Types of Penetration Testing: Black-Box vs Grey-Box vs White-Box
Penetration testing types are described in two dimensions: by the level of access the tester is given — black-box, grey-box, or white-box — and by what is being tested — web application, mobile application, infrastructure, or Active Directory. Choosing the right combination depends on your threat model and budget.
By level of access
Black-box testing
The tester starts with no inside knowledge — just a target, like a real external attacker. It best simulates an opportunistic outsider, but it is the least efficient: time is spent on discovery that a white-box test would skip.
White-box testing
The tester receives full information — source code, architecture diagrams, credentials. This finds the most issues per hour and is ideal for deep assurance of critical applications. It does not simulate an external attacker’s starting point, but it maximizes coverage.
Grey-box testing
The tester gets partial knowledge — typically standard user accounts and some documentation. This simulates an attacker who already has a foothold, or a malicious insider. For most organizations, grey-box is the best balance of realism, coverage, and cost, which is why it is the most commonly requested approach.
By target
The access level above applies to whichever system you are testing. The four most common targets are:
- Web application & API — the most common engagement. Tests authentication, access control (e.g. insecure direct object references, IDOR), injection, business-logic flaws, and API security.
- Mobile application — iOS and Android, covering insecure storage, inter-process communication, and the backend APIs the app talks to.
- Infrastructure / network — external and internal perimeter testing, finding misconfigurations and exploitable services.
- Active Directory — privilege escalation and lateral-movement path analysis inside Windows domains, mapping the route from a foothold to Domain Admin.
We perform all four — see our services for scope details, and our methodology for how each engagement runs.
How to choose
- Map your attack surface. What is internet-facing? What holds sensitive data?
- Pick the targets that match. A fintech app needs web/API and likely mobile; an enterprise also needs infrastructure and AD.
- Choose an access level. Grey-box is the default sweet spot; choose white-box for critical systems where thoroughness matters most; choose black-box when you specifically want to measure external exposure.
Not sure which fits? Talk to us and we’ll help you scope it.
Frequently asked questions
Which is better: black-box or white-box testing?
Neither is universally better. Black-box simulates an external attacker with no inside knowledge; white-box is more thorough and finds more issues per hour because the tester has full information. Grey-box is the common middle ground and usually the best value.
What is grey-box penetration testing?
Grey-box testing gives the tester partial knowledge — typically standard user credentials and some documentation — simulating an attacker who has gained a foothold or a malicious insider. It balances realism with efficiency.
Do we need all four types (web, mobile, infrastructure, Active Directory)?
Only the ones that match your attack surface. A SaaS company usually needs web and API testing; an enterprise with on-premise systems also needs infrastructure and Active Directory testing.