2. Scoping Questionnaire

☐ Internal Vulnerability Assessment ☐ External Vulnerability Assessment
☐ Internal Penetration Test ☐ External Penetration Test
☐ Wireless Security Assessment ☐ Application Security Assessment
☐ Physical Security Assessment ☐ Social Engineering Assessment
☐ Red Team Assessment ☐ Web Application Security Assessment
Aside from the assessment type, client name, address, and key personnel contact information, some other critical pieces of information include:

How many expected live hosts?
How many IPs/CIDR ranges are in scope?
How many domains/subdomains are in scope?
How many wireless SSIDs are in scope?
How many web/mobile applications? If testing is authenticated, how many roles (standard user, admin, etc.)?
For a phishing assessment, how many users will be targeted? Will the client provide a list, or will we be required to gather this list via OSINT?
If the client is requesting a Physical Assessment, how many locations? If multiple sites are in scope, are they geographically dispersed?
What is the objective of the Red Team Assessment? Are any activities (such as phishing or physical security attacks) out of scope?
Is a separate Active Directory Security Assessment desired?
Will network testing be conducted as an anonymous user on the network or as a standard domain user?
Do we need to bypass Network Access Control (NAC)?

Finally, we will want to ask about information disclosure and evasiveness (if applicable to the assessment type):

Is the Penetration Test black box (no information provided), grey box (only IP address/CIDR ranges/URLs provided), or white box (detailed information provided)?

Would they like us to test in a non-evasive, hybrid-evasive (start quiet and gradually become "louder" to assess at what level the client's security personnel detect our activities), or fully evasive manner?

Types of Penetration Testing

Type: Information Provided
Blackbox: Minimal. Only the essential information, such as IP addresses and domains, is provided.
Greybox: Extended. In this case, we are provided with additional information, such as specific URLs, hostnames, subnets, and similar.
Whitebox: Maximum. Here everything is disclosed to us. This gives us an internal view of the entire structure, which allows us to prepare an attack using internal information. We may be given detailed configurations, admin credentials, web application source code, etc.
Red-Teaming: May include physical testing and social engineering, among other things. Can be combined with any of the above types.
Purple-Teaming: Can be combined with any of the above types. However, it focuses on working closely with the defenders.

Types of Testing Environments

Network, Web App, Mobile, API, Thick Clients, IoT, Cloud, Source Code, Physical Security, Employees, Hosts, Server, Security Policies, Firewalls, IDS/IPS

This information will help us ensure we assign the right resources and deliver the engagement based on the client's expectations. This information is also necessary for providing an accurate proposal with a project timeline (for example, a Vulnerability Assessment will take considerably less time than a Red Team Assessment) and cost (an External Penetration Test against 10 IPs will cost significantly less than an Internal Penetration Test with 30 /24 networks in scope).

Based on the information we received from the scoping questionnaire, we create an overview and summarize all information in the Scoping Document.
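The IP/CIDR and domain answers from the questionnaire are what the tester later has to enforce: every host touched during the engagement must fall inside the agreed ranges and outside any exclusions. The following Python script is an added example, not part of the original text or of any training provider's material; it takes a constructed scope (hypothetical CIDRs, excluded hosts and a domain, not a real client's data), merges overlapping ranges so the address count used for sizing the proposal is not inflated, and partitions a candidate target list into in-scope and out-of-scope entries before any testing starts.

```python
import ipaddress

# Constructed sample answers to "How many IPs/CIDR ranges are in scope?" and
# "How many domains/subdomains are in scope?". Hypothetical values only.
IN_SCOPE_CIDRS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.1.0/25", "203.0.113.0/28"]
EXCLUDED_HOSTS = ["10.10.0.1", "10.10.1.254"]   # hosts the client asked us not to touch
IN_SCOPE_DOMAINS = ["example.com"]


def load_networks(cidrs):
    """Parse CIDR strings strictly and merge overlaps/adjacent ranges."""
    parsed = []
    for c in cidrs:
        # strict=True rejects entries such as "10.10.0.5/24" (host bits set),
        # which usually indicate a typo in the scoping document.
        parsed.append(ipaddress.ip_network(c, strict=True))
    merged = []
    # collapse_addresses only accepts one IP version at a time
    for version in (4, 6):
        same_version = [n for n in parsed if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same_version))
    return merged


def load_exclusions(hosts):
    return {ipaddress.ip_address(h) for h in hosts}


def address_count(cidrs, excluded=()):
    """Addresses across the merged ranges, minus exclusions that fall inside them."""
    nets = load_networks(cidrs)
    excl = load_exclusions(excluded)
    total = sum(n.num_addresses for n in nets)
    total -= sum(1 for h in excl if any(h in n for n in nets))
    return total


def ip_in_scope(target, cidrs, excluded=()):
    """True only if the address is inside an agreed range and not excluded."""
    ip = ipaddress.ip_address(target)
    if ip in load_exclusions(excluded):
        return False
    return any(ip in n for n in load_networks(cidrs))


def host_in_scope(hostname, domains):
    """A hostname is in scope if it equals an agreed domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


def split_targets(targets, cidrs, excluded=(), domains=()):
    """Partition candidate targets into (in_scope, out_of_scope) lists."""
    allowed, rejected = [], []
    for t in targets:
        try:
            ok = ip_in_scope(t, cidrs, excluded)
        except ValueError:          # not an IP literal: treat it as a hostname
            ok = host_in_scope(t, domains)
        (allowed if ok else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    print("addresses in scope:", address_count(IN_SCOPE_CIDRS, EXCLUDED_HOSTS))
    candidates = ["10.10.0.1", "10.10.1.200", "10.10.2.7", "mail.example.com", "example.org"]
    ok, bad = split_targets(candidates, IN_SCOPE_CIDRS, EXCLUDED_HOSTS, IN_SCOPE_DOMAINS)
    print("in scope:", ok)
    print("out of scope:", bad)
```

With the sample scope, the two adjacent /24s and the overlapping /25 collapse to a single 10.10.0.0/23, so the count comes out at 528 addresses minus the two exclusions rather than the 784 a naive sum would report; the same function applied to thirty distinct /24 networks gives the 7,680 addresses behind the cost comparison in the text.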
