Black box testing, also referred to as external penetration testing, gives the ethical hacker little to no early information about the IT infrastructure or security of the company beforehand. Black box tests are often used to simulate an actual cyberattack.

Tests start from outside the network where the tester doesn’t know about in-place security systems or local network architecture. Since the simulated attack is blind, these tests can be the most time-consuming.

White box testing is where the tester has full knowledge of the network infrastructure and security systems in place. While these tests don’t mimic what a real outside attack might look like, they are one of the most thorough types of tests you can have performed.

White box tests can also simulate what an inside attack may look like since the tester starts inside the network with insider knowledge of how the network is structured. While white box testing can be completed quickly due to its transparent nature, enterprise organizations with many applications to test may still have to wait several months for complete results.

Gray box is a blend of the first two techniques and allows the tester partial access or knowledge into the company network. Gray box is often used when testing a specific public-facing application with a private server backend. With this combined information, the tester can attempt to exploit specific services to gain unauthorized access into other parts of the network.

The timeframe for a gray box test is usually less than a black box test, but longer than a white box test due to the testers’ limited network knowledge of the network.