Black, grey and white box penetration testing

Black-box penetration testing

This is the type of testing most similar to what a real attacker might do. The pentester tries to break into the system without being given any information about the internal systems or any credentials beforehand.

Grey-box penetration testing

In this pentest methodology the pentester has some information about the system. This could be diagrams, application logins, or VPN access, to name a few, but the vast majority of the application architecture remains unknown to the pentester.

White-box penetration testing

This is the scenario where the pentest team has access to system information, source code, diagrams and other details about the architecture of the system. This type of testing is convenient when there are time constraints, or when the system owners assume that an attacker might already be in the system and want to find where the hole in the system is.