Black box assessments are the most common form of network penetration assessment and are most typical among external network penetration tests and social engineering penetration tests. In a black box assessment, the testers are given very little or no information about the networks or systems they are testing. This particular form of testing is inefficient for most types of web application testing because of the need for credentials in order to test for authenticated vulnerabilities, such as lateral and vertical privilege escalation.

In situations where black box testing is not suitable, there's another approach that exists between white and black box; this is known as gray box.