If the test is going well for the client, you might not reach out to them that much.
What is going well?
You’re not finding a ton or you’re not getting any critical or strong findings
Exception:
Finding a critical issue:
- Gaining access to internal network thru VPN
- RCE
- Webserver login
They need to know these IMMEDIATELY during the engagement. Email or phone with the CPOC. Why?
- Because if we can, then there is a good chance someone else also already has
- They can work on patching it immediately
Example email (kickoff email):
199.120.48.0/24 is the company’s range in RoE (rules of engagement)
8.8.8.8 is fake, supposed to be the IP you will be testing from