Security Assessment Approaches

Effectively securing an organization’s information assets must at some stage entail active testing of the security measures deployed, in order to practically validate assumptions about the efficacy of these solutions.


To assist organizations in identifying, managing and mitigating information security vulnerabilities and threats, SensePost offer three primary approaches to assessments.

spot-check

This is a one-off, short engagement, designed to quickly give an organization a snapshot of its security posture. Normally this type of assessment is a precursor to a full-blown assessment.

black-box

This approach is taken to demonstrate the vulnerability status of an organization as seen through the eyes of an anonymous attacker. The security analyst is given minimal prior knowledge of the target, and the objective is to find and exploit as many vulnerabilities as possible.

The downside to this approach is that the analyst is constrained by the time available for the project, a restriction that does not apply to a real-life attacker.

To offset this restriction, SensePost recommend a 'grey-box' approach, which requires the organization to be an active participant in the assessment process. A fair amount of prior knowledge is shared with the analyst so that time is spent on the real security issues rather than on organizational reconnaissance.

high-assurance

As the name suggests, this assessment aims to give the organization the highest level of security assurance for the environment or application assessed.

This approach is typically used for mission-critical applications and comprises a black-box or grey-box assessment combined with a source code review, or a review of system architecture and policy configurations.


Copyright © SensePost Pty Ltd