Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Three engagement types, ordered by how much knowledge the tester is given. Black-box: the tester has only what an external attacker would have (a URL). Grey-box: the tester has limited internal information (user credentials, network diagrams). White-box: the tester has source code, architecture, and internal docs. White-box finds more bugs faster because no time is spent on discovery; black-box is the most realistic picture of external exposure; grey-box is the typical commercial engagement.
Choosing: 'We want to know what an external attacker would find in 5 days' → black-box. 'We want maximum coverage in 5 days' → white-box. 'We want both realistic and broad' → grey-box (some white-box information up front, some black-box discovery).
Use these three in order. Each builds on the one before.
In one paragraph, contrast black/grey/white-box pentesting.
Walk me through choosing engagement type for a specific product.
Design a multi-phase engagement combining all three approaches.