Pen Test Questionnaire
Company Information
Main Address
Street Address
Address Line 2
City
State / Province / Region
ZIP / Postal Code
Country
Name
First
Last
Company Name
Number of Offices (Sites with Networks)
Scope Objectives
What is the primary goal of the penetration test?
Compliance
Vulnerability Assessment
Risk Management
All of the Above
Other
What specific systems, applications, or networks do you want to be tested? Please list all.
Are there any systems or applications that should be explicitly excluded from testing?
Yes
No
Please list systems or applications to be excluded
What type of testing do you want?
Internal
External
All of the above
Technical Environment
Please provide IP ranges and domain names in scope
What are the primary operating systems in your environment?
What critical business applications must be included in the testing scope?
Are there any legacy systems in the scope?
Yes
No
Please list legacy systems in scope.
Do you use Cloud Services?
Yes
No
Please list Cloud Services used
What security controls are currently in place (firewalls, IDS/IPS, WAF, etc.)?
Please provide details
Testing Parameters
What is your preferred testing timeframe?
Are there specific hours during which testing should or should not occur?
Where would you like testing to be performed from?
On Premises
Remotely
No Preference
For an assumed breach scenario
You (CLIENT) will provide access via VDI, RDP, VPN, Citrix
We (PROVIDER) use our own equipment
All of the above
Are there any systems that require special handling or care?
Yes
No
Please list systems that require special handling or care
Business Impact
Are there specific high-risk periods (e.g., product launches, financial reporting) that we should avoid during testing?
Who should be contacted in case of critical findings or incidents during the engagement?
Communication and Reporting
Who is the primary point of contact for the engagement?
First
Last
Phone
Email
Additional person who should receive status updates during the testing process
First
Last
Phone
Email
What type of report do you expect at the end of the engagement (e.g., detailed technical report, executive summary, remediation plan, comprehensive (everything))?
Access and Credentials
Will credentials be provided for authenticated testing?
Yes
No
What type of credentials will be provided (username, certificate, MFA, etc.)?
What level of access will be provided (user, admin, etc.)?
Previous Testing or Assessments
Has your organization undergone previous security assessments?
Yes
No
Please provide details of assessment(s)
What are your primary security concerns based on past assessments?
Restrictions and Limitations
Are there any specific testing tools, techniques, or methodologies that should not be used during the engagement?
Yes
No
Please list restrictions
Expectations and Deliverables
What are your primary goals for this penetration test (e.g., identifying vulnerabilities, compliance)?
Do you need remediation guidance for identified issues?
Yes
No
Will you need a retest after remediation efforts are completed?
Yes
No
Emergency Procedures
Who should be contacted in case of critical issues or incidents during testing?
First
Last
Phone
Email
What procedures should the testing team follow if sensitive data is discovered during the engagement?
Legal and Compliance Considerations
Are there any legal or compliance requirements we should be aware of during testing (e.g., ISO, GDPR, HIPAA)?
Additional Information
Is there any other information or context that would be helpful for us to know before starting the penetration test?