Black-Box Penetration testing

daiva
Tera Guru

Hello Everyone,

What is Black-Box Penetration Testing and how do we do it in ServiceNow without any third-party app?
Can we do it more than once a year? Because White-Box Penetration Testing is limited to once a year.
I appreciate your help. Thank you in advance.

Thanks,
Daiva


Mark Manders
Mega Patron

Definition:

Black-Box Penetration Testing, often referred to as Black-Box Testing, is a cyber-security practice intended to simulate real-world attacks on networks, software, or systems.

- In this technique, the testers, often called security experts or ethical hackers, have no insight into the code, architecture, or system design.
- They enter the scenario as unauthorized, external users, just like an outsider attempting to breach security.
- The black-box pen test is a closed-box or external penetration test.


Characteristics:

  1. Independent Test: Black box testing is usually conducted by testers who operate independently of the development team. This guarantees an unbiased perspective and detects glitches developers might miss.
  2. Requirements-Driven Test: Testers design test cases based on the software’s specifications without delving into the intricacies of how the code is executed.
  3. Functional Evaluation: It aims to confirm whether the software aligns with projected behavior and yields the desired outcomes for multiple inputs.
  4. Absence of Internal Code Knowledge: QAs cannot access the software’s source code, design specifics, or architectural details. Their interactions with the system are solely through its UIs or APIs.

More info: https://www.browserstack.com/guide/black-box-penetration-testing


And for your questions: you can do it yourself, if you have the knowledge to do it in-house (just always do it on a non-prod instance and make sure ServiceNow is informed about it). About the frequency, I'm not sure. You could reach out to your sales rep to find out what the policy is on that.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark