During scoping for penetration tests, customers often say that they want us to perform the engagement exactly as a bad actor would, with no collaboration from the customer’s IT or security teams and no access to inside information. This is known as a black box penetration test, a methodology we often advise against.
On the surface, this feels counterintuitive. If attackers have zero insider knowledge, wouldn’t we want to simulate the exact same conditions during a penetration test? Yes, however there are two key components to take into account: time and money. A black hat hacker has an unlimited amount of time to devote to breaching an organization. That same organization, on the other hand, generally needs to have a penetration test performed in a 2-4 week time period, as a highly credentialed security consultant can get expensive very quickly. Carve’s white-box approach to penetration testing helps a security consultant get more coverage across your environment in a shorter period of time than a bad actor with unlimited time….