I am attempting to define the scope of an external pen test of our web platform. It is a portal that other entities log on to and access. The web platform is non-commercial and government-related, if that makes a difference. Not US based.
I have a list of the URLs that were sourced from a vulnerability test, so that is a decent start.
All of the short-listed pen testing companies are asking if they will be allowed to perform authenticated or unauthenticated tests. As I have not scoped out a pen test before, I am unsure if authenticated testing is commonly granted.
I assume there is no right or wrong answer here, just open to feedback.