As ethical (white hat) hackers, we emulate an attacker, using similar techniques to perform reconnaissance, identify vulnerabilities, and break into your systems. Unlike an attacker, however, we stop our test before exposing sensitive data or doing harm to your environment. In a Gray Box Penetration Test, we have user-level knowledge of, and access to, a system. A Gray Box Penetration Test is typically used when you want to test an insider threat or an application that supports multiple users. Insider threat testing shows what damage a user (non-administrator) could do to your environment. Application testing exercises authenticated user access to ensure that a user of an application cannot access another user’s data or escalate privileges.
A Gray Box Penetration Test is commonly used in the following two scenarios: