Audits and Assessments
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Security+ premium course — no separate purchase.
Included in this chapter:
- Attestation and the internal vs external audit split
- Penetration testing: environment knowledge, posture, and scope
- Reconnaissance and the four-phase pen-test methodology
- Exam-pattern recognition: assurance type and pen-test scope
Pen-test environment knowledge: how much the tester is told
| Environment knowledge | Known (white box) | Partially known (gray box) | Unknown (black box) |
|---|---|---|---|
| Information given to tester | Full: source code, architecture, credentials, diagrams | Limited: e.g., a user account or a network diagram | None: only a target name/scope, like an outsider |
| Real-world threat it simulates | A fully-informed insider or code auditor | A malicious insider or attacker with an initial foothold | An external attacker with no inside help |
| Effort spent on reconnaissance | Minimal: discovery is handed over | Moderate: fill gaps the partial info leaves | Maximum: most of the budget goes to discovery/OSINT |
| Speed and coverage | Fastest and most thorough per dollar | Balanced realism vs efficiency | Slowest; coverage limited by what discovery finds |
| Realism of outsider perspective | Lowest: not how an outsider sees you | Medium | Highest: mirrors a true external attack |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.