Even though there are many different types of penetration tests out there, there are also specific ways to do them. Aside from the usual external, internal, and other pen tests, you can also opt into different “box” types. These box types are black box, white box, and gray box. These different types of boxes can also be applied to things like software, but in this case, it will be specifically for penetration tests.

Each of the box types have their benefits when it comes to the penetration test that they belong to. To put it simply, the box is the information that the security analyst has when doing the penetration test. Black box is no information, white box is being given necessary information, and gray box is a certain level of access. With these box types, your penetration tests can give you different results each time.

What is penetration testing?

In order to understand black box, white box, and gray box testing, we need to know what a penetration test is to begin with. A penetration test is when a third-party cybersecurity firm tries to get into a company’s network. It is a fake, simulated attack where real-world methods are used in order to hack a company’s system.

These penetration tests are usually necessary to comply with government regulations. However, it is also good to get these tests to make sure your customers and employees are safe from bad actors. There are many penetration test types, including internal penetration, external penetration, PCI DSS penetration, and more.

Black Box Testing

The first in the three different types is the black box penetration test. As said above, black box, in its most simple state, is a penetration test with no access or information given to the security analyst. This is common for a test like a Red Team penetration test, but it can also be applied to a regular test like external and internal tests.

With no information for the security analyst, they will basically be going in blind. Realistically, this is how most bad actors and hackers function, so it is the most authentic display of how a real world attack might function. Granted, a security analyst can still get this information—it simply means he was able to get it from a different source.

However, since the box types work together, if a security analyst isn’t able to get access with the black box testing, it is highly unlikely that they will be able to test the network from within. This means that an internal penetration test may be unobtainable, depending on what the business wants to do. It’s always a good idea to get both box views when necessary.

White Box Testing

Opposite from black box testing, a white box test is when a security analyst is “whitelisted” to bypass security protocols and blockades. These tests are also sometimes called “open box” or “clear box” as well. With full access to a business’s network, a security analyst will be able to go through all of a business’s data to look for vulnerabilities and ways that threads can cause problems.

This is necessary to go with a black box test. Fortunately, since these go hand in hand, both types of tests can be performed on the same network from the same security analyst. In a way, they are put into a “box” and can perform different things within each box. So, with the white box giving access to everything, a security analyst will be able to provide the most detailed information and reports on vulnerabilities, threat levels, and more.

It may be a bit worrisome to give a third party such broad access to your company’s network. It’s understandable, considering you might want to protect your customers and employees. In that case, a business has every right to interview and have due diligence done in the spirit of protecting said data. It doesn’t change government regulations, after all—it needs to be done!

Gray Box Testing

With the two previous boxes explained, it’s easy to understand what gray box testing is. Between the two, a gray box test is when a security analyst is given access to a network at the level of an average user. Gray boxes will give the security analyst a certain level of access in the network, which can then be used for specialized points of interest in the network.

It is a bit more detailed than the black box test, but not as much access as the white box test. Getting past certain security protocols is sometimes necessary. For example, if a rogue employee wanted to cause damage to the business that they were a part of, what would they be able to access? What sort of information would they be able to take? A gray box would certainly be able to tell you that!


These box tests are an important part of a penetration test. Each of them fall under one of these categories, but each of them work together in some way. In order to get a full scope of a business’s network, then they will need to employ the use of each. There are many variations of penetration tests that can be done, after all.

With black box testing, a security analyst will have no information or levels of access when it comes to getting into the system. A white box test will provide the analyst with the most access to the network, which is important to get a greater scope of vulnerabilities and threats that can affect the system. Finally, a gray box test gives specific access levels to an analyst, who can pinpoint areas of the network that might be vulnerable.

Eddy Berry, Security Research Analyst

Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, assisting in finding news and government regulation that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those that need them.