> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeant.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Penetration Testing

> Black box, gray box, and white box penetration testing with CodeAnt AI.

## Overview

Penetration testing puts your application in an attacker's shoes - probing it the way a real
adversary would to surface the vulnerabilities that matter before they reach production. CodeAnt AI
offers penetration testing across the three classic methodologies, distinguished by **how much the
tester knows about your systems going in**.

<CardGroup cols={3}>
  <Card title="Black Box" icon="user-secret" href="/pentesting/black_box">
    No internal knowledge. Simulates an external attacker probing your public internet surface.
  </Card>

  <Card title="Gray Box" icon="circle-half-stroke" href="/pentesting/gray_box">
    Partial knowledge - credentials, architecture notes, or scoped context. A private, scoped
    engagement with our team.
  </Card>

  <Card title="White Box" icon="box-open" href="/pentesting/white_box">
    Full internal knowledge, including source code. The most comprehensive coverage.
  </Card>
</CardGroup>

## How the methodologies map to CodeAnt

| Methodology   | What it simulates                            | In CodeAnt                                                                                                |
| ------------- | -------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| **Black box** | An outside attacker with no inside knowledge | The **Pentesting** feature - domain-scoped, zero-traffic external reconnaissance                          |
| **Gray box**  | A user or partner with partial access        | A **private, scoped engagement** with the CodeAnt security team - [contact us](mailto:support@codeant.ai) |
| **White box** | An insider, or full source-code review       | **AI Exploitation** - AI agents read your code and chain vulnerabilities into real attack paths           |

## Credits

Your **first pentest is free to run**. After that, each run uses **1 credit**, and a credit also
permanently unlocks the full critical and high-severity findings of an existing report. Medium and
low findings are always visible. Credits expire one year after your most recent purchase.

<Note>
  Black box pentests only target domains your organization owns and has verified. This proves you have
  permission to scan them. See [Black Box Testing](/pentesting/black_box) for how verification works.
</Note>

## Choosing an approach

* **Start with black box** to see what an external attacker can discover and reach with zero prior
  knowledge - no setup beyond verifying your domains.
* **Use white box (AI Exploitation)** for depth on your most sensitive repositories, where reading
  the source uncovers exploitable paths that black-box probing can't reach.
* **Ask about gray box** when you want an insider-style test focused by shared context - for example,
  a specific authentication flow or partner API. It's a private engagement; [contact
  us](mailto:support@codeant.ai) to scope one.
