First of all, activating Pentested mode on an asset means that you are allowing Patrowl to perform offensive operations on it, and therefore that you have accepted our Terms and Conditions.
This means that the first rule for putting an asset in Pentested mode is that the asset is under your technical and legal responsibility. If the asset is hosted or managed by an external provider, it is your responsibility to obtain the proper authorization from that provider allowing Patrowl to perform offensive operations on the target.
💡 If needed, Patrowl can provide an Authorization Audit Template that can be signed by providers.
The list of assets selected to be continuously pentested depends heavily on your global cybersecurity strategy and maturity, but also on your internal business context: the selection and the activation can only be performed by your teams.
However, here are a few tips for selecting assets worth pentesting. Keep in mind that our automation aims to find vulnerabilities, so assets need to expose at least something interesting to look at:
Choose FQDNs: the most recommended type of asset to put in Pentested mode is an FQDN (Fully Qualified Domain Name: https://en.wikipedia.org/wiki/Fully_qualified_domain_name). An FQDN usually refers to a precise service or application and will not change often.
Avoid IPs: the IPs of cloud providers (AWS/OVH/Azure/Scaleway…), CDNs (Cloudflare, Akamai) and load balancers are really not interesting to pentest. They change continuously, they are often shared with many customers, and they never expose interesting services. We recommend putting the related FQDN in Pentested mode instead (keep in mind that when you put an FQDN in Pentested mode, the related IP is automatically included in our controls). The only IPs that should be set in Pentested mode are fixed external datacenter IPs without any FQDN resolution.
Avoid “empty assets”: of course, putting an asset without any live service in Pentested mode is useless. Make sure your pentested assets host at least one “live service” (a website or a specific service; you can find this information on the asset's EASM page or via its status).
Avoid redirections: the most common example is the www redirection. If you set the asset patrowl.io (the top domain) in Pentested mode, but that asset only redirects to www.patrowl.io, Patrowl will not scan www.patrowl.io: it only scans the top domain patrowl.io, without following any redirection, to avoid out-of-scope scanning. A redirecting asset is not interesting to scan; put only the final redirect target FQDN in Pentested mode.
Avoid duplicate assets: sometimes, depending on your infrastructure, multiple FQDNs host the exact same service. For example, fr.patrowl.io points to the exact same website as be.patrowl.io. If you activate Pentested mode for both FQDNs, the controls performed by our solution will run against the exact same asset, and you will consume 2 licences to pentest one service.
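As an added example, not part of Patrowl's documentation or product, the following Python script applies the selection rules above to a candidate list before you enable Pentested mode: it flags bare IPs, assets that do not resolve, assets without a live service, assets that redirect to another hostname, and FQDNs that appear to serve the same content from the same backend (one service, two licences). The resolver and probe are injected so the script runs offline on the constructed sample data at the bottom; the network-backed versions (plain DNS resolution and a single HTTPS GET against your own asset, assuming HTTPS on port 443 is the service of interest) are included as an assumption about how you would run it on a real list.

```python
import hashlib
import ipaddress
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Probe result: whether anything answered, the hostname reached after redirects,
# and a content fingerprint used to spot FQDNs serving the same website.
ProbeResult = Dict[str, Optional[object]]


@dataclass
class Finding:
    asset: str
    verdict: str   # "ok": select it; "skip": do not select; "review": human decision needed
    reason: str


def is_bare_ip(asset: str) -> bool:
    try:
        ipaddress.ip_address(asset)
        return True
    except ValueError:
        return False


def normalize_host(host: Optional[str]) -> Optional[str]:
    return host.rstrip(".").lower() if host else None


def triage_assets(candidates: List[str],
                  resolve: Callable[[str], List[str]],
                  probe: Callable[[str], ProbeResult]) -> List[Finding]:
    """Apply the Pentested-mode selection rules to each candidate, in order."""
    findings: List[Finding] = []
    seen: Dict[tuple, str] = {}   # (resolved IPs, content fingerprint) -> first asset seen
    for asset in candidates:
        if is_bare_ip(asset):
            findings.append(Finding(asset, "review",
                "bare IP: only a fixed datacenter IP with no FQDN belongs in Pentested mode"))
            continue
        ips = resolve(asset)
        if not ips:
            findings.append(Finding(asset, "skip", "no DNS resolution"))
            continue
        info = probe(asset)
        if not info["live"]:
            findings.append(Finding(asset, "skip", "no live service answered"))
            continue
        final = normalize_host(info["final_host"])
        if final and final != normalize_host(asset):
            findings.append(Finding(asset, "skip",
                f"redirects to {final}: select that FQDN instead"))
            continue
        # Same backend IPs and same content fingerprint: probably one service behind two names.
        key = (tuple(sorted(ips)), info["fingerprint"])
        if key in seen:
            findings.append(Finding(asset, "review",
                f"same backend and content as {seen[key]}: likely one service, two licences"))
            continue
        seen[key] = asset
        findings.append(Finding(asset, "ok", "FQDN with a live service and no redirection"))
    return findings


def live_resolve(fqdn: str) -> List[str]:
    """Network-backed resolver (assumption: plain DNS via the local resolver)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


def live_probe(fqdn: str, timeout: float = 5.0) -> ProbeResult:
    """Network-backed probe (assumption: HTTPS on 443 is the service of interest).
    urlopen follows redirects, so geturl() reveals the final hostname."""
    req = urllib.request.Request(f"https://{fqdn}/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            digest = hashlib.sha256(resp.read(65536)).hexdigest()
            return {"live": True, "final_host": urlsplit(resp.geturl()).hostname, "fingerprint": digest}
    except urllib.error.HTTPError as err:   # 4xx/5xx: something is listening
        return {"live": True, "final_host": urlsplit(err.geturl()).hostname, "fingerprint": None}
    except (urllib.error.URLError, OSError, ValueError):
        return {"live": False, "final_host": None, "fingerprint": None}


# Constructed sample data (not real assets) so the script runs offline.
SAMPLE_CANDIDATES = ["203.0.113.10", "app.example.com", "old.example.com",
                     "example.com", "fr.example.com", "be.example.com", "ghost.example.com"]
_SAMPLE_DNS = {"app.example.com": ["203.0.113.20"], "old.example.com": ["203.0.113.21"],
               "example.com": ["203.0.113.30"], "fr.example.com": ["203.0.113.40"],
               "be.example.com": ["203.0.113.40"]}
_SAMPLE_HTTP = {"app.example.com": (True, "app.example.com", "fp-app"),
                "old.example.com": (False, None, None),
                "example.com": (True, "www.example.com", "fp-www"),
                "fr.example.com": (True, "fr.example.com", "fp-shared"),
                "be.example.com": (True, "be.example.com", "fp-shared")}


def sample_resolve(fqdn: str) -> List[str]:
    return _SAMPLE_DNS.get(fqdn, [])


def sample_probe(fqdn: str) -> ProbeResult:
    live, final, fp = _SAMPLE_HTTP.get(fqdn, (False, None, None))
    return {"live": live, "final_host": final, "fingerprint": fp}


if __name__ == "__main__":
    for f in triage_assets(SAMPLE_CANDIDATES, sample_resolve, sample_probe):
        print(f"{f.verdict:6} {f.asset:20} {f.reason}")
```

Swap `sample_resolve`/`sample_probe` for `live_resolve`/`live_probe` to run it on your own inventory. Treat the "review" verdicts as prompts for a human decision, not as automatic exclusions: a fixed datacenter IP is legitimately pentested, and two FQDNs on one backend may still be different applications behind a shared front end.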