External Penetration Test – Scoping Form

Please provide the name of the contact person responsible for the project.
Please provide the email address of the project contact person.
Please provide the full legal company name.
Please specify the desired test period as precisely as possible.
Please specify the exact certification(s).
In a remote test, the testing is performed over the internet from the tester’s own premises. During the test period, the tester is available for questions via phone, email, or Slack.
In an on-site test, the tester works from your premises on your infrastructure and is available on-site for the duration of the project. Selecting “on-site” automatically adds a daily travel allowance.
Black box: Apart from the agreed scope, the tester receives no further information and must independently obtain everything else needed (documentation, accounts, etc.) about the target systems. This most closely simulates an external attacker on the internet; note that the reconnaissance effort this requires counts against the test days.

Gray box: The test is conducted with the help of provided accounts, documentation, and a contact person for questions. This uses the project time more efficiently, as research time is saved and the tester can concentrate on the systems themselves.
A separate test environment is generally recommended, but not mandatory. In production environments, additional precautions are taken to reduce the risk of denial of service (DoS). Depending on the complexity of the infrastructure, reserve days (buffer time) are included; reserve days that are not needed are used as additional test days.
Penetration testing in production environments can always cause unwanted side effects such as availability problems. These are avoided wherever possible. However, if applications in scope are particularly sensitive in terms of availability, please state any restrictions on the test period, such as permitted times of day or days of the week. Please note that restricting testing to weekends or night shifts incurs a surcharge.
Please specify the size of the network to be tested as precisely as possible. IP ranges (IPv4 and IPv6) can be summarized as subnets in CIDR notation (e.g., 192.0.2.0/24). Please also list all domains to be tested. If all subdomains of a domain are in scope, specify a wildcard domain such as *.customer.com. A wildcard covers the subdomains only, so list the apex domain separately if it is to be tested as well, and check that the wildcard does not pull in subdomains pointing to third-party hosting that you are not authorized to have tested.
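To make the scope definition above unambiguous on both sides, it helps to keep it in a machine-readable list and check every target against it before testing. The following is an added example (not part of the form or the provider’s tooling): it parses a scope list in the shape the form asks for (IPv4/IPv6 subnets, single addresses, first-last address ranges, domains and *.wildcard entries), collapses overlapping subnets, reports the resulting network size, and answers whether a given IP address or host name is in scope. The sample scope is constructed from documentation address ranges; `*.customer.com` is the placeholder used on the form itself.

```python
"""Scope checker for an external penetration test (added example, not the form's own tooling)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample scope (documentation ranges, not a real customer).
SAMPLE_SCOPE = """
192.0.2.0/24
192.0.2.128/25             # overlaps the /24 above and is collapsed into it
198.51.100.10-198.51.100.20
2001:db8::/48
203.0.113.7
*.customer.com
customer.com
www.customer.com
"""


@dataclass
class Scope:
    networks: list = field(default_factory=list)   # collapsed ip_network objects
    hosts: set = field(default_factory=set)         # exact host names
    wildcards: set = field(default_factory=set)     # suffixes from *.suffix entries


def _parse_range(entry):
    """Return the subnets covering a 'first-last' address range, or None if not a range."""
    first, sep, last = entry.partition("-")
    if not sep:
        return None
    try:
        lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    except ValueError:
        return None          # a host name such as my-app.customer.com, not a range
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid address range: {entry}")
    return list(ipaddress.summarize_address_range(lo, hi))


def parse_scope(text):
    nets, scope = [], Scope()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not entry:
            continue
        covered = _parse_range(entry)
        if covered is not None:
            nets.extend(covered)
            continue
        if entry.startswith("*."):
            scope.wildcards.add(entry[2:].lower().rstrip("."))
            continue
        try:
            # strict=False accepts host bits set (192.0.2.1/24); a bare address
            # becomes a /32 or /128 network
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            scope.hosts.add(entry.lower().rstrip("."))
    # collapse_addresses merges overlapping and adjacent subnets, one IP version at a time
    for version in (4, 6):
        scope.networks.extend(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return scope


def address_count(scope):
    """Addresses per IP version: the 'size of the network' the form asks for."""
    counts = {4: 0, 6: 0}
    for net in scope.networks:
        counts[net.version] += net.num_addresses
    return counts


def in_scope(scope, target):
    """True if an IP address or host name falls within the agreed scope."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        if host in scope.hosts:
            return True
        # *.customer.com covers every subdomain but not the apex itself, which must
        # be listed explicitly; the leading dot stops notcustomer.com from matching
        return any(host.endswith("." + suffix) for suffix in scope.wildcards)
    return any(addr in net for net in scope.networks)


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_SCOPE)
    for net in scope.networks:
        print("subnet   ", net)
    print("addresses", address_count(scope))
    for target in ("192.0.2.200", "198.51.100.21", "2001:db8:0:1::5",
                   "api.customer.com", "customer.com.attacker.net"):
        print(f"{target:28} {'IN SCOPE' if in_scope(scope, target) else 'out of scope'}")
```

The overlapping 192.0.2.128/25 disappears into the /24, and the first-last range is expressed as the four CIDR blocks that exactly cover it, which is the form the scoping form asks for. A host name is only matched as a subdomain of a wildcard entry or as an explicitly listed host; the apex domain is therefore listed separately in the sample.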
Please specify only the manufacturer(s) of the firewall solution(s) in use; version details are not required.
Please list all (web) applications within the scope of the test that offer an authenticated area. For each application, add a brief description of the type of application and its purpose. For a gray-box test, test accounts for these authenticated areas should be provided.
An on-site presentation of results (usually one day) incurs a one-time travel fee for the day of the presentation.
A remote presentation of results is held via Zoom conference; no travel costs apply in this case.