Whitelisting for Web Application Penetration Testing Service

This information is intended for clients who are receiving a Web Application Penetration Test. If you are unsure whether this information applies to your organization, please consult with your Customer Success Manager.

Why should I whitelist?

During the defined testing period, the analyst must rapidly scan and test discovered services, and that activity can cause an IPS or WAF to temporarily block or permanently blacklist the analyst's source IP address(es). A blocked analyst cannot test services that are otherwise reachable, so vulnerabilities on those services go unidentified. Because of this, TraceSecurity recommends conducting web application tests with the testing source IP addresses whitelisted in any deployed intrusion prevention systems or web application firewalls. Whitelisting stands in for the evasion a real-world attacker could achieve with more time and more source addresses than a fixed engagement window allows, so the assessment reflects the application itself rather than the rate limits and scan detection in front of it, giving the most complete and accurate result possible.

How do I whitelist?

The team that manages the intrusion detection system/intrusion prevention system (IDS/IPS) and/or WAF will need to allow ping sweeps and port scans from the designated source IP addresses listed below. The team SHOULD NOT open any otherwise filtered ports on any supporting firewall: firewall access rules stay exactly as they are in production. The whitelisting is limited to preventing the source IP addresses from being blocked outright for tripping IDS/IPS/WAF behavior rules such as ping-sweep or port-scan detection; it does not expose anything that is not already exposed.

The analyst IP addresses used for manual external testing are as follows:

174.69.226.251
174.69.226.254

This information will need to be supplied to whoever maintains the applicable system(s) for your organization. If any of these systems are maintained by a third-party vendor, please pass the applicable information along to them.
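As an added illustration, and not part of TraceSecurity's instructions above (which do not name any product), the following shows how that scoping translates into configuration for two common open-source controls. It assumes Suricata as the IPS and ModSecurity v2 on Apache as the WAF; the rule identifiers (sid 9000001, id 9000010) and the $HOME_NET variable name are assumptions for the example. The firewall section is deliberately a comment only, because the correct firewall change is no change.

```text
# ---------------------------------------------------------------------------
# 1. Suricata IPS (assumed product; add to a local rules file).
#    A "pass" rule is evaluated before "drop" and "alert" rules, so traffic
#    between the analyst addresses and the monitored network is exempt from
#    scan/sweep detection and any rate-based blocking for the engagement.
#    $HOME_NET is the standard Suricata variable for the protected network.
# ---------------------------------------------------------------------------
pass ip [174.69.226.251,174.69.226.254] any <> $HOME_NET any (msg:"TraceSecurity analyst - exempt from IPS blocking during engagement"; sid:9000001; rev:1;)

# ---------------------------------------------------------------------------
# 2. ModSecurity v2 WAF (assumed product; Apache syntax, phase 1).
#    DetectionOnly keeps the WAF logging every request so the client retains
#    an audit trail of what was attempted, but never blocks the analyst.
#    Caveat: if the WAF sits behind a load balancer or reverse proxy,
#    REMOTE_ADDR is the proxy's address and this rule will not match; match
#    on the forwarded client address instead (for example the
#    X-Forwarded-For header, only if the proxy is trusted to set it).
# ---------------------------------------------------------------------------
SecRule REMOTE_ADDR "@ipMatch 174.69.226.251,174.69.226.254" \
    "id:9000010,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"

# ---------------------------------------------------------------------------
# 3. Perimeter firewall: NO change.
#    Do not add an accept rule for 174.69.226.251 or 174.69.226.254 to ports
#    that are filtered today. Filtered ports must stay filtered so the test
#    reflects what is actually exposed to the internet.
# ---------------------------------------------------------------------------
```

Both rules are scoped to the two analyst addresses only and should be removed when the engagement ends; the Suricata rule affects only packets to or from those addresses, and the ModSecurity rule leaves blocking fully enabled for every other client.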

For any questions or concerns relating to this information, please discuss with your assigned analyst on the scoping call so expectations are appropriately set for the engagement.