
Overview

Black box testing examines your application without any knowledge of its internal systems — simulating an external attacker’s perspective. CodeAnt’s black-box pentest is zero-traffic: it discovers your public internet surface through passive intelligence (certificate transparency logs, DNS, and infrastructure fingerprinting) rather than sending active attack traffic, then reports the exposure an outside adversary would find.

Key Features

  • External attacker simulation: No credentials, no source code — only what’s reachable from the public internet.
  • Zero-traffic reconnaissance: Passive intelligence gathering keeps the scan non-intrusive.
  • Domain-scoped: Runs only against domains your organization owns and has verified.
  • Attack surface mapping: Surfaces subdomains, exposed services, technologies, and cloud infrastructure.
  • Severity-ranked findings: Each finding is classified critical / high / medium / low with reproduction detail and a live status.

How It Works

1. Start a request
   Open the Pentesting page and provide your contact details (name, email, organization), then choose Black Box Testing as the testing type.
2. Add and verify domains
   Add each domain you want tested. Every domain must be verified so CodeAnt knows you have permission to scan it (see Domain verification below). You can add specific areas of concern, for example authentication, data encryption, or API security, in the Specific Security Concerns field.
3. Submit and wait
   Submit the request. The pentest runs in the background, usually a few hours and up to 48 hours. You can leave the page; the report will be waiting when you return.
4. Review the report
   Open the completed report to walk through discovery, attack surface, infrastructure, and the detailed findings.

Domain verification

Because a pentest targets live systems, CodeAnt only scans domains your organization has proven it owns. Verify each domain using one of:
  • DNS record — add the provided CNAME or TXT record to your DNS.
  • File hosting — host the provided verification file on the domain.
Domains that match your login email address are auto-verified. Verifying an apex domain also covers its subdomains.

Reading the report

A completed black-box report is organized into sections:
  • Discovery: Reconnaissance phases (certificate-transparency log mining, DNS resolution, and infrastructure fingerprinting), all gathered passively.
  • Attack Surface: Categorized, severity-ranked exposure discovered from the outside.
  • Infrastructure: Detected technology stack and cloud providers.
  • Email Security: Your email security posture and grade.
  • Findings: Detailed vulnerabilities with severity, live status (open / reopened / fixed / unverified), reproduction steps, evidence, and impact.
After remediating, you can reverify findings to confirm the fix; CodeAnt tracks the verification history for each one.
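The Discovery section above and the scoping rule under Domain verification (a verified apex covers its subdomains) can be checked locally before you submit. The following is an added example, not CodeAnt's own code or a description of how its scanner is implemented: it parses a constructed sample in the JSON shape that crt.sh returns for a certificate-transparency query (the field names id, issuer_name and name_value are assumed from that service; the records themselves are made up), deduplicates and normalizes the names it finds, and then splits them into in-scope and out-of-scope hosts against the list of domains you have verified. It also shows the classic scoping bug, a bare suffix match, which would wrongly treat notexample.com as part of example.com.

```python
import json
import re

# Constructed sample: four records in the shape crt.sh returns for a query like
# https://crt.sh/?q=%25.example.com&output=json (assumption: fields id,
# issuer_name, name_value; name_value holds newline-separated SAN entries).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt",
     "name_value": "*.staging.example.com\nstaging.example.com"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt",
     "name_value": "API.Example.com"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt",
     "name_value": "notexample.com\nexample.com.evil.test"},
])

# Two or more DNS labels, each 1-63 chars of [a-z0-9-], not starting or ending with '-'.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_hostname(name):
    """Lower-case, strip a trailing dot and a leading wildcard label.
    Returns None for anything that is not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # *.staging.example.com -> staging.example.com
    return name if HOSTNAME_RE.match(name) else None


def parse_ct_names(ct_json):
    """Collect the unique, normalized hostnames from CT-log JSON records."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            host = normalize_hostname(raw)
            if host:
                names.add(host)
    return names


def naive_suffix_match(host, apex):
    """The bug to avoid: a plain suffix test accepts notexample.com for example.com."""
    return host.lower().endswith(apex.lower())


def in_scope(host, verified_domains):
    """A host is in scope if it equals a verified apex or is a subdomain of one.
    The '.' + apex comparison is what prevents the suffix false positive."""
    host = normalize_hostname(host)
    if host is None:
        return False
    for apex in verified_domains:
        apex = apex.lower().rstrip(".")
        if host == apex or host.endswith("." + apex):
            return True
    return False


def filter_scope(names, verified_domains):
    """Split discovered names into (in_scope, out_of_scope), both sorted."""
    inside, outside = set(), set()
    for name in names:
        (inside if in_scope(name, verified_domains) else outside).add(name)
    return sorted(inside), sorted(outside)


if __name__ == "__main__":
    discovered = parse_ct_names(SAMPLE_CT_JSON)
    inside, outside = filter_scope(discovered, ["example.com"])
    print("in scope:    ", inside)
    print("out of scope:", outside)
```

Anything that lands in the out-of-scope list is either a lookalike domain you do not own (worth noting as a phishing or typosquat risk) or a domain you have not verified yet; in the second case, verify it before submitting so the report covers it.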

Credits

Your first pentest is free. Additional runs cost 1 credit each. In a locked report, critical and high findings have their evidence, targets, and impact hidden — spend 1 credit to unlock every locked finding permanently. Medium and low findings are always visible.

When to use black box testing

Black box testing is the fastest way to answer “what can an attacker find and reach with no inside knowledge?” — with no setup beyond verifying your domains. For deeper, source-aware coverage, pair it with White Box Testing (AI Exploitation), or guide the scan with inside context using the Gray Box approach.