Every penetration test emulates an adversary to assess the security controls of the target systems. This type of testing can become very inefficient and expensive if the penetration testing team begins at the same starting point as would every adversary. To reduce the cost and simultaneously help the testers stay within the bounds of the test, penetration testers will usually conduct their testing with extra information about and access to the target systems that a real adversary would not necessarily have.
Example Comparisons
The amount and type of extra information and access provided to a penetration tester will depend on targets (e.g., network, building, application, etc.) and the test categorization (gray box, black box, or white box). The following table shows some examples of access and information for common penetration test targets. Gray Box is listed first because it is the most routine type of third-party penetration testing.
| Gray Box | Black Box | White Box | |
| External Network |
|
|
|
| Internal Network |
|
|
|
| Application |
|
|
|
Gray Box testing forms a balance between thoroughness and efficiency. It provides the best overall value from a third-party test in most cases. Since extra information such as accounts and specific targets are made available to the testing team, Gray Box testing eliminates
Black Box testing is a better emulation of an outside attacker than Gray Box testing. It requires more focus on reconnaissance activities and evasion techniques, often increasing the total effort.
White Box testing is the most thorough method of penetration testing, as it provides the testing team with supplemental visibility that a typical adversary would not have. White Box tests involve a more significant effort toward collaboration and analysis of the available information, such as configurations and source code.
Which method is best?
The answer to this question depends on what you need and who is doing the test. For example, it is not uncommon for an internal team to leverage White Box testing because obtaining additional information about the test targets is trivial. If you are hiring a third-party penetration testing company and don't know if you need a White Box or Black Box test, the safe option is to ask for a Gray Box test, as it should provide better coverage than a Black Box test with less effort and hassle than a White Box test.
