Penetration Test Scoping Checklist

Our aim is to identify weaknesses in your security system – before hackers do. Taking advantage of security issues is a known way for hackers to attempt to access your systems. Vectra will find these weaknesses to ensure hackers don’t have access to your data.

The following checklist is intended to gather the information required to scope a Penetration Test of infrastructure and/or applications.

Security Notice: This data is securely stored on an internal web server, which is protected by a secure firewall, and monitored by our SOC. It is only accessible by approved Vectra staff members.

Penetration Testing Quote

Organisation Name *

First Name *

Last Name *

Contact Telephone *

Contact Email *

Requirement

Driver *

Is PCI DSS the driver for this Penetration Test? (Specific testing is required for PCI DSS compliance)

Testing

Penetration Test or Vulnerability Assessment *

A Vulnerability Assessment involves the identification of potential vulnerabilities in systems and applications using both automated tools and manual testing. A Penetration Test starts with a Vulnerability Assessment but also includes validation of vulnerabilities by attempting to exploit them with further manual testing. Penetration Testing provides a more thorough test of systems and applications. (For PCI DSS compliance – Annual Internal and External Penetration Testing is required as well as quarterly Internal Vulnerability Scanning and quarterly ASV (external) scanning.)

Application or Infrastructure *

Is testing to be performed against infrastructure, applications or both? Both will provide the highest level of security validation. (For PCI DSS compliance – Both are required)

Internal or External *

Is testing to be performed against external systems which are internet accessible or internal systems and applications on your internal network (accessed via a VPN or on-site) (For PCI DSS compliance – Both are required)

Internal Segmentation *

Validation of the effectiveness of internal network segmentation on internal firewall(s), where the internal network has multiple segments. (For PCI DSS compliance – This is required if segmentation in place to reduce PCI scope.)

Black Box or White Box *

A Black Box test is performed with no information regarding the environment provided, other than URLs and IP ranges. For White Box testing, details of the environment such as Network diagram, OS types, applications and logon details are provided. (For PCI DSS compliance – White Box is required.) (For PCI DSS compliance – This is required if segmentation in place to reduce PCI scope.)

Social Engineering *

Are Social Engineering tests required? Social engineering is attempting to exploit people to gain access to systems and applications. (Not required for PCI DSS)

Denial of Service *

Are Denial of Service tests required? Generally 'No' as DOS testing can impact systems, website performance and availability

Client Requirements

Scheduling

Do you have any constraints for start and/or completion dates?

Outside of working hours *

Do you have a requirement that testing be performed outside normal working hours? Vulnerability Assessment and Penetration testing will not normally impact website performance or availability.

Reporting

Re-testing *

Is there to be an allowance made for retesting of the system after remediation? (Generally "Yes" for PCI DSS)

Infrastructure

Internal Testing Access

If Internal testing is required, will access be provided via a VPN or is testing to be performed onsite?

Scale - Ranges

What range of IP addresses are required to be tested?

Scale - Hosts

How many hosts or devices are to be tested? (For PCI DSS compliance - all elements of the CDE to be covered so count all internet facing elements and all network security zones in the CDE. Count separately by external addresses and internal devices and network zones.)

Applications in Scope

Please list below the applications that are in scope for testing. For PCI DSS compliance, all applications that store, transmit or process cardholder data are in scope. Applications that access systems or databases storing cardholder data should also be tested. See the glossary below the applications forms for details of the different form areas.

Applications

Application Name

URL or Type if not browser based

Function

Access Type

User Access

Application Type

Operating System and Language

Size - Number of Pages

Size - Input Fields

reCAPTCHA

Add another Application Remove this Application

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Penetration Test Scoping Checklist

Engage a leader in penetration testing to ensure your business is protected against security threats.

Requirement

Testing

Client Requirements

Infrastructure

Applications in Scope

Applications

Summary

Contact Vectra

Penetration Test Scoping Checklist

Engage a leader in penetration testing to ensure your business is protected against security threats.

Requirement

Testing

Client Requirements

Infrastructure

Applications in Scope

Applications

Summary

You might also be interested in:

Contact Vectra