On Jun 5, 2012, at 11:34 AM, Darden, Patrick S. wrote:

> I'm with Barry--a network diagram showing everything from the pov of the pen 
> team should be part of the end report.

Maybe, maybe not. It all depends on the scope of the engagement. I've had 
customers ask for a very specific pen test of a group of servers, or specific 
applications, wherein they provide all the topology, system, and network info, 
and just want me to look at one specific area.

Then of course others want a "black box" assessment, wherein they don't tell 
you anything, and expect you to discover whatever you can discover.

I'm personally very specific about scoping, and just give the customer exactly 
what they want, but you've got to "interview" each other to figure all of that 
out. And totally agree with a previous poster, you should always get a redacted 
or sample report to see what kind of quality you can expect in the finished 

