Company Name
Company Address
Company Website
Point of Contact: Name
Point of Contact: Email
If compliance is driving the scope of your project, please specify which framework(s) or regulatory bodies:
When would you like the testing to begin and conclude? We generally require at least a week's notice to schedule a pen test.
Are there any blackout dates or times when testing should NOT occur?
NOTE: Only complete this section if you want us to perform Web Application and/or API Penetration Testing.
How many applications and/or APIs are estimated to be tested? Please list ALL applications and APIs that need to be tested.
If you have an API that you'd like to be tested, please provide the number of endpoints in your API, the API type (REST, GraphQL, etc.), and the methods (POST, GET, etc.) supported by each endpoint.
Can you share the high-level functionality / key components or other relevant information?
Which assessment method would you prefer?
The general differences between the assessment methods are:
Black-box: Pen testing is done without credentials. The test is shorter and the expected finding count is low.
Grey-box: Pen testing is done with provided credentials (a test account for your application). The test is longer and the expected finding count is higher than for Black-box.
How many dynamic pages, forms or page routes (if using a Single Page Application) are there in each application? Please specify for each application:
What language(s) / framework(s) were used to build the application / API?
Are there any specific parts of the application or associated infrastructure that should be excluded from testing?
Are there any specific test types or techniques you want excluded (e.g., no denial of service checks)?
If the application being tested has an authentication mechanism, would you be interested in a Password Policy review and testing, as well as Brute Force / Rate Limit protection tests?
If you have an API that you'd like to be assessed with an authenticated Grey-box test, can you provide us with a list of roles (e.g., read-only, regular user, admin, etc.) that you'd like to be pen tested?
Can a separate test environment (with similar configurations as the production environment) be provided for the penetration testing?
Are there any restrictions or limitations on the test / production environment?
Has the application / API been pen-tested before? If so, can the reports or findings be shared?