Black box vs white box vs grey box testing

Black box, white box, and grey box describe how much of the internal code a tester can see. Each view finds a different class of problem.

By Quality AboveAll · June 20, 2026 · 7 min read

Close-up of code on a screen during a debugging session
TL;DR

Black box tests behaviour without seeing code, white box tests the code itself, and grey box mixes both for practical coverage.

The one thing that separates them

All three are testing techniques. The difference is visibility: how much the tester knows about the internal structure of the software.

  • Black box: the tester sees inputs and outputs only, not the code.
  • White box: the tester sees the source code and internal logic.
  • Grey box: the tester sees some internals, such as the database schema or an API contract, but not all the code.

Black box testing

In black box testing, you treat the software as a sealed unit. You give it an input, observe the output, and check it against the expected result. You do not care how the code works inside, only whether the behaviour is correct.

This matches how a real user experiences the product, which makes it strong for functional and acceptance testing. It is the natural style for manual testing and for exploratory and UAT sessions. The limit is that a black box test can miss dead code or an untested internal branch, because you cannot see the paths you never triggered.

White box testing

White box testing opens the code. The tester designs cases based on the actual logic: every branch, loop, and condition. The goal is coverage of the internal paths, not just the visible behaviour.

This is where unit tests and code-level checks live. It catches logic errors, unreachable code, and untested conditions that a black box view would never reach. The trade-off is that it needs programming skill and time, and a passing white box suite still does not prove the feature solves the user problem.

White box proves the code runs every path. Black box proves the product does the right thing. You usually want both.

Grey box testing

Grey box sits in the middle. The tester knows some internal detail, enough to design smarter tests, but still checks behaviour from the outside. A common case is API and contract testing, where you know the request and response shape and the data model, but you test the endpoint as a service.

Grey box is efficient because partial knowledge lets you target risky areas without reading every line. It is a practical default for integration-level work.

A concrete example

Take a login form. A black box test enters a valid and an invalid password and checks the result. A white box test inspects the authentication function and writes cases for each branch, including the lockout counter and the null-password path. A grey box test knows the API returns a token and a user role, so it checks that a failed login never returns a valid token.

  • Choose black box for user-facing behaviour and acceptance.
  • Choose white box for logic-heavy modules and unit coverage.
  • Choose grey box for APIs, integrations, and data-aware checks.

One honest caveat: no single technique is complete. High code coverage does not guarantee correct behaviour, and passing black box cases does not guarantee clean internals. Frameworks such as Playwright and Selenium support black and grey box work, while the ISTQB glossary defines the terms precisely.

At Quality AboveAll, senior testers pick the technique that fits the risk, not the one that fills a report. If you want help mapping the right mix for your product, book a free 30-minute testing audit.

Senior-led QA,embedded in your workflow.

Often less than one full-time hire. Book a free 30-minute testing audit and we'll show you exactly where the risk is hiding.

Let’s Talk
Quick question or project brief, we respond within 24 h.
Message sent! We’ll be in touch shortly.