Penetration testing

A penetration test (pentest) is an assessment type that is usually centered around a research question stemming from a specific security concern. Quite often this question is "To what extent can a threat actor penetrate our organization?".

Various techniques and tactics are deployed in a short timespan to provide a solid answer to this question. Vulnerabilities identified and exploited in the course of this process are outlined in a report that focuses on the (technical) impact to your organization.

There are several types of pentests, and the term "scope" refers to the specific assets (e.g., applications, internal and/or external network ranges) that need to be tested to achieve the agreed-upon objectives. The differences between the types are mainly related to the (technical) information provided in advance. Unfortunately, no unambiguous definitions are applied in the industry. We use the following definitions:

Black box pentest

Without (provided) credentials and/or technical information (e.g., documentation).

Grey box pentest

With credentials for one or more user roles and/or technical information (e.g., documentation).

A scenario-based pentest in which login credentials are assumed to have already been obtained (an assumed-breach scenario), for example through a successful social engineering attack such as phishing, also qualifies as a grey box perspective.

White box pentest

With access to configuration and/or source code to support the assessment. Usually combined with credentials for one or more user roles and/or detailed (design) documentation.


Why you should pentest

A pentest provides valuable insights into the security posture, improvement opportunities, technical imperfections and risks. However, the increase in security remains dependent on the follow-up of the results. The gain is usually the highest when there is intrinsic motivation. A mature information security policy includes periodic security testing.

In addition, security testing may be a contractual obligation or mandated by applicable laws and regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to websites that independently process credit card data.