Penetration tests are categorized by how much information the tester has. Black box simulates an external attacker with no knowledge. White box gives full access—like an internal audit. Gray box is somewhere in between.
Black box:
- Little or no information provided
- Simulates external attacker
- Most realistic attack simulation
- Takes more time

White box:
- Full information provided
- Network maps, credentials, source code
- Most thorough assessment
- Faster, deeper testing

Gray box:
- Partial information provided
- Simulates insider threat
- Balance of realism and efficiency
- Most common in practice
The choice of test depends on budget, time constraints, threat model, and compliance requirements.