Testing methods

In the field of offensive security the terms Black-, Grey and White-Box Testing are frequently used. But what do they mean?

Term usage

During a penetration test configuration or assessment, the terms Black-Box, Grey-Box and White-Box are frequently used.
They occur with the following pentests for instance:

Active Directory Assessment

Attacks without credentials (black-box), as a valid domain user (grey-box) or Domain Admin (white-box)

Pentest of Applications

Test without credentials (black-box), as a regular application user (grey-box) or source code assisted (white-box)

Scenario-based tests und assessments

Analysis without prior information or credentials (black-box) or with additional information and valid accounts (grey-box)


Perspective of an external attacker without knowledge about the target. The attacker does not have documentation nor credentials.


Perspective of an attacker with deeper knowledge of the target, e.g., a valid application user with access to the target.


Perspective of a developer or auditor with access to internal documents and the source code of the target.