Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ: #White box

What is the difference between a black box, gray box, and white box pentest?

The main difference between black box, gray box, and white box testing lies in the level of information provided to the tester before starting the simulated attack.

  • In black box, the tester has no prior knowledge of the system. They act as an external hacker and attempt to access resources without any assistance. This type of test is realistic for simulating an external attack, but it is often limited to what can be guessed or discovered from the outside.
  • In gray box, the tester has some technical information or partial access (such as a user account). This reflects a scenario where the attacker has already infiltrated part of the system or, like a former employee, possesses internal knowledge.
  • In white box, all information is provided: source code, technical documentation, administrator access. This type of test provides a complete view and allows for the identification of deep vulnerabilities, often invisible from the outside.

Each approach has its advantages, and the choice depends on the objectives of the test and the level of risk to be covered.