IT security audits may be characterized by how much information the testers and the administrators of the systems in scope have when the tests are carried out. In the black-box approach, the testers have no knowledge of the systems to be tested prior to the audit. The objective is to assess vulnerabilities and to exploit them, simulating the perspective of a hacker who starts from scratch. This view reflects the definition of the BSI (M 5.150). In contrast, the OSSTMM equates the black-box test with a “double blind” test.