Specify Pentest Details

Describe key details of your Pentest.

Some detail requirements vary by the type of asset.

Our pentests have common requirements for all assets, as well as requirements for specific assets.

Pentest requirements for Web and API assets are identical. However, tests of a Web asset include tests of APIs used to populate content on that asset.

Pentest Details

The Details page of the pentest wizard requests information about:

  • The target environment
  • For cloud providers, if you need their authorization

Common Pentest Requirements

Our pentests share the characteristics listed in this section:

Network Information

Our pentesters send requests from one or more of IP addresses on a Virtual Private Network. We’ll share these addresses when you create an actual pentest.

Environment

We need to know the environment of the pentest asset. The standard options are:

  • Production (Serves end users)
  • Staging (Proposed future production environment)
  • Development (App in work; may not be fully tested)

If you define your environment differently, let us know. Add that information in comments.

Target Environment

Controls

Tell us about how you’ve regulated access to your systems. For example, administrators may set up firewall rules that limit access to specified traffic to reduce the risk of Denial-of-Service attacks.

You could use systems like:

  • Web-Application Firewalls (WAF)
  • IP-based restrictions using allowlists/denylists, or services like iptables.

Rate Controls

If you do have rate controls, include details. For example, you might include details such as:

  • Limit ping messages (ICMP) to 2/second

Cloud Platform Components

If part of your asset resides in the cloud, you may not need a separate cloud asset test. As described in this question, if your asset includes “systems” installed on a cloud, you can include the platform and system name in the text box.

Cloud Platform Details

In some cases, you may need to inform your Cloud provider about tests. For guidance, see our page on Cloud Methodologies.

Additional Guidelines

You may have already addressed these questions when setting up Special Instructions when defining pentest objectives.

You’re welcome to add more information here.

Test Data

Our pentesters need to know about the environment that they’re testing, as well as whether they can find production data on the test system.

Our pentesters also need information on test data. If your apps contain:

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Credit-card holder data (CHD)

Our pentesters take extra care to protect that information.

Some apps support the use of credit cards for purchases. If you provide test credit card numbers, you can share that information in the instructions or in the “Kickoff call.”

Now that you’ve filled in the details, you can start planning the actual pentest.


Last modified November.11.2021