Before conducting a network penetration test, 7 Minute Security will have a scoping call with you to ensure we understand:
The goals of the test
The endpoints in (and out of) scope
Any timing restrictions (when we can and cannot test)
Once those guidelines are established, we will provide a secure file transfer you can use to send the following information:
IP addresses in scope for pentesting
Please provide 7 Minute Security with a list of subnets we should test, and any hosts that should not be touched.
Permission to conduct pentesting
You will need to secure the necessary permissions for 7 Minute Security to scan and/or pentest the infrastructure that is in scope for testing, whether from internal departments or relevant third parties (ISPs, MSPs, etc.).
Three (3) IP addresses to use for the duration of the test (for internal pentests)
Our pentest sensor requires three (3) IP addresses to use for the duration of the assessment. It is easiest for us if we are plugged into a network with DHCP enabled, but we can also assign static IPs to the device if required.
A low-privileged Active Directory account (for internal pentests)
7 Minute Security will approach the internal network penetration test from an "assume compromise" narrative, so we ask for an Active Directory account to be set up for us to use during testing. This account can be set up however you would provision a typical new employee. For example, if a common role at your company is customer service representative, and you give every new hire access to a few AD security groups as well as an "S drive" with shared files, set up our account in the same way. The account does not need to have special privileges, such as being a member of the Domain Admins group.
Configure network allow-lists
For external pentests, 7 Minute Security will provide you with the public IPs that we conduct penetration testing from, so that you can temporarily allow these IPs in your firewall/IDS/IPS/etc.
For internal pentests, 7 Minute Security uses Splashtop to manage penetration tests remotely. From the network that our scanning device will be plugged into, please run the Splashtop connectivity check and make sure you get a result similar to this screenshot:
Preferences for communication methods and cadence
Let 7 Minute Security know how you would best like to communicate about the penetration test. We can provide updates via email, text, Teams, or another communication method of your choice.