15 April, 2022

Gray Box vs White Box vs Black Box

Author: Jason Gillam

Every penetration test emulates an adversary to assess the security controls of the target systems. This type of testing can become very inefficient and expensive if the penetration testing team begins from the same starting point as any adversary would. To reduce the cost and simultaneously help the testers stay within the bounds of the test, penetration testers will usually conduct their testing with extra information about, and access to, the target systems that a real adversary would not necessarily have.

Example Comparisons

The amount and type of extra information and access provided to a penetration tester will depend on targets (e.g., network, building, application, etc.) and the test categorization (gray box, black box, or white box). The following table shows some examples of access and information for common penetration test targets. Gray Box is listed first because it is the most routine type of third-party penetration testing.

External Network
  Gray Box
  • Categorized list of Network Ranges
  • List of domains
  • Firewall exception
  Black Box
  • The name of the company
  White Box
  • Everything in gray box
  • Internal configuration details as needed
  • Access to an internal subject matter expert

Internal Network
  Gray Box
  • Valid test user accounts
  • Workstation on domain
  • Categorized list of network ranges
  Black Box
  • A physical network port or connection
  White Box
  • Everything in gray box
  • Access to a subject matter expert
  • Visibility into monitoring of specific controls

Application
  Gray Box
  • Test user accounts for various roles
  • Firewall exception
  Black Box
  • URL(s) for the target application
  White Box
  • Everything in gray box
  • Access to development team
  • Application source code

Gray Box testing forms a balance between thoroughness and efficiency. It provides the best overall value from a third-party test in most cases. Since extra information such as accounts and specific targets are made available to the testing team, Gray Box testing eliminates

Black Box testing is a better emulation of an outside attacker than Gray Box testing. It requires more focus on reconnaissance activities and evasion techniques, often increasing the total effort.

White Box testing is the most thorough method of penetration testing, as it provides the testing team with supplemental visibility that a typical adversary would not have. White Box tests involve a more significant effort toward collaboration and analysis of the available information, such as configurations and source code.

Which method is best?

The answer to this question depends on what you need and who is doing the test. For example, it is not uncommon for an internal team to leverage White Box testing because obtaining additional information about the test targets is trivial. If you are hiring a third-party penetration testing company and don't know if you need a White Box or Black Box test, the safe option is to ask for a Gray Box test, as it should provide better coverage than a Black Box test with less effort and hassle than a White Box test.
