Simuna Infosec
Educational | 2026-06-05

Types of Penetration Testing: Black Box, White Box, and Grey Box Explained

The three testing approaches differ in what the tester knows before starting. Here's when each is appropriate and what each reveals.

Penetration testing engagements are commonly categorised by how much information the tester receives before beginning. Each approach simulates a different attacker profile and reveals different things.

Black Box Testing

In black box testing, the tester receives no prior knowledge of the target: no source code, no architecture diagrams, no credentials. They approach the target the same way an external attacker would, starting from scratch with reconnaissance and discovery.

**Simulates:** An external attacker with no insider knowledge. **Strengths:** Tests the real external attack surface and discovery process; reveals what an outsider could find and exploit. **Limitations:** Time-constrained engagements may not reach the depth that a tester with some knowledge could achieve; may miss vulnerabilities in internal or authenticated functionality. **Best for:** External perimeter assessments, testing internet-facing applications from an attacker's perspective.

White Box Testing

In white box testing, the tester receives full knowledge: source code, architecture documentation, credentials for all user roles, network diagrams, and configuration details. This enables the deepest possible assessment.

**Simulates:** A sophisticated attacker with insider access, or a thorough internal security review. **Strengths:** Maximum depth and coverage; the tester can examine source code for vulnerabilities, trace data flows, and test every user role and function systematically. **Limitations:** Less realistic as a simulation of an external attack; requires the organisation to share sensitive information. **Best for:** Critical applications where maximum vulnerability discovery is the priority, such as financial transaction systems, healthcare applications, or systems processing highly sensitive data.

Grey Box Testing

Grey box testing is the middle ground. The tester receives partial knowledge, typically valid user credentials and basic documentation, but not source code or full architecture details. This is the most common approach for application penetration testing.

**Simulates:** An authenticated user who may be malicious, or an attacker who has compromised initial credentials. **Strengths:** Balances realism with depth; tests authenticated functionality and authorisation controls while still requiring the tester to discover the application's behaviour. **Limitations:** May not achieve the source-code-level depth of white box testing. **Best for:** Most web and mobile application assessments; testing authorisation, privilege escalation, and business-logic flaws within authenticated sessions.

Which Should You Choose?

The right choice depends on your objectives. For most enterprise application assessments, grey box testing provides the best balance of coverage and realism. For critical systems where maximum depth matters most, white box testing is appropriate. For external perimeter validation, black box testing simulates the real external threat. Many comprehensive engagements combine approaches, for example, black box testing of the external perimeter followed by grey box testing of the application layer.