Grey-box penetration testing (also spelt gray-box) is an engagement model in which the tester is given partial information about the target before testing begins. The information typically includes user credentials at different privilege levels, network diagrams, application architecture documents, or limited source code access. Grey-box sits between black-box, where the tester receives no internal information, and white-box, where the tester has full access to documentation and code.
What gets shared
Typical shared assets include: low- and standard-privilege user credentials, so authenticated functionality can be tested without spending time on account creation or enumeration; high-level architecture diagrams showing trust boundaries; API documentation; descriptions of any custom authentication or authorisation logic; and access to staging or test environments where destructive testing is safe. Source code is sometimes shared selectively for high-risk components.
When grey-box is the right choice
Grey-box is the most common engagement model for web and mobile application testing. It allows the tester to spend their limited time on the deeper, more valuable work (authorisation, business-logic flaws, multi-step exploitation) rather than on reconnaissance and account creation. It also produces more reliable coverage than black-box because the tester can test every user role rather than only what they happen to discover.
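As an added illustration (not part of the original article), the following constructed Python script shows why holding credentials for every role matters: it exercises each documented endpoint as each role against a stand-in for the target and reports deviations from the client-supplied access matrix. The application, endpoints, roles and the seeded defect are all hypothetical.

```python
"""Role-coverage check for a grey-box authorisation test (constructed example)."""

# Documented access matrix of the kind a grey-box client would hand over:
# endpoint -> roles that should be allowed. Constructed sample data.
EXPECTED = {
    "GET /api/profile":        {"user", "support", "admin"},
    "GET /api/tickets":        {"support", "admin"},
    "POST /api/users/disable": {"admin"},
}


def app_under_test(role, endpoint):
    """In-memory stand-in for the target; returns an HTTP-style status code.

    It deliberately contains one authorisation defect (hypothetical) so the
    checker has something to report: the 'support' role can disable users.
    """
    allowed = set(EXPECTED[endpoint])
    if endpoint == "POST /api/users/disable":
        allowed.add("support")  # seeded defect, only reachable with support creds
    return 200 if role in allowed else 403


def check_access_matrix(send, expected, roles):
    """Call every endpoint as every supplied role and compare with the matrix.

    Returns a list of (role, endpoint, kind) where kind is 'unexpected_allow'
    (privilege escalation / missing check) or 'unexpected_deny' (broken access
    for a role that should work). Coverage is len(roles) * len(expected) calls.
    """
    findings = []
    for endpoint, allowed in expected.items():
        for role in roles:
            status = send(role, endpoint)
            if status == 200 and role not in allowed:
                findings.append((role, endpoint, "unexpected_allow"))
            elif status == 403 and role in allowed:
                findings.append((role, endpoint, "unexpected_deny"))
    return findings


if __name__ == "__main__":
    # Grey-box: credentials for every role were supplied by the client.
    grey = check_access_matrix(app_under_test, EXPECTED, ["user", "support", "admin"])
    # Black-box: the tester only has the account they could self-register.
    black = check_access_matrix(app_under_test, EXPECTED, ["user"])
    print("grey-box findings:", grey)
    print("black-box findings:", black)
```

With only a self-registered account the defect is invisible, because the misconfigured role is never exercised; with every role in hand the same endpoint set yields the finding in one pass.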
Comparison with other models
Black-box simulates an external attacker with no insider knowledge. It is realistic but inefficient: a significant portion of the engagement is consumed by reconnaissance that an experienced tester could skip given context. Black-box is appropriate when the client wants to model a specific attacker scenario or measure the effectiveness of perimeter detection.
White-box gives full access to source code, design documents, and administrator credentials. It produces the deepest review per hour because the tester can read the code that implements a function instead of inferring behaviour from outputs. It is the right choice for new-build assurance and for high-risk components, but is more expensive because of the broader scope.
Related terms
See also: white-box penetration testing, penetration testing, and penetration tester.