What are closed box and open box tests?

A closed box test (formerly black box test) is typically defined as a test where the penetration testers do not receive more information than attackers without internal knowledge would have. The idea is to find out how far potential attackers can get without any internal information.

In contrast, an open box test (formerly white box test) means that knowledge about the systems to be tested is provided in full (such as network diagrams or source code of web applications). Additionally, it may involve providing permissions, such as a user account similar to those owned by employees in the corporate network, or access credentials for a web application similar to those owned by regular customers.

When only partial information is disclosed, it is often referred to as a grey box test. These different forms of penetration tests only differ in the evidence provided during the test that attackers can independently obtain certain information. An explanation of the information required by RedTeam Pentesting can be found in this FAQ.