In a black box penetration test, no information is provided to the tester at all. The pentester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most realistic, proving how an adversary with no inside knowledge would target and compromise an organization.
However, due to the extended amount of time required to research the target, black box test is one of the costly options available. Grey Box
Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter. In a grey box penetration test, only limited information is shared with the tester such as unprivileged login credentials and/or IP address of the target. Grey box testing is often favored by customers as the best balance between efficiency and authenticity
, stripping out potentially time-consuming reconnaissance. White Box
White box penetesting involves sharing full network and system information with the tester, including network maps and credentials. A white box penetration test is useful for simulating a targeted attack on a specific system utilizing as many attack vectors as possible
. Usually this type of a test is helpful at the time of product development to uncover required fixes.