🕵️ Penetration Testing Language
5 exercises — white-box/black-box, scope of engagement, reconnaissance, pivoting, and reporting vocabulary for security assessments.
Advanced
1 / 5
A security team brief states: "This is a black-box assessment — the testers have no prior knowledge of the system."
Which description correctly distinguishes black-box, white-box, and grey-box testing?
Black/white/grey box refers to how much prior knowledge and access testers have — not the network position or authentication state.
| Assessment type | Tester knowledge | Pros | Cons |
|---|---|---|---|
| Black-box | Zero — simulates an external attacker with no insider knowledge | Realistic attacker simulation; tests external defences | Time-intensive; may miss internal vulnerabilities |
| White-box | Full — source code, architecture, credentials, design docs | Maximum coverage; finds logic flaws missed by automated tools | Expensive; doesn't test external-facing defences |
| Grey-box | Partial — user credentials, API docs, but not source code | Most common real-world engagement; good depth-to-cost ratio | May miss issues only visible with full source access |