Pre-engagement steps:

1) Scoping questionnaire
2) Pre-engagement meeting
3) Kick-off meeting

Documents to be signed/issued:

- NDA
  - Types of NDAs (must be signed before any of the above occur)
    - Unilateral
    - Bilateral
    - Multilateral
- Scoping questionnaire
  - Choose between services offered, for example, one or more of:
    - internal vuln assessment
    - external vuln assessment
    - internal pentest
    - external pentest
    - wireless security assessment
    - app security assessment
    - physical security assessment
    - social engineering assessment
    - red team assessment
    - web app security assessment
  - Test type: black box, gray box, white box
  - Intrusiveness: non-evasive (noisy), hybrid (ramp-up from quiet to noisy), fully evasive
- Scoping document
  - Created based on answers to the scoping questionnaire to summarize/memorialize what was agreed
- Contract/SoW
  - Drafted based on pre-engagement meetings and the scoping questionnaire
  - Checklist:
    - NDA
    - Goals
    - Scope
    - Pentesting type
    - Methodologies
    - Pentesting locations
    - Time estimation
    - Third parties
    - Evasive testing
    - Risks
    - Scope limitations and restrictions
    - Info handling
    - Contact info
    - Lines of comm
    - Reporting
    - Payment terms
- Rules of Engagement (RoE)
  - Checklist:
    - Introduction
    - Contractor
    - Pentesters
    - Contact info
    - Purpose
    - Goals
    - Scope
    - Lines of comm
    - Time estimation
    - Day/time of test
    - Pentesting type
    - Pentesting locations
    - Methodologies
    - Objectives/flags
    - Evidence handling
    - System backups
    - Info handling
    - Incident handling and reporting
    - Status meeting
    - Reporting
    - Retesting
    - Disclaimers and limitations of liability
    - Permission to test
- Contractors agreements (physical assessment)
  - "Get out of jail free" card if discovered/apprehended by security teams
  - Checklist:
    - Intro
    - Contractor
    - Purpose
    - Goals
    - Pentesters
    - Contact info
    - Physical addresses
    - Building name
    - Floors
    - Physical room identification
    - Physical components
    - Timeline
    - Notarization
    - Permission to test
    - Reports
- Contracting party must be a high-level company official with authority to sign, e.g.:
  - CEO, CTO, CIO, CISO, CSO (chief security officer), CRO (chief risk officer), VP of Internal Audit, Audit Mgr, VP/Director of IT