# Requirements

- Scope
  - What will be tested
  - Start and end dates
  - Customer objectives
  - Strategic and operational goals
  - Ensure the customer's requirements and expectations are being met
- Rules of Engagement
  - Detailed stages
  - Who is authorised
  - On site or off site
  - Formal "permission to test" authorised (signed by someone with the authority to grant it)
- Legal sign-off

## Scope

- Identify the type of tests
  - Network, web, wireless, physical, social engineering
- Capabilities of the target organisation to be tested. Can it detect and respond to:
  - Information gathering
  - Footprinting
  - Scanning and vulnerability analysis
  - Infiltration
  - Data aggregation
  - Data exfiltration
- An immature organisation (NIST Tier 1) would benefit more from a vulnerability assessment than from a full pentest
- Identify outsourced services
  - In scope?
  - Permission obtained from the provider?
  - Provider procedures and requirements?
  - What to do if a vulnerability is found?
- Identify policies of any ISP or MSSP
  - In scope?
  - Do they need to be notified?
- Identify existing controls (firewall, IDS/IPS, web application firewall, load balancer)
  - In scope?

# Types of Test

- Why is the customer having a pentest performed against the environment?
  - Required for compliance?
- When does the customer want active testing conducted?
  - During business hours or outside them?
- How many IPs are to be tested (internal/external)?
- How should the testing team proceed if a vulnerability is found?

## Web Application Pentest

- How many applications are being assessed?
- How many login systems are being assessed?
- How many static pages are being assessed?
- How many dynamic pages are being assessed?
- Static analysis?
  - Is source code available?
  - Is documentation available?

## Wireless Network Pentest

- How many wireless networks?
- Guest network? Authentication?
- Encryption used and type?
- Square footage of coverage?
- Enumeration of rogue devices?
- Assessing wireless attacks against clients?
- How many clients on the network?

## Physical Pentest

- How many locations?
- Dedicated or shared facility? If shared, which floors are in scope?
- Need permission (e.g. from the building owner or other tenants)?
- Security guards? Who do they work for? What are their terms of reference?
  - Reasonable force? Armed?
- How many entrances to the building?
- Local laws?
- Square footage?
- Is physical security documented?
- Video surveillance?
- Alarm system? Silent? How is it triggered?

## Social Engineering

- List of email addresses the client wants attacked
- List of phone numbers?
- Approved? How many are targeted?
- Chosen pretexts approved in writing beforehand

# Questions

## For the company

- Is management aware?
- What is the main data that would create the greatest risk to the organisation if exposed, corrupted or deleted?
  - If there is an ISMS, there will be a risk register
  - If there is no ISMS, the organisation may lack the maturity for a test to be meaningful
- Are testing and validation procedures in place to verify the application is functioning correctly?
- Do the testers have access to the QA testing procedures from when the application was developed?
- Are Disaster Recovery procedures in place for the application data?