Domain 5 of 5 · Chapter 5 of 6

Audits and Assessments

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Attestation and the internal vs external audit split
  • Penetration testing: environment knowledge, posture, and scope
  • Reconnaissance and the four-phase pen-test methodology
  • Exam-pattern recognition: assurance type and pen-test scope

Pen-test environment knowledge: how much the tester is told

Environment knowledgeKnown (white box)Partially known (gray box)Unknown (black box)
Information given to testerFull: source code, architecture, credentials, diagramsLimited: e.g., a user account or a network diagramNone: only a target name/scope, like an outsider
Real-world threat it simulatesA fully-informed insider or code auditorA malicious insider or attacker with an initial footholdAn external attacker with no inside help
Effort spent on reconnaissanceMinimal: discovery is handed overModerate: fill gaps the partial info leavesMaximum: most of the budget goes to discovery/OSINT
Speed and coverageFastest and most thorough per dollarBalanced realism vs efficiencySlowest; coverage limited by what discovery finds
Realism of outsider perspectiveLowest: not how an outsider sees youMediumHighest: mirrors a true external attack

Decision tree

How much information will the tester be given? Full info Known (white box) code / architecture / credentials Limited info Partially known (gray box) simulate insider / foothold Nothing Unknown (black box) simulate external attacker Include physical / social- engineering methods? Yes Physical penetration test tailgating, keyloggers, theft No — network only Test detection & response, not just prevention? Yes Integrated (purple team) red attacks, blue defends, together No Offensive (red team) exploit to prove impact Always first: written rules of engagement + management approval (planning phase — no testing yet)

Cheat sheet

  • Attestation is a signed claim, not a discovery
  • Internal vs external audit turns on independence, not rigor
  • Internal audit forms: compliance, audit committee, self-assessment
  • External audit drivers: regulatory, examination, third-party
  • A self-assessment cannot satisfy an independence requirement
  • A pen test mimics real attacks to circumvent security
  • Environment knowledge: known, partially known, unknown
  • Known is fastest; unknown is the most realistic outsider
  • Posture: offensive (red), defensive (blue), integrated (purple)
  • Physical pen testing extends the attack surface past the network
  • Passive vs active recon turns on whether you touch the target
  • NIST pen-test lifecycle: planning, discovery, attack, reporting
  • Attack phase: exploit, escalate, pivot, loop back to discovery
  • Audits and assessments are point-in-time assurance, not the scan loop
  • SOC reports: SOC 1 financial, SOC 2 security, SOC 3 public; Type 1 vs 2

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification and exam objectives
  2. Technical Guide to Information Security Testing and Assessment (SP 800-115) Whitepaper