Caspisec – Penetration Test Scope Form

Test Request Information

Organization and contact information.

Organization / Company Name

Contact Person

Contact Person Title

Contact Information (phone/e-mail)

Test Type

White / Gray / Black Box approach.

Test Type

White Box Gray Box Black Box

Multiple selections can be made.

Test Mode / Profile

General Notes

Requested Services

Relevant section opens below as you select.

Sections: 0 selected

External (External Network) Penetration Test

IP/SUBNET Information / Count to be Tested

To Be Tested Public IPs or IP range

Number of Servers in DMZ Area

Mail Server Location

Web Server Location

To Be Tested Server Information

Internal (Internal Network) – LAN and Database Penetration Test

To Be Tested Server Information

Database Systems

Multiple selection with Ctrl/Command.

Total Number of Servers to be Tested (Physical + Virtual)

Wireless Network Security

Work Location

Operating Systems

Number of Clients

IP Ranges to be Tested

DMZ IP Ranges

Total Number of Devices with IP

Location Addresses

Other Information

Internet Security Tests

Vulnerability detection of in-scope components accessible from the internet, verification with manual tests, analysis and reporting. If requested, verification (retest) can be performed within the scope of service.

IP Address(es)	Will Exceptions be Defined on Security Devices (if any)?
	Is exception required? Security Devices (optional) Notes (optional)

Mobile Application Security Test Service

Add rows according to the number of applications.

Total Number of Mobile Applications to be Tested

Application Name	Platform	Number of User Profiles	Is Web Service Test Required?

Access address (App Store, Google Play Store, etc.) Functions on the Application

Web Service / API Security Test Service

To Be Tested Web Servis/API Information

Web Service/API Address Information	Number of User Profiles (Anonymous, 1,2, ...)

Source Code Analysis

Detection, analysis and reporting of security vulnerabilities using static source code analysis methods. If requested, verification can be performed within the scope of service.

Number of Rows		Other Notes (On-site Work / Remote Work)

Application Language Other (Optional)

VoIP Security Test Service

How many different types of Video Conference or Phone Systems will be tested?

Number of locations where VoIP test will be performed?

Wireless Network Security Test Service

Number of SSIDs to be tested

Number of locations to be tested

Are locations close to each other?

Description

Social Engineering Test Service

Requested Social Engineering Test

Email (Phishing) Phone (Information Gathering)

Number of users to receive email

Should sensitive data (password etc.) be recorded during phishing?

Number of users to be called

Requested scenarios / additional information

DDoS Test Service

Number of assets to be tested

Number of service providers to be tested

Current bandwidth

Test Type

Vector	Requested Max Bandwidth	Max User	IP:port / FQDN

Continuous Vulnerability Analysis Service

Requested scan frequency

Number of IPs to be scanned within service scope

Web Application Load Test Service

Number of applications to be load tested

Number of scenarios per application

Max number of users in each scenario

Test Dates & Verification

Requested date range for tests – Start

Requested date range for tests – End

Time restriction

Verification test

How long after report delivery should verification test be planned?

Requested date for report delivery

Reporting

Reporting Language

Test report will be sent and destroyed. Report will be requested from organization during verification. Do you approve?

Additional Reporting Requirements

Malware Installation Permission

Do you allow installation of malware when vulnerability is found?

Are the necessary requirements for the tests accepted?

Relevant Organization Personnel Responsible for Tests

Add information of the first person to contact in case of emergency.

Name / Surname	Address	Phone	Email

IP Addresses / Plan Where Tests Will Be Performed

Test Name	Executing Personnel	Planned Test Date

Authorized Information / Signature

Organization/Corporate Official – Name/Surname

Date

Caspisec Official – Name/Surname

Date

Test Process – Emergency & Report Retention

Emergency contact – Name Surname

Emergency contact – Phone

Report Retention

Appendix: Information, Authorization and Scope Approval

This text summarizes the accuracy of the scope declared in the form, the principles of conducting the tests and the responsibilities of the parties.

1) Purpose and Work Definition

This form; test scope, test approach (White/Gray/Black Box), time constraints, access needs and reporting expectations for the selected services has been prepared to record. Security tests; detection of vulnerabilities in a controlled and planned manner without causing service interruption in target systems, aims to verify and report.

2) Scope and Exclusions

Scope is limited to services selected in this form and assets declared in relevant sections (IP/Subnet, FQDN, application, API, SSID, etc.).
If testing of out-of-scope assets is requested, separate written approval and scope update are required.
Operations that may cause uncontrolled denial of service (DoS) effect will not be applied unless explicitly requested and written approval is obtained.
Verification (retest) is not included as a general rule in services such as social engineering, DDoS, web load testing and continuous vulnerability analysis; it must be requested separately.

3) Authorization and Permission

Organization/Company declares that it has given the necessary authority to test the systems to be tested; that the relevant assets belong to it or that it has authorized usage rights.
Exploitation of vulnerabilities detected during testing (proof generation) is carried out only for security assessment purposes and with the necessary minimum impact.
“Malware installation permission” Action is taken according to the selection in the field; unless permission is granted malware dropping/persistence is not done.

4) Prerequisites and Customer Responsibilities

While Gray/White Box testing, security devices (WAF/IPS/NAC, etc.) must be configured so that test IPs are not blocked.
In local network tests, the working environment, network access and necessary technical coordination are provided by the Organization/Company.
Required user profiles, test accounts, access permissions and documentation (e.g. Swagger) for Application/API tests are provided by the Organization/Company.
In mobile application tests, if the requested technical requirements (e.g., appropriate build/SSL pinning conditions) are not met, the test scope may narrow or the duration may extend.

5) Data Processing, Records and Report Retention

Findings, evidence and logs obtained during the test are processed for reporting purposes and shared only with authorized persons.
Report delivery is made in password-protected form.
The report retention/destruction process is applied according to the selection in the "Report retention period" field; if a verification test is to be performed, the report may be requested from the Institution/Company.

6) Operational Risks and Emergency Procedure

Every security test has certain operational risks (service performance impact, unexpected behaviors, third-party dependencies, etc.).
Emergency contact person/number is specified in this form; test can be stopped immediately if necessary.
Critical business continuity restrictions (off-hours, specific time range etc.) “Time restriction” field must be specified.

7) Limitation of Liability

Security testing is an assessment activity carried out within the scope declared in the form and the access/prerequisites provided. CASPISEC cannot be held responsible for out-of-scope systems, unspecified assets, interruptions caused by third-party service providers and consequences arising from prerequisites not provided by the Organization/Company.

I have read, understood, and accept the information/authorization provisions within the scope of this form.

Note: This approval means accepting the accuracy of the scope declarations in the form and that the test process will be carried out according to the specified principles.

“Save as PDF” button opens the browser's print window. On the screen that appears “save as PDF” use the option.