I am attempting to define the scope of an external pen test of our web platform. It is a portal that other entities log on to and access. The web platform is non-commercial and government-related, if that makes a difference. Not US based.

I have a list of the URLs that were sourced from a vulnerability test, so that is a decent start.

All of the short-listed pen testing companies are asking if they will be allowed to perform authenticated or unauthenticated tests. As I have not scoped out a pen test before, I am unsure if authenticated testing is commonly granted.

I assume there is no right or wrong answer here, just open to feedback.

