Penetration Testing Quote Request

Company Contact Details

Please enter your company and contact details below. Once we've received your enquiry we will contact you with 24 to 48 business hours to collect any additional information if required and provide you with a quote to meet your penetration testing requirements.

Penetration Test Scoping ChecklistDetails below are optional,
we will contact you to confirm scoping details.

The following checklist is intended to gather the information required to scope a Penetration Test of infrastructure and/or applications. Should you have any questions in regards to any of the questions below, give us a call on 1800 816 044 or email


Is PCI DSS the driver for this Penetration Test?

(Specific testing is required for PCI DSS compliance)

Penetration Test or Vulnerability Assessment

A Vulnerability Assessment involves the identification of potential vulnerabilities in systems and applications using both automated tools and manual testing.

A Penetration Test starts with a Vulnerability Assessment but also includes validation of vulnerabilities by attempting to exploit them with further manual testing.

Penetration Testing provides a more thorough test of systems and applications. (For PCI DSS compliance – Annual Internal and External Penetration Testing is required as well as quarterly Internal Vulnerability Scanning and quarterly ASV (external) scanning.)

Application or Infrastructure

Is testing to be performed against infrastructure, applications or both?

Both will provide the highest level of security validation. (For PCI DSS compliance – Both are required)

Internal or External

Is testing to be performed against external systems which are internet accessible or internal ­systems and applications on your internal network (accessed via a VPN or on-site)

(For PCI DSS compliance – Both are required)

Internal Segmentation

Validation of the effectiveness of internal network segmentation on internal firewall(s), where the internal network has multiple segments.

(For PCI DSS compliance – This is required if segmentation in place to reduce PCI scope.)

Black Box or White Box

A Black Box test is performed with no information regarding the environment provided, other than URLs and IP ranges.

For White Box testing, details of the environment such as Network diagram, OS types, applications and logon details are provided.

(For PCI DSS compliance – White Box is required.)

Social Engineering

Are Social Engineering tests required?

Social engineering is attempting to exploit people to gain access to systems and applications.

(Not required for PCI DSS)

Denial of Service

Are Denial of Service tests required?

Generally "No" as DOS testing can impact systems, website performance and availability

Client Requirements

Do you have any constraints for start and/or completion dates?

Outside of working hours

Do you have a requirement that testing be performed outside normal working hours?

Vulnerability Assessment and Penetration testing will not normally impact website performance or availability.

Reporting Format

Do you have any specific reporting requirements?


Is there to be an allowance made for re­testing of the system after remediation?

(Generally "Yes" for PCI DSS)

Internal Testing Access

If Internal testing is required, will access be provided via a VPN or is testing to be performed on­site?

Scale - Ranges

What range of IP addresses are required to be tested?

Scale - Hosts

How many hosts or devices are to be tested?

(For PCI DSS compliance - all elements of the CDE to be covered so count all internet facing elements and all network security zones in the CDE. Count separately by external addresses and internal devices and network zones.)

Applications in scope

Please list below the applications that are in scope for testing. For PCI DSS compliance, all applications that store, transmit or process cardholder data are in scope. Applications that access systems or databases storing cardholder data should also be tested. See the glossary below the applications forms for details of the different form areas.

Glossary of Applications Form Terms
Application Name
Application name as it is known in your organisation. This may be a commercial name.
For browser based applications, the URL that is used to access the application.
For non browser based applications, type of application. (eg. Mainframe 3270 application)
What functions are performed by the application. (eg. Reservation bookings and payments)
Internet Facing / Internal
Is the application accessible from the internet, or only accessible to internal users. (VPN users are considered internal)
Authenticated / Unauthenticated
Authenticated - Access credentials (userids and passwords for various levels) will be provided. (Required for PCI DSS). Unauthenticated - Access credentials will not be provided.
Commercial / Custom
Is this a commercial application, or one custom developed for your organisation.
OS and Language
What operating system is the application running on. What language is the application written in. (if known)
Size - No. Pages
How many pages are there in the application. (approximate number)
Size - Input Field
How many input fields are there in the application. (approximate number). Alternatively are you able to provide remote access credentials to allow our penetration
Submit your request

Please check all the provided information to make sure everything is correct so that our quotation is as accurate as possible. Once your ready to send your request click the button below. If there are any errors on submission you will be required to correct them before the request can be re-submitted.