PROACTIVE RISK
  • About
    • 800 lb Gorilla
    • Our Manifesto
    • Simple Agreements >
      • Mutual Confidentiality and Non Disclosure Agreement
      • Master Agreement | Work Order
    • BLOG
    • Capabilities Summary
    • Request Support
    • Contact Us
  • SOLUTIONS
    • Fractional CIO/CISO
    • Cyber Recruiter
    • Threat Modeling
    • Policies and Plans
    • MonitorIT®
    • Software Development
    • Domains | DNS
    • PhishIT®
    • MeasureRISK®
    • Vendor Risk
    • CATSCAN®
    • Physical Security
    • Backup Resiliency
    • ProtectIT®
    • ManageIT®
    • FINDIT® >
      • RAPTOR eDiscovery
  • RESOURCES
    • Tech News
    • Videos
    • Store
    • Guides | Tools
    • STAFF
To scope a project we first need answers to a short set of questions that establish its size and the labor and skills required.

Below are the most common questions we ask before providing a proposal for assessment services. Additional questions may be required so that we can prepare a complete Master Services Agreement (MSA) and Work Order (WO) for the desired outcome.
External Penetration Testing
  1. Please provide the approximate number of active hosts/IPs exposed to the internet across office, datacenter and cloud infrastructure.
  2. Are there any day/time restrictions for the testing?
  3. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  4. Are there any specific deadlines for project execution and report delivery?
 
Internal Penetration Testing
We need to determine the size of the internal environment across all offices, datacenters and cloud infrastructure: the approximate number of network-connected systems, including endpoints, servers and network infrastructure. Round numbers are fine (100, 250, 500, 2000, etc.). The number of employees is also helpful.

  1. Are there any time/day restrictions on when the testing can be performed?
  2. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  3. Our standard engagement is performed remotely via a CT-supplied virtual machine or hardware device placed on the internal network. Please specify if onsite presence is a requirement for this project.
  4. Are there any specific deadlines for project execution and report delivery?
  
Social Engineering Campaign
We typically test using a single-scenario, email-based social engineering campaign that impersonates a business partner or service provider. The goal is to measure click rates and entice users to reveal their credentials or to authorize a malicious application's access to their account (an OAuth consent attack). A single scenario is typically not effective against an entire company, so it should be targeted at specific groups or high-value targets. We can also perform multi-scenario campaigns against different departments.
  1. Please provide the approximate user count that would be part of the campaign(s).
  2. Would you like to use multiple campaign types for different departments?
  3. Would you like to include a phone-based (vishing) social engineering campaign?
  4. Would you like us to perform target discovery, or will a target list be provided?
 
 
Web Application Assessment
  1. Please provide the name and, if available, the URL of the application.
  2. Please provide a brief description of the application's functionality: what the core functionality is, who the users are, and what capabilities exist for those users.
  3. Approximate number of user input pages.
  4. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  5. Are there any publicly facing APIs, if so, can you provide API documentation? If not available, then approximate number of API endpoints.
  6. Are there any day/time restrictions for the testing?
  7. Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
  8. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  9. Does this application require an OWASP ASVS (Application Security Verification Standard) assessment? If so, please state the target verification level (1, 2 or 3).
  10. Are there any specific deadlines for project execution and report delivery?
 
Mobile Application Assessment
Please provide a brief description of the application's functionality: what the core functionality is, who the users are, and what capabilities exist for those users.
  1. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  2. Public API information: the documentation for the APIs the mobile app uses, if available, or otherwise the approximate number of API endpoints.
  3. What is the mobile application platform, iOS and/or Android?
  4. Does the application use certificate pinning? If so, can a debug build with pinning disabled be provided to allow interception and analysis of the app's network traffic?
  5. Can you provide the application build outside of the public app stores? (An APK file for Android; for iOS, an IPA for device testing or a build for the iOS Simulator.)
  6. Are there any specific deadlines for project execution and report delivery?
  
Web Application Assessment with Mobile App
  1. Please provide the name and, if available, the URL of the application.
  2. Please provide a brief description of the application's functionality: what the core functionality is, who the users are, and what capabilities exist for those users.
  3. Approximate number of user input pages.
  4. How many different user type profiles exist within the application? (standard user, client admin, site admin etc.).
  5. Are there any publicly facing APIs, if so, can you provide API documentation? If not available, then approximate number of API endpoints.
  6. Are there any day/time restrictions for the testing?
  7. Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
  8. What is the mobile application platform, iOS and/or Android?
  9. Does the application use certificate pinning? If so, can a debug build with pinning disabled be provided to allow interception and analysis of the app's network traffic?
  10. Can you provide the application build outside of the public app stores? (An APK file for Android; for iOS, an IPA for device testing or a build for the iOS Simulator.)
  11. We normally provide a single report with executive summary and technical details as well as third party attestation. Do you have any additional reporting requirements for this project?
  12. Are there any specific deadlines for project execution and report delivery?
 

AWS Configuration Review:
These questions only apply to an AWS configuration review performed with read-only (R/O) administrative access. For an external penetration test or web application test of systems hosted in AWS, the standard penetration test and web application questions above apply.
  1. How many AWS accounts are in scope?
  2. Are you using AWS Organizations, or is there any other way these accounts are centrally managed?
  3. Approximately how many EC2 instances are there within each account?
  4. How many IAM roles exist across all accounts?
  5. How many VPCs are there within each account?
  6. Approximately how many custom (non-AWS-managed) IAM roles are in scope?
  7. How many public-facing IPs are there?
  8. Are you utilizing AWS API Gateway, Lambda, Cognito, ECS, or any other AWS "serverless"/API offering?
  9. Are there any RDS instances (AWS managed database)?
  10. Are there any specific deadlines for project execution and report delivery?
 
Azure/Microsoft 365 Configuration Review:
These questions only apply to an Azure/Microsoft 365 configuration review performed with read-only (R/O) administrative access.
  1. How many Azure/Microsoft 365 tenants are in scope?
  2. Please provide the type and approximate number of Azure/Microsoft licenses in use within each tenant.
  3. Apart from Azure AD (Microsoft Entra ID), is there any infrastructure in use within the Azure tenant? If so, please provide details.
  4. Are there any specific deadlines for project execution and report delivery?
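The counts the AWS and Azure/Microsoft 365 configuration-review questions ask for can be pulled with read-only CLI calls rather than estimated by hand. The script below is an added example and is not Proactive Risk's code or tooling. It assumes the AWS CLI v2 and Azure CLI are installed and already authenticated with read-only credentials, that AWS is inventoried one account (profile) at a time, that an assumed `INVENTORY_REGIONS` variable lists the AWS regions to inspect (default `us-east-1`), and the file name `scope_inventory.sh` is likewise assumed.

```shell
#!/bin/sh
# Added example, not Proactive Risk's code: pull the approximate figures that the
# AWS and Azure/Microsoft 365 configuration-review questions ask for, using only
# read-only CLI calls. Assumed: AWS CLI v2 / Azure CLI installed and logged in with
# read-only credentials; AWS is done one account (profile) at a time; the assumed
# variable INVENTORY_REGIONS lists the AWS regions to inspect (default us-east-1).
set -eu
REGIONS="${INVENTORY_REGIONS:-us-east-1}"

# Count non-empty lines on stdin (pure shell, no external tools).
count_lines() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
# AWS CLI text output is tab-separated and prints "None" for nulls; reduce it to a count.
ids_to_count() { tr '\t' '\n' | sed '/^None$/d' | count_lines; }
# Run "aws $1 $2 --query $3" in every region and concatenate the text output.
regional_query() {
    for r in $REGIONS; do
        aws "$1" "$2" --region "$r" --query "$3" --output text
    done
}

# AWS Q1/Q2: active accounts in the Organization; returns 1 unless run from the
# management or a delegated-administrator account.
aws_org_accounts() {
    ids=$(aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].Id' --output text) || return 1
    printf '%s\n' "$ids" | ids_to_count
}
# AWS Q3: EC2 instances that are not terminated.
aws_ec2_count() {
    regional_query ec2 describe-instances \
        'Reservations[].Instances[?State.Name!=`terminated`].InstanceId' | ids_to_count
}
# AWS Q4/Q6: all IAM roles, then roles excluding AWS service-linked ones.
aws_role_count() { aws iam list-roles --query 'Roles[].Arn' --output text | ids_to_count; }
aws_custom_role_count() {
    aws iam list-roles --query 'Roles[?Path!=`/aws-service-role/`].Arn' --output text | ids_to_count
}
# AWS Q5: VPCs.
aws_vpc_count() { regional_query ec2 describe-vpcs 'Vpcs[].VpcId' | ids_to_count; }
# AWS Q7: public IPv4 addresses on network interfaces (EC2, NAT gateways, load
# balancers, public RDS). CloudFront and API Gateway edges are not ENIs, so add those separately.
aws_public_ip_count() {
    regional_query ec2 describe-network-interfaces \
        'NetworkInterfaces[?Association.PublicIp].Association.PublicIp' | ids_to_count
}
# AWS Q8: serverless/API services, per region.
aws_serverless() {
    for r in $REGIONS; do
        printf '%s lambda=%s rest_apis=%s http_apis=%s ecs_clusters=%s cognito_pools=%s\n' "$r" \
            "$(aws lambda list-functions --region "$r" --query 'length(Functions)' --output text)" \
            "$(aws apigateway get-rest-apis --region "$r" --query 'length(items)' --output text)" \
            "$(aws apigatewayv2 get-apis --region "$r" --query 'length(Items)' --output text)" \
            "$(aws ecs list-clusters --region "$r" --query 'length(clusterArns)' --output text)" \
            "$(aws cognito-idp list-user-pools --region "$r" --max-results 60 --query 'length(UserPools)' --output text)"
    done
}
# AWS Q9: RDS instances (Aurora cluster members appear here as instances).
aws_rds_count() { regional_query rds describe-db-instances 'DBInstances[].DBInstanceIdentifier' | ids_to_count; }

# Azure/M365 Q1: tenants the signed-in identity can see.
az_tenants() { az account list --all --query '[].tenantId' --output tsv | sort -u; }
# Azure/M365 Q2: license SKUs with purchased and assigned seats, from Microsoft Graph
# (needs a directory read permission such as Directory.Read.All).
az_licenses() {
    az rest --method get --url 'https://graph.microsoft.com/v1.0/subscribedSkus' \
        --query 'value[].[skuPartNumber, prepaidUnits.enabled, consumedUnits]' --output tsv
}
# Azure/M365 Q3: infrastructure beyond Azure AD: resource count per subscription.
az_resources() {
    for s in $(az account list --query '[].id' --output tsv); do
        printf '%s %s\n' "$s" "$(az resource list --subscription "$s" --query 'length(@)' --output tsv)"
    done
}

# Usage: sh scope_inventory.sh aws   (per account profile)   |   sh scope_inventory.sh azure
case "${1:-}" in
    aws)
        echo "account:          $(aws sts get-caller-identity --query Account --output text)"
        echo "org accounts:     $(aws_org_accounts 2>/dev/null || echo n/a)"
        echo "ec2 instances:    $(aws_ec2_count)"
        echo "iam roles:        $(aws_role_count) (custom: $(aws_custom_role_count))"
        echo "vpcs:             $(aws_vpc_count)"
        echo "public ips (ENI): $(aws_public_ip_count)"
        aws_serverless
        echo "rds instances:    $(aws_rds_count)"
        ;;
    azure)
        echo "tenants:"; az_tenants
        echo "licenses (sku purchased assigned):"; az_licenses
        echo "resources per subscription:"; az_resources
        ;;
esac
```

Run `sh scope_inventory.sh aws` once under each in-scope account's profile (for example with `AWS_PROFILE` set) and `sh scope_inventory.sh azure` after `az login`. The Organizations call only succeeds from the management or a delegated-administrator account and is reported as n/a elsewhere; the license query goes through Microsoft Graph and needs a directory read permission. The public-IP figure counts addresses attached to network interfaces, so CloudFront distributions and API Gateway endpoints must be added to the "public facing IPs" answer separately.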
 
Wireless Assessment:
Provide a listing of all physical locations that are in scope for the wireless assessment. For each location please include:
  • Address, or at least city and state.
  • Type (office building, factory, campus, plant).
  • Approximate size in square feet, number of floors, etc.
  • Approximate number of employees at the location.
  • Number of SSIDs at the location.
 
Contact Us

Contact Info

Proactive Risk Inc.
Tel: +1 (973) 298-1160
Web: www.proactiverisk.com
eMail: sales(at)proactiverisk.com

© COPYRIGHT 2023. ALL RIGHTS RESERVED.