilities.
Question 2
An organization hires a third-party security firm to test its external-facing web applications. The firm is given user-level credentials and told which applications are in scope, but it is not provided source code, architecture diagrams, or administrative access.
What type of penetration testing environment is this?
A. Known environment
B. Unknown environment
C. Partially known environment
D. Physical environment
Answer & reasoning
Correct: C
The testers received limited information (user credentials and scope) but not full architectural knowledge. This is a partially known environment test. A known environment would include full documentation and source code. An unknown environment would provide no information at all.
Question 3
A security researcher discovers that an organization's job postings reveal detailed information about its internal technology stack, including specific firewall vendors, SIEM platforms, and cloud providers. The researcher did not interact with any of the organization's systems.
What type of reconnaissance was performed?
A. Active reconnaissance through service enumeration
B. Passive reconnaissance through open source intelligence
C. Physical reconnaissance through social engineering
D. Active reconnaissance through vulnerability scanning
Answer & reasoning
Correct: B
Reviewing publicly available information (job postings) without interacting with the target's systems is passive reconnaissance using OSINT. No systems were touched, so no alerts would be triggered. The organization unknowingly disclosed its technology stack through public job listings.
Key Takeaway
The exam comes back to one question on this topic:
What is the organization trying to learn? Audits prove compliance. Assessments identify risk. Penetration tests prove exploitability. Using the wrong method for the wrong purpose gives you answers to questions you did not ask.
Match the method to the objective. Check how much the tester knows about the environment. Determine whether reconnaissance was passive or active. The right tool for the right job — that is always the correct answer.