PenTest – Overview

Penetration Test 
Perform a Penetration Test tailored specifically to the client's business environment as detailed in the client questionnaire. Testers will use multiple tools and techniques to simulate an attack on the in-scope systems without causing a destructive or denial-of-service (DoS) condition. The goals of the penetration test are to identify, and then verify, application or operating system vulnerabilities, as well as security configuration weaknesses that could give an attacker a foothold in the environment.

All testing will be done remotely, so no other expenses are anticipated during this phase.

Scope 
– External: up to X devices 
– Internal: up to X devices 
– Web App: unauthenticated and authenticated web application testing using up to X user roles  

Activities 
– Reconnaissance and device discovery 
– Automated network and application vulnerability scanning 
– Manual verification of findings to reduce false positives 
– Manual exploitation techniques to simulate realistic hacker activity and identify systems or data that are at risk of compromise   

Requirements 
– Testing windows will be set by the end client 
– Any required internal testing will be conducted through an approved VPN connection 
– Prior approval for any hosted systems is required before the start of testing 

Deliverables 
– Single point of contact (Project Manager) for all tasks and deliverables 
– Final Assessment Report describing identified vulnerabilities and recommendations for remediation

Remediation Validation Test
Scope includes a re-test of all high and medium level vulnerabilities that were identified in the initial assessment

Activities 
– Perform re-testing as needed to validate that the corrective actions remediated the initial vulnerabilities
– Re-testing can only be scheduled once all remediations are complete

Deliverables 
Updated Final Assessment Report showing remediated items