Test types by knowledge:
Black box (no prior knowledge — simulates external attacker),
White box (full access — most thorough),
Gray box (partial knowledge — balanced).
By scope: network, web app, social engineering, physical, mobile, cloud, red team.
Black box: most realistic, time-consuming, may miss internal vulnerabilities.
White box: most efficient, highest coverage, requires trust.
Gray box: best balance for most engagements.
Red team: goals-based, long duration, tests people/process/technology together.
Match test type to client's security maturity and objectives.