
Black box, grey box and white box pen test: which type do you choose?

Compare black box, grey box and white box pen tests: cost, depth, NIS2 suitability and which type suits your business.
Image: a pentest consultant discusses the results of a penetration test with a business client in a bright office.

TL;DR: In a black box pen test, the ethical hacker works without any inside information, like a remote attacker would. In a grey box pen test, the tester is given limited information, such as a user account, which allows for deeper testing. In a white box pen test, the tester has full access to source code and documentation. Most Flemish SMEs choose grey box: it offers the best balance between cost, realism and depth.

Your company is having a penetration test performed, but which type fits your situation? The difference between a black box pen test, grey box pen test and white box pen test is in how much information the tester gets upfront. That choice determines the depth, turnaround time and cost of your test. In this article, we compare the three methods and help you make the right choice.

The three types compared per criterion:

Prior knowledge of the tester
  Black box: none (company name and scope only)
  Grey box: limited (user account, network topology)
  White box: full (source code, documentation, admin access)

Simulated threat
  Black box: external attacker
  Grey box: insider or compromised account
  White box: developer or system administrator

Realism
  Black box: very high
  Grey box: high
  White box: lower (the focus is on depth of analysis)

Depth
  Black box: shallow to medium
  Grey box: medium to deep
  White box: very deep (including code analysis)

Lead time
  Black box: longer (much of the time goes into reconnaissance)
  Grey box: shortest (the time goes into exploitation)
  White box: longer (large volume of material to review)

Cost indication
  Black box: €3,000 to €15,000
  Grey box: €3,000 to €12,000
  White box: €5,000 to €20,000+

When to choose
  Black box: external perimeter testing
  Grey box: validation of internal resilience
  White box: business-critical custom software

NIS2 suitability
  Black box: yes (perimeter check)
  Grey box: yes (most often chosen for compliance)
  White box: yes (critical infrastructure)

What is a black box pen test?

In a black box pen test, the ethical hacker gets no inside information about your systems. They start from scratch, just as a real external attacker would. The tester begins with reconnaissance: which systems are visible from the Internet, which services are running on them, and where are the possible entry points?

The big advantage is realism. You discover exactly how vulnerable your organization is to an opportunistic outside attack. The downside: if perimeter security holds up, internal vulnerabilities remain undiscovered. Moreover, a significant portion of the testing budget goes into the reconnaissance phase, leaving less time for actual exploitation. A black box test is ideal as an initial perimeter check, but insufficient as a sole test. Also read what the difference is between a pen test and a vulnerability scan.

What is a grey box pen test?

In a grey box pen test, the tester receives limited information: for example, a user account with standard privileges, a high-level overview of the network architecture or a list of IP addresses in scope. This simulates an attacker who has already gained initial access, for example through a successful phishing attack, or an insider such as a disgruntled employee.

Because the time-consuming reconnaissance phase is largely eliminated, the tester can focus directly on what really matters: lateral movement through the network, privilege escalation and weaknesses in business logic. Grey box testing offers deeper insight than black box without the added cost of a full white box audit. In the Belgian market, it is by far the most commonly chosen method for annual pen testing.

What is a white box pen test?

In a white box pen test, also known as crystal box or clear box, the tester is given full access to source code, network diagrams, configuration files and administrator accounts. The goal is not to simulate a realistic attack, but to thoroughly analyze systems from the inside for structural weaknesses and logical flaws.

White box testing is the most thorough method. The tester performs static code analysis and identifies complex vulnerabilities that would remain invisible from an external perspective. This makes the method particularly valuable for mission-critical custom software and DevSecOps projects. The downside: costs are higher because of the intensive manual analysis, and realism is more limited because real attackers rarely have that much information.

What type of pen test do you choose?

The choice depends on your specific situation and objective. Use this decision tree as a guide:

Choose black box if you want to know how vulnerable your organization is to an external attack. This is the right choice for an initial perimeter check or when you want to validate your external attack surface.

Choose grey box if you want to test internal resilience, such as against ransomware or a compromised account. This is the preferred method for annual pen testing, NIS2 compliance and testing Web applications or APIs. Most SMEs in Belgium choose this option.

Choose white box if you want to have business-critical custom software or a new application thoroughly vetted. This is the right choice for secure development projects, complex integrations or when every possible vulnerability must be eliminated.

Combine multiple types for the most complete picture. Start with a black box test on the external perimeter, followed by a grey box test on the internal network. Add a white box review for your most important applications. Also check out our guide on choosing a pen testing company and learn more about what a pen test costs in Belgium.

Which pentest type complies with NIS2?

The Belgian NIS2 law requires essential and important entities to take "appropriate and proportionate" measures to manage their cyber risks. Penetration testing is a concrete tool to validate the effectiveness of those measures. But which type is sufficient?

The short answer: all three types are appropriate, depending on your risk profile. At the Important and Essential levels, the CCB's CyberFundamentals (CyFun) framework requires that you identify and remediate vulnerabilities in a structured way. A grey box pen test is the most common tool for this: it demonstrates that your defenses hold up against a realistic threat scenario, including internal attack paths.

More stringent requirements apply to organizations covered by DORA (financial sector). DORA requires threat-led penetration testing (TLPT) for designated financial entities at least every three years: an advanced, intelligence-led red team exercise run against live production systems, in which the organization's own defenders are not told that a test is under way.

Unsure which type fits your NIS2 obligations? Then read about how often you should have a pen test performed.

Frequently asked questions about pentest types

Which type of pen test is the cheapest?

A grey box pen test typically offers the best value for money. Because the tester does not have to invest in extensive reconnaissance (as with black box) and does not perform full code analysis (as with white box), the turnaround time is shorter and the cost more predictable. Expect a market range of €3,000 to €12,000 depending on the scope.

Can I combine multiple pentest types?

Yes, and this is even recommended in a full security project. A common approach is a black box test on the external perimeter combined with a grey box test on the internal network. This way you cover both the outside and inside of your security.

Which type does Cyberplan most often recommend?

For most Flemish SMEs, our pentesters recommend a grey box pentest. It offers the best balance between realism and depth. For business-critical custom software, we recommend a white box review, and for an initial security assessment, we often start with a black box perimeter check.

Does NIS2 require a specific type of pen test?

NIS2 does not prescribe a specific type, but it does require you to demonstrably test the effectiveness of your security measures. The CCB's CyFun framework expects a thorough vulnerability analysis at the higher levels. A grey box pen test with reporting mapped to the CyFun controls is the most commonly used approach for this.

What is the difference between a pen test and a vulnerability scan?

A vulnerability scan is an automated check that identifies known vulnerabilities. A pen test goes further: an ethical hacker actually tries to exploit vulnerabilities and combines vulnerabilities into a realistic attack scenario. Read the full comparison.

Not sure which type suits your situation? Our OSCP-certified pentesters will be happy to advise you. Book a no-obligation introduction or view our pentesting services.