At Proactive Risk, our Cyber Security Assessments are called CATScan. Think of it like going to the doctor—for your technology systems! We help you find and fix your tech troubles proactively, ensuring your digital health is in tip-top shape.
Every project is unique. We use a set of questions to determine the project's size and necessary resources. Below, we have outlined the most common questions as a starting point. Additional questions may be needed to provide a comprehensive Master Services Agreement (MSA) and Work Order (WO) tailored to your desired outcome. Please contact us for more information when you are ready to proceed.
External Penetration Testing
- Active Hosts/IPs: Please provide the approximate number of active hosts/IPs exposed to the internet across office, datacenter, and cloud infrastructure.
- Testing Restrictions: Are there any day/time restrictions for the testing?
- Reporting Requirements: We normally provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
- Security Controls: Are there any existing security controls (e.g., WAF, IDS/IPS) that we should be aware of?
Internal Penetration Testing
- Internal Environment Size: Please provide the approximate size of the internal environment across all offices, datacenters, and cloud infrastructure, including the number of network-connected systems (endpoints, servers, infrastructure). Approximate numbers are acceptable (e.g., 100, 250, 500, 2000).
- Number of Employees: How many employees are there in the organization?
- Testing Restrictions: Are there any day/time restrictions for the testing to be conducted?
- Reporting Requirements: We normally provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Onsite Requirement: Our standard engagement is performed remotely via a supplied virtual machine or hardware. Please specify if onsite presence is a requirement for this project.
- Deadlines: Are there any specific deadlines for project execution and report delivery?
- Security Policies: Are there any internal security policies or procedures we should be aware of?
Social Engineering Campaign
- User Count: Please provide the approximate number of users that would be part of the campaign(s).
- Campaign Types: Would you like to use multiple types of campaigns for different departments?
- Phone-Based Campaign: Would you like to include a phone-based social engineering campaign?
- Target Discovery: Would you like us to do target discovery, or will a target list be provided?
- Specific Scenarios: Are there any specific scenarios or high-value targets you want to focus on?
Web Application Assessment
- Application Details: Please provide the name and, if available, the URL of the application.
- Functionality Description: Please provide a brief description of the application's core functionality, target users, and their capabilities.
- User Input Pages: Please provide the approximate number of pages that accept user input.
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Are there any publicly facing APIs? If so, can you provide API documentation? If documentation is not available, please provide the approximate number of API endpoints.
- Testing Restrictions: Are there any day/time restrictions for the testing?
- Source Code/Logs: Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
- Reporting Requirements: We normally provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Specific Standards: Does this application require an OWASP ASVS Cloud Application Security Assessment?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
Mobile Application Assessment
- Application Details: Please provide a brief description of the application's core functionality, target users, and their capabilities.
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Please provide the documentation for the APIs the mobile app uses or, if it is not available, the approximate number of API endpoints.
- Mobile Platform: What is the mobile application platform (iOS and/or Android)?
- Certificate Pinning: Does the application use certificate pinning? If so, can a debug build be provided to allow for data transmission analysis?
- App Build: Can you provide an application build outside of the native app store (an APK file for Android; an IPA file for iOS, including a build for the x86 iOS simulator)?
- Reporting Requirements: We normally provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
Web Application Assessment with Mobile App
- Application Details: Please provide the name and, if available, the URL of the application.
- Functionality Description: Please provide a brief description of the application's core functionality, target users, and their capabilities.
- User Input Pages: Please provide the approximate number of pages that accept user input.
- User Types: How many different user type profiles exist within the application (e.g., standard user, client admin, site admin)?
- Public APIs: Are there any publicly facing APIs? If so, can you provide API documentation? If documentation is not available, please provide the approximate number of API endpoints.
- Testing Restrictions: Are there any day/time restrictions for the testing?
- Source Code/Logs: Can access be provided to the application source code and/or logs? While not required, access to code and logs can improve coverage and accuracy of the assessment.
- Mobile Platform: What is the mobile application platform (iOS and/or Android)?
- Certificate Pinning: Does the application use certificate pinning? If so, can a debug build be provided to allow for data transmission analysis?
- App Build: Can you provide an application build outside of the native app store (an APK file for Android; an IPA file for iOS, including a build for the x86 iOS simulator)?
- Reporting Requirements: We normally provide a single report with an executive summary, technical details, and third-party attestation. Do you have any additional reporting requirements for this project?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
AWS Configuration Review
- AWS Accounts: How many AWS accounts are in scope?
- Account Management: Are you using AWS Organizations (ORGs) or is there another way these accounts are centrally managed?
- EC2 Instances: Approximately how many EC2 instances are there within each account?
- IAM Roles: How many IAM roles exist across all accounts?
- VPCs: How many VPCs are there within each account?
- Custom IAM Roles: Approximately how many custom IAM roles are in scope?
- Public IPs: How many public-facing IPs are there?
- Serverless/API Services: Are you utilizing AWS API Gateway, Lambda, Cognito, ECS, or any other AWS "serverless"/API offering?
- RDS Instances: Are there any RDS instances (AWS managed database)?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
Azure/Microsoft365 Configuration Review
- Tenants: How many Azure/Microsoft365 tenants are in scope?
- Licenses: Please provide the type and approximate number of Azure/Microsoft licenses in use within each tenant.
- Infrastructure: Apart from Azure AD, is there any infrastructure in use within the Azure tenant? If so, please provide details.
- Deadlines: Are there any specific deadlines for project execution and report delivery?
Wireless Assessment
- Physical Locations: Please provide a listing of all physical locations that are in scope for the wireless physical test. For each location, please include:
  - Address, or city and state.
  - Type (office building, factory, campus, plant).
  - Approximate size in square feet, number of floors, etc.
  - Approximate number of employees at the location.
  - Number of SSIDs at the location.
- Testing Restrictions: Are there any day/time restrictions for the testing?
- Deadlines: Are there any specific deadlines for project execution and report delivery?
- Security Policies: Are there any internal security policies or procedures we should be aware of?