There are essentially three types of penetration testing: white box, black box, and gray box.
– White Box Testing
White box testing is when the testing team has access to network diagrams, asset records, and other useful data. This method is used when budgets are tight and the number of allowed hours is limited. This type of testing is the least realistic, in terms of what an attacker may do.
– Black Box Testing
Black box testing is when there is definitely no information provided to the penetration testing team. Actually, using this method of testing, the penetration testing team may only be given the organization name. Other times, they may be given an IP range and other parameters to limit the potential for collateral damage. This type of testing most accurately represents what an attacker may do and is the most realistic.
– Gray Box Testing
Gray box testing is, you guessed it, somewhere in between white box testing and black box testing. This is the best kind of penetration testing where the penetration testing team is provided with limited information and only as needed. So, as they work their way from the outside in, more access to information is granted to speed the process up. This method of testing maximizes reality while remaining budget friendly.