IT security audits may be characterized according to the degree of information the testers and the administrators of the systems in scope have when the tests are carried out. The objective of the white-box test is to simulate an attack with insider information. The testers obtain all information of the systems to be audited in detail. This view reflects the definition of the BSI (M 5.150). In contrast, the OSSTMM equates the white-box test with a “double gray box” test (see also grey box).