Unauthenticated vs Authenticated Penetration Testing. What’s right for you?

Fort Knox, home to America’s gold bullion reserves, is synonymous with impenetrability.

Despite formidable and multi-layered defensive measures, could an attacker still identify security gaps and penetrate the perimeter?

Regularly checking perimeter defences can help identify potential vulnerabilities. Conducting assessments from the outside, like an attacker without access credentials, is an Unauthenticated test.

But what if an attacker malevolently obtains access credentials? What if an attacker is invited inside by an employee? What if an aggrieved employee turns nefarious and becomes an attacker? Security measures within the Fort need to be assessed to limit the damage of an attack launched from the inside.

Conducting assessments like an attacker already on the inside is an Authenticated test.

This is the fundamental difference between
Unauthenticated and Authenticated Penetration Testing.

An Unauthenticated Penetration Test is an examination of an asset without login credentials – usually a username and password. It simulates how a random outside attacker would approach the asset.

Conversely, an Authenticated Penetration Test is an examination of an asset from the perspective of an attacker who has managed to gain entry, whether with compromised login credentials, or a malicious employee with access rights.

Whether you decide to undertake an Unauthenticated or an Authenticated Pen Test, it’s important you understand the differences between the two so you can make the right decision based on what you’re trying to achieve.


How does this differ from External and Internal Penetration Testing?

All too often ‘External’ is used interchangeably with ‘Unauthenticated’, while ‘Internal’ is used interchangeably with ‘Authenticated’.

However these terms are not synonymous.

    • External Penetration Testing refers to assets that are externally facing. Such assets are usually accessible via the internet. Some examples may include websites, email systems, or file sharing platforms.
    • Internal Penetration Testing refers to assets that are internally facing. These are accessible from within an organisational environment, such as a network or a server.

Both External and Internal assets can be tested in an Unauthenticated or an Authenticated way, depending on whether you have access credentials.

• No access credentials = Unauthenticated
• Access credentials = Authenticated

With an Unauthenticated Pen Test you’ll know whether an intruder can breach your defensive perimeter. With an Authenticated Pen Test you’ll know what damage they can do if they’re already on the inside.

External vs Internal

External Penetration Testing examines externally facing assets that are usually accessible through the internet. Examples include email, websites and file sharing platforms.

Internal Penetration Testing examines internally facing assets, such as networks or servers, that are accessed from within an organisational environment.

Unauthenticated vs Authenticated

Unauthenticated Penetration Testin involves examining the security perimeter of an asset without any login credentials or access rights.

Authenticated Penetration Testing involves examining an asset with login credentials or access rights in order to determine how much manoeuvrability someone has once inside.

‘External’ and ‘Internal’ refer to the type of asset being examined.
Both types of assets can be tested in either ‘Unauthenticated’ or ‘Authenticated’ ways.



When deciding what type of Penetration Testing is right for you, start with a clear awareness of what you’re trying to achieve.

If your goal is to satisfy certain compliance standards that require regular perimeter testing, an Unauthenticated Penetration Test may suffice. You will gain awareness of vulnerabilities, such as open ports in firewalls, that could be used by attackers to breach your perimeter defences.

There certainly is merit in such an exercise, and it may be all that’s required in certain circumstances.

However, for a more complete picture of what damage an intruder could do once they’re on the inside, Shearwater recommends you undergo an Authenticated Penetration Test.

Authenticated Penetration Testing is best practice because we examine both your perimeter, as well as your internal security defences.


With Shearwater’s Authenticated Penetration Testing, you’ll benefit from:

❖ Greater Accuracy about your Risk Profile

Having accurate information is essential when assessing risk.While Unauthenticated Pen Testing can highlight perimeter security gaps, it has its limitations.Conducting Authenticated Penetration Testing offers deeper awareness into potential risks from a broader range of vulnerabilities.

Whether you’re testing a network, operating system, web application, or any other type of External or Internal asset, Authenticated Penetration Testing ensures you have an accurate and complete picture, so you can correctly assess your organisation’s risk profile.


❖ Protect Yourself from Malicious Insider Threats

Malicious insider threats are an increasing risk for many organisations.

Fraud, sabotage, and data theft can be inflicted by trusted insiders, such as employees, who may be motivated by financial gain or vengeance.

With an Authenticated Penetration Test you’ll know what damage an individual with malicious intent could inflict if they are already inside your defensive perimeter.

By allowing security analysts to access your system as privileged users, for example with login credentials, you’ll have the ability to detect vulnerabilities from within, whether they be weak passwords, malicious software or configuration issues.


❖ Strengthen your Security Posture Against Intruders

Authenticated Penetration Testing simulates circumstances in which an intruder gains access to your systems without your knowledge.

They may have obtained access by compromising legitimate users as a result of “password spraying” or “credential stuffing” attacks.

Whatever method was used to obtain illegitimate access, you need to strengthen your security posture by limiting the amount of access they have once they’re on the inside.

Only by conducting Authenticated Pen Testing will you have the visibility to know what needs to be done to compartmentalise and restrict internal lateral mobility.  

Furthermore, strengthening your security posture is important to maintaining a competitive advantage in an era of heightened cybersecurity concerns. It demonstrates your organisation’s commitment to cybersecurity and data confidentiality.


How Shearwater can help you

Heighten your organisation’s security with Shearwater’s team of expert Penetration Testers.

By engaging our team to undertake Authenticated Penetration Testing, we go the extra mile by examining both your perimeter and your security defences within the perimeter.

The aim of an Authenticated Pen Test is to identify and exploit vulnerabilities relating to:

  • Access Permissions;
  • Security Configurations; and
  • Data Protection Mechanisms.

We offer in-depth executive level reporting which serves as a risk minimisation tool for management, and a technical document – listing vulnerabilities prioritised according to risk level – for the internal security team to remediate.

The report also provides access to mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.