Security assessments and penetration testing may be conducted in many ways and take several different approaches. Each assessment or test is catered to the specific need of the client. This post outlines the differences between internal and external testing. It also defines white box, black box, and gray box testing strategies.


Internal vs. External

Internal and external assessments refer to network and application testing. The specific terminology used refers to the source of the attack, whether on the target network directly (i.e., LAN or WiFi connection) or hitting it from the outside (i.e., public facing websites or data connections).

  • Internal assessments test attacks coming from the inside the organization such as a rogue or naive employee.
  • External assessments test attacks coming from outside the organization.


White Box / Black Box / Gray Box

These penetration testing options define the level of knowledge the tester has provided to them before or during an assessment.

White box – Commonly referred to as an authenticated test or clear box testing, white box testing is conducted with full knowledge of your internal structure. Information shared commonly includes IP addresses and hostnames, system configurations, network diagrams, and specific credentials. This is used to test the internal structure of system components. It may also be used to identify access by individuals in the organization.

Black box – Commonly referred to as an unauthenticated test, black box testing is conducted with no knowledge of your internal structure. Information known beforehand is commonly limited to the company name and domain. This technique closely mimics how an attacker would approach the organization. Black box testing is a slower approach to testing as it relies more on trial and error than prior knowledge.

Gray box – This is the area between white and black box testing where the tester has some knowledge of the internals of the system. The amount of knowledge given is defined before the testing starts and typically includes a list of IP addresses or hostnames to target and applications or version numbers to pay specific attention to. This allows the tester to prioritize and focus their efforts on critical systems in the organization.