Don’t Be a Victim: Find your weaknesses before the criminals do. PEN Consultants can help!

White Box Approach

A white box approach to testing requires full knowledge and access: 

  • We know everything you know
  • Have access to everything you have access to

Like any reputable firm, we are always going to recommend a white box approach. We still offer black box testing as an option, but you may receive a significantly lower ROI by paying for more hours of reconnaissance and enumeration than necessary.

White box is always going to be a better value. There’s nothing that black box can provide that white box cannot: no tests are skipped, and all tests are still performed. We’ve calculated white box to be ~20x more thorough than black box in terms of the number and thoroughness of tests that can be performed in the same amount of time, which translates to cost as well. Black box can take twice as long or longer, cost twice as much or more, and is far less thorough.

However, white box requires more preparation and setup on the client side.

Requirements for a white box approach (as applicable) and the associated increase in time/costs if they are not provided:

  • All:
    • Configuring firewalls, WAFs, VLANs, EDRs, etc. to allow unmitigated testing from a whitelisted IP (Note: we will also test from non-whitelisted IPs): +45%
    • Testing credentials/accounts for each role
      • standard user
        • Net: +25%
        • Web: +50%
      • administrator: +15%
        • Net: domain admin. Note: For testing limited to external systems, user credentials are sufficient, provided client administrators are available to run necessary commands under domain admin; this reduces the increase to 10%.
        • Web: application admin
    • IP ranges and domains - the testing scope
      • Net: +20%
      • Web: Must have
    • Password and lockout policies: +15%
    • DNS exports: +10%
    • Architecture diagrams: +5%
    • Log/SIEM access – especially important for web app testing, or if a goal is to validate detection capabilities
      • Net: optional
      • Web: +10%
    • Anything else that could reasonably be gathered by an attacker (given enough time)
  • Network testing:
    • Importing our internal testing VM, which we call a dropbox
      • Required use of client Windows VDI: +80 hours
      • Required use of client Linux host: +12 hours
    • Remote access to an internal workstation: +15%
    • Email account(s): +10%
  • Web/app testing:
    • Source code - web app, mobile app, etc.: +25%
    • Backend privileged access to servers (ex. via SSH): +20%
    • Access to cloud infrastructure (ex. AWS console and API access): +5%
  • Additional benefits
    • Syncs with the red team (during a purple team approach)
    • Red team knows what blue knows and has been granted access to everything blue has access to

More information about white box vs black box can be found here: https://penconsultants.com/graybox

*The above is a general list of typical items and the testing they apply to. Specifics may vary based on your unique environment.
