The tester needs to set up multiple meetings with the customer to understand their requirements. The outcome should include, but not be limited to, the following:
- Security compliance standards that the customer wants to comply with
- Requirements and code of conduct (if any) stated in the respective compliance standard
- List of network segments in scope
- List of network security devices in scoped network segments
- List of assets to scan (along with IP ranges)
- List of assets exposed to a public network (along with IP ranges)
- List of assets that have network-wide access (along with IP ranges)
- List of business-critical assets (along with IP ranges)
- List of acceptable vulnerability assessment tools in the customer environment
- Availability of licenses for tools suggested by the customer or the compliance standard
- List of tools that are strictly prohibited in the customer environment
- Recent vulnerability assessment reports, if available
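
One way to make these outcomes enforceable before any scan is launched is to record them as a machine-readable scope sheet and check every planned job against it. The sketch below is an added example, not part of the original text; the field names, IP ranges and tool names are constructed for illustration.

```python
import ipaddress

# Constructed scope sheet mirroring the checklist items above (sample values only).
SCOPE = {
    "in_scope": ["10.10.0.0/16", "192.0.2.0/24"],   # scoped network segments
    "public_exposed": ["192.0.2.0/28"],             # assets exposed to a public network
    "network_wide_access": ["10.10.1.10/32"],       # assets with network-wide access
    "business_critical": ["10.10.5.0/24"],          # business-critical assets
    "approved_tools": {"nmap", "nessus"},           # acceptable tools
    "prohibited_tools": {"masscan"},                # strictly prohibited tools
}
TAGS = ("public_exposed", "network_wide_access", "business_critical")

def _nets(key, scope):
    return [ipaddress.ip_network(cidr) for cidr in scope[key]]

def _inside(net, segments):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == s.version and net.subnet_of(s) for s in segments)

def validate_scope(scope):
    """Return (list_name, range) pairs that fall outside every in-scope segment."""
    in_scope = _nets("in_scope", scope)
    return [(key, str(net)) for key in TAGS
            for net in _nets(key, scope) if not _inside(net, in_scope)]

def check_job(target, tool, scope):
    """Return (decision, reasons) for one planned scan job."""
    tool = tool.lower()
    if tool in scope["prohibited_tools"]:
        return "deny", ["tool is prohibited"]
    if tool not in scope["approved_tools"]:
        return "deny", ["tool not approved"]
    net = ipaddress.ip_network(target, strict=False)  # accepts a host or a CIDR
    if not _inside(net, _nets("in_scope", scope)):
        return "deny", ["target outside scoped segments"]
    # Targets touching sensitive asset lists need explicit sign-off before scanning.
    tags = [k for k in TAGS if any(net.overlaps(n) for n in _nets(k, scope))]
    return ("review" if tags else "allow"), tags

if __name__ == "__main__":
    print(validate_scope(SCOPE))
    for job in [("10.10.5.20", "nmap"), ("10.10.8.0/24", "nessus"),
                ("172.16.0.5", "nmap"), ("10.10.8.1", "masscan")]:
        print(job, check_job(*job, SCOPE))
```

A `review` decision means the target overlaps one of the sensitive asset lists and the scan window or intensity should be confirmed with the customer first.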