833-847-3280
Schedule a Call

White Box, Gray Box, and Black Box Testing, Oh My

Black box testing

In speaking with many of our clients, MainNerve’s staff has fielded countless questions about the type of penetration testing and approach that will be used, such as black box testing.  Often, clients are uncertain of what they need for their business. We work with them to ensure we are providing the correct services. Our goal is to partner with and keep the clients’ needs first. We are geeks but don’t read minds; we leave that part up to the psychics.

Black Box

For some clients, black box testing simply means external penetration testing.  It’s a phrase often heard in movies, which aren’t always accurate. However, black box testing is an approach where an ethical hacker has no knowledge of the system being attacked.  The goal of black box testing is to simulate an external hacking or cyber warfare attack.   MainNerve would perform reconnaissance, which is often called Open Source Intelligence (OINST), on the company to obtain sensitive knowledge of the networks.  This may take days or weeks for knowledge gathering.  This of course places us in the same role as an unethical hacker.

While this may be more like a real-world attack, the cost will be much higher due to the time it takes gathering data and attempting to brute force a network.  Many clients feel they are getting the best test possible with this approach.  However, MainNerve would like to remind companies that they may be overlooking many vulnerabilities on devices a tester may not have found.  Some attackers will take months attempting to harvest credentials before they get lucky and get into a network.

Gray Box

However, at MainNerve we like to presume that given enough time, a malicious actor would be able to find everything a client owns.  Therefore, we suggest gray box testing instead of black box testing.  We can still test the external network or applications as if we had no knowledge.  Once we verify that we cannot penetrate the firewall(s), we would then have the IPs and URLs in scope to continue testing to ensure you get the best bang for your buck.

White Box

Now you might be asking about the white box testing.  Isn’t gray box testing enough?  White box, or sometimes called crystal box, means we have even more information, like network diagrams or topology of the network.  This is mainly used for PCI testing, as that requires 100% of the network be verified and segmentation checks conducted.  This is more costly for internal network penetration testing, as those devices reside behind a firewall and we will have to ensure one network cannot talk to another network.

If you aren’t sure what you need, we have non-nerds standing by ready and willing to translate ‘geek’ and help you figure it out.  We are your partners in this endeavor, so feel free to call an expert at – 833-847-3280.

Latest Posts

A transparent image used for creating empty spaces in columns
Why Your Penetration Test Severity Ratings Might Be Misleading You, and a Better Way to Think About Them
If you’ve ever received a penetration test report and felt like the severity ratings didn’t quite match your intuition about what was serious, you’re not imagining things. Severity ratings are one of the most consequential parts of any pen test report. Organizations use them to…
A transparent image used for creating empty spaces in columns
How MSPs and IT Consultants Can Add Penetration Testing to Their Practice Without Doing the Testing
If you’re an MSP, an IT consultant, a VAR, or any kind of technology services provider, there’s a good chance your clients are starting to ask about penetration testing. Maybe a cyber insurance carrier required it on the renewal application. Maybe a client received a…
A transparent image used for creating empty spaces in columns
Why We Ask for Your Budget During Scoping and What We Do with It
There’s a moment in almost every scoping conversation where we ask something like, “Do you have a penetration test budget in mind?” And there’s a predictable pause on the other end. We understand why. The assumption most people make is that asking for a budget…
A transparent image used for creating empty spaces in columns
Why We Recommend Running Your Internal Network Test During Business Hours
When clients schedule an internal network penetration test, one of the first questions we hear is some version of: “Can you do it after hours so it doesn’t disrupt anything?” It’s a reasonable instinct. The idea is that running a security test while employees are…
A transparent image used for creating empty spaces in columns
Your IT Guy Is Not Your Security Team
When something goes wrong with the internet connection, a printer won’t connect, or a new employee needs their laptop set up, you call your IT person. They fix it. Problem solved. It’s one of the more satisfying parts of running a business: having someone who…
A transparent image used for creating empty spaces in columns
Why Hackers Love Small Businesses More Than Fortune 500 Companies
There’s a story most small business owners tell themselves about cybersecurity. It goes something like this: hackers are out there targeting banks, hospitals, and major corporations. They’re after the big scores, millions of records, massive ransom payments, headline-grabbing breaches. A small business with 20 employees…
More Posts
contact

Our Team

This field is for validation purposes and should be left unchanged.
Name(Required)
quick links to

Our Services

  • Network Penetration Testing
    •
  • Web Application Penetration Testing
    •
  • API Testing
    •
  • Mobile Application Penetration Testing
    •
  • WiFi Testing
    •
  • Web Application Vulnerability Scanning
    •
  • Security Risk Assessments
    •
    call our security experts 833-847-3280

    833-847-3280

    X-twitter Facebook-f Google Linkedin-in Threads

    Careers

    On Load
    Where? .serviceMM
    What? Mega Menu: Services
    Call
    Visit

    833-847-3280

    201 E Pikes Peak Ave Suite 2025
    Colorado Springs, CO 80903