Scoping Questionnaire

    Personal Information

    Name

    Company

    Email

    Phone

    Vulnerability Assessment vs. Penetration Test

    Are you interested in a Vulnerability Assessment or in a Penetration Test? The difference between the two services: A vulnerability assessment identifies all network and/or web application vulnerabilities. A penetration test identifies all network and/or web application vulnerabilities and also actively exploits them in order to gain access, as a malicious hacker would.

    Number of external IP Addresses

    For External Network Level Tests, please specify the number of publicly / Internet-reachable IP addresses. Note: An external IP address is an IP address that is reachable from the Internet (examples: servers, firewalls, load balancers, VPN gateways, IoT devices etc.).

    If not found in the menu above, please enter the number of IPs here

    Number of external Websites / Web Applications

    For External Web Application Tests, please specify the number of publicly / Internet-reachable URLs / websites / portals. Note: This is the number of publicly reachable web apps / domain URLs (such as www.xyz.com, mail.xyz.com, vpn.xyz.com etc.)

    If not found in the menu above, please enter the number of Web Apps / URLs here

    Internal Testing

    Do you require internal testing? Internal assessments are against IP addresses and URLs that are not directly publicly available from the Internet (e.g. private IPs such as 192.168.x.x).

    VPN Access (Internal Testing)

    Do you allow internal testing to be done remotely via VPN access? This eliminates all Travel & expense costs. Alternatively, we can ship a small form factor device to be plugged into your local Network, which allows us to perform Internal Testing remotely. If VPN access is not possible, we will not be able to perform internal testing.

    Number of internal IP Addresses

    For Internal Network Level Tests, please specify the number of internal IP addresses. Note: An internal IP address is an IP address that is not reachable from the Internet (examples: local servers, workstations, local printers and other internal devices).

    If not found in the menu above, please enter the number of IPs here

    Number of internal Websites / Web Applications

    For Internal Web Application Tests, please specify the number of internal websites / portals. Note: This is the number of web apps / domain URLs reachable only internally (such as intranet applications etc.)

    If not found in the menu above, please enter the number of URLs / Web Apps here

    Mobile Application Penetration Testing (Remote)

    Do you require Mobile App Penetration Testing? Please specify the number of mobile applications (example: 1 x iOS app, 1 x Android app). This test covers only the mobile app itself, without backend server(s), API(s) and communication channels.

    If not found in the menu above, please enter the number of Mobile Apps here

    Mobile Application Framework Testing (Remote)

    In addition to the Mobile Application Testing, please specify whether you also want communication channels, backend servers and APIs tested.

    Social Engineering / Phishing / Spear Phishing Testing

    Do you require Social Engineering (Phishing / Spear Phishing) Testing? Please specify the number of user email accounts to be tested and whether you would like the silver package or the gold package.
    Silver Package: 1 phishing mail per user + 1 spear phishing mail per user
    Gold Package: Same as silver package + exploit distribution to compromise endpoint

    Wireless Penetration Testing

    Do you require Wireless Penetration Testing? If yes, we will ship a small form factor device, which will connect back to our server farm so that the tests can be carried out remotely. Please indicate the number of physical locations where you want the local WiFi infrastructure tested. Our packages are per physical location and include up to 5 wireless networks (SSIDs) per site.

    If not found in the menu above, how many locations?

    Was the environment tested before? If yes, please specify when, if possible.

    Is the test being done for compliance reasons? (e.g. PCI, HIPAA etc.)

    Web Application specifics

    If you have chosen web application testing (either Vulnerability Assessment or Penetration Test), would you like the test to be performed in a black-box or grey-box fashion? Black-box: Unauthenticated testing without any user credentials. Grey-box: Authenticated testing with user credentials (for example SaaS, portals etc.)

    How many pages are contained in each of the URLs?

    How many pages within the web application(s) contain data entry fields or user interaction? (e.g. forms, login pages etc.)

    Shared Hosting

    For any Web App / Network testing services: How many systems / applications are hosted with a third-party provider such as Microsoft Azure or Amazon AWS?

    Testing Times and desired project window

    Please specify the testing times as well as the desired time window. For example: The test has to be done between April 1st and April 30th, and testing is only allowed during 9am – 5pm EST.

    Re-testing and recurring options

    Are you interested in a re-test and/or recurring testing options?