These are conducted from the internet or from inside an organisation. Tests will determine if it is possible to gain access to sensitive information such as PII, Finance or Medical data. The scope will be discussed with clines and could including Applications, Databases and Cloud based resources. 

Testers will assess whether a user can escalate their privileges and gain usernames and passwords for other business users or access sensitive data. Check will be made to remove data from the corporate environment or whether a user can circumvent existing security controls to grant themselves inbound access to Organisations.