Please enable JavaScript in your browser to complete this form.Please enable JavaScript in your browser to complete this form.Scoping Questionnaire Please fill out this questionnaire so that SOClogix can better understand the type of assessment that you are requesting and the size and scope of the assessment. Please answer the questions as accurately as possible as any incomplete or missing information may result in the delay of service or an under-scoped or over-scoped assessment. Not all questions will be applicable to each assessment. Please ignore or input 'N/A' to any questions that do not require an answer. Completing and submitting this form is not an authorization for SOClogix to conduct the assessment. This questionnaire is part of our pre-engagement process. If you have any other questions or need assistance with this form please contact soc@soclogix.com Thank you, SOClogix Team Customer Type *Reseller / PartnerDirect CustomerSelect 'Reseller / Partner' if the scope of work is for a customer of your company; otherwise, select 'Direct Customer' if your company or organization is the end customer.Reseller / Partner Name (Legal Name) *Company and Contact Information Enter the following contact information for the company/organization requesting a Vulnerability Scan and/or Penetration Test. If you are a Reseller or Partner, the Contact Person can be someone from your company rather than the client whom this assessment is for. Customer Company Name (Legal Name) *Enter the legal name for your client whom the assessment is for.Company Name (Legal Name) *Enter the legal name for the company/organization whom the assessment is for.Contact Person *FirstLastContact Person Email *Contact PhoneAssessment Address:Address Line 1Address Line 2City--- Select state ---AlabamaAlaskaArizonaArkansasCaliforniaColoradoConnecticutDelawareDistrict of ColumbiaFloridaGeorgiaHawaiiIdahoIllinoisIndianaIowaKansasKentuckyLouisianaMaineMarylandMassachusettsMichiganMinnesotaMississippiMissouriMontanaNebraskaNevadaNew HampshireNew JerseyNew MexicoNew YorkNorth CarolinaNorth DakotaOhioOklahomaOregonPennsylvaniaRhode IslandSouth CarolinaSouth DakotaTennesseeTexasUtahVermontVirginiaWashingtonWest VirginiaWisconsinWyomingStateZip CodePrevious History Please input historical information regarding the below. Is the organization subject to any compliance policy or regulations?Select AnswerYesNoWhen is the last time each compliance policy or regulation was validated? Has the organization ever been compromised that you know of?Select AnswerYesNoPlease summarize the compromise and remediation.Have there been any previous assessments conducted?Select AnswerYesNoWhat assessments have been carried out, and when were they last completed?Assessment Details Assessment Type *Internal Penetration TestInternal Vulnerability AssessmentExternal Penetration Test & Vulnerability AssessmentCheck all that apply. Internal Penetration Test - A controlled and authorized simulation of a cyberattack carried out within an organization's network and systems to identify vulnerabilities that could be exploited by malicious actors from within the organization. Internal Vulnerability Assessment - The process of systematically scanning and evaluating an organization's internal network, systems, and applications to identify potential security weaknesses and vulnerabilities that could be exploited by attackers. External Penetration Test & Vulnerability Assessment - Involves testing an organization's external-facing systems and applications to identify weaknesses and vulnerabilities that could be exploited by external attackers, often simulating real-world cyberattacks from outside the organization.Internal Assessment Deployment TypeOn-site Scanner Box.Agent on Domain Controller with Admin AD Credentials.Software agent on all Windows, MAC, and Linux devices.Please select the type of deployment for this scan. The following types of deployment options are available: On-site Scanner Box - Best used for scans where there is no access to install an agent on the domain controller or install software agents on. Agent on Domain Controller - Best used for scans where this is access to the domain controller to install a probe. Software agent on all Windows, MAC, and Linux devices - Best used when there is no central domain authentication available. Scan Times *During Business HoursAfter Business HoursWeekendsWhen should active portions (scanning, enumeration, exploitation, etc.) of the penetration test be conducted? (check all that apply) Please note that devices need to be powered on and connected to the network in order to be included in the assessment.Assessment Frequency *One-timeDailyMonthlyOtherPlease select the desired frequency for the assessment(s). If more than one assessment type has been selected, please select Other and specify the individual frequencies if necessary. Other Assessment FrequencyCompliance Requirements:CMMCHIPAAPCISOC2OtherIs the penetration test required for a specific compliance requirement (HIPAA, FINRA, PIC, etc.)?General Network Information Who is the current Internet Provider?Number of Devices onsite:Approximately how many onsite devices are on the network? This number includes desktops, laptops, servers, printers, network devices, VOIP phones, and IoT devices (thermostats, POS systems, Ring doorbells, etc.).Number of Devices remote:Approximately how many onsite devices are part of the organization but not at any office or network location? This number includes desktops, laptops, servers, printers, network devices, VOIP phones, and IoT devices (thermostats, POS systems, Ring doorbells, etc.).Server Technology:Windows ServerLinux ServerAWS Cloud ServersAzure Cloud ServersGoogle Cloud ServerOtherWhat server technologies does the organization use?Server Technology - OtherPlease list all other server technologies in use.Database TechnologiesWhat database technologies does the organization use?Internal Network Information Internal IP RangesPlease list our all IP ranges that are to be tested? Please be sure to include all subnets that are accessible by the network. (for example, 192.168.1.13, 192.168.1.0/24)Active Directory Domain Names:example, abcsales.local and/or domain.abcsupport.com, etc.)Internal Assets to Exclude:Please list any IP or hostnames you wish to have excluded from the assessment. i.e. printers, VOIP, or specific VLANs Exclusions might be necessary for various reasons, including critical systems that cannot be disrupted, systems under compliance restrictions, or resources that don't fall within the scope of the assessment.External Network Information External IP Information:Please list all External IP and/or address blocks registered to your organization. (for example, 198.23.32.1, 12.34.56.x/24)Domain Names:Please list all domain names registered to your organization. (for example, abcsales.com and/or abcsupport.com, etc.) Firewall Technology:Does the organization use a local firewall(s)? If so, please list the quantity and manufacturer(s) of the firewall(s).External Assets to Exclude:Please list any IP, hostnames, and/or domain names you wish to have excluded from the assessment. ie. Cloud Servers, websites, subdomains, subdirectories, etc.Final Information Rules of EngagementPlease indicate any rules or limitations to the assessment(s).ExpectionsPlease indicate any expectations there are for the assessment(s). Additional CommentsPlease provide any additional comments there may be regarding the scope of the assessment(s).Access and Credentials If necessary, please provide credentials to SOClogix via appropriate and secure channels. Notification and Authorization Have all relevant stakeholders and/or personnel been informed and authorized the assessment? Cloud Server Penetration Testing Amazon, Microsoft, and Google do not require notification before conducting penetration testing of servers hosted in their cloud environments. The following sources are references regarding the Penetration Testing of cloud-based environments and are listed here for the benefit of the Penetration Tester: AWS - Penetration Testing Policy Azure - Penetration Testing Microsoft Cloud - Penetration Testing Rules of Engagement Google Cloud Security FAQ Submit
