Overview
Penetration testing puts your application in an attacker’s shoes — probing it the way a real adversary would to surface the vulnerabilities that matter before they reach production. CodeAnt AI offers penetration testing across the three classic methodologies, distinguished by how much the tester knows about your systems going in.
Black Box
No internal knowledge. Simulates an external attacker probing your public internet surface.
Gray Box
Partial knowledge — credentials, architecture notes, or scoped context. A private, scoped engagement with our team.
White Box
Full internal knowledge, including source code. The most comprehensive coverage.
How the methodologies map to CodeAnt
| Methodology | What it simulates | In CodeAnt |
|---|---|---|
| Black box | An outside attacker with no inside knowledge | The Pentesting feature — domain-scoped, zero-traffic external reconnaissance |
| Gray box | A user or partner with partial access | A private, scoped engagement with the CodeAnt security team — contact us |
| White box | An insider, or full source-code review | AI Exploitation — AI agents read your code and chain vulnerabilities into real attack paths |
Credits
Your first pentest is free to run. After that, each run uses 1 credit, and a credit also permanently unlocks the full critical and high-severity findings of an existing report. Medium and low findings are always visible. Credits expire one year after your most recent purchase.
Black box pentests only target domains your organization owns and has verified. Verification proves you have permission to scan them. See Black Box Testing for how verification works.
Choosing an approach
- Start with black box to see what an external attacker can discover and reach with zero prior knowledge — no setup beyond verifying your domains.
- Use white box (AI Exploitation) for depth on your most sensitive repositories, where reading the source uncovers exploitable paths that black-box probing can’t reach.
- Ask about gray box when you want an insider-style test focused by shared context — for example, a specific authentication flow or partner API. It’s a private engagement; contact us to scope one.