Should I Whitelist My Penetration Testers?

Determining whether you should whitelist your penetration testers' IP addresses is an important step before an assessment.

Do you have a penetration test coming up? You might have a lot of questions about preparing for your assessment. You might even wonder, "Should I whitelist my penetration testers?" This article will shed some light on Lucid Security's take on this question.

Addressing Concerns

Lucid Security strongly believes in providing transparency in all of our testing efforts when conducting an assessment. Because of that, Lucid Security tries to address any questions or concerns during a kick-off call. The kick-off call is the perfect time to address whitelisting the testers' IP addresses. For the purpose of this article, let's assume the scenario is that you will be having an external penetration test. That is, emulating what an attacker can do from anywhere on the Internet. You likely have some protections in place, whether it's a web application firewall (WAF) or an intrusion prevention/detection system (IPS/IDS). So you may wonder why you would want to whitelist the penetration testers' IP addresses if the test is supposed to be a realistic emulation of an attacker.

Reasons to Whitelist Testers' IP Addresses

It is perfectly reasonable to want to actively test your defenses. In fact, this is something Lucid Security encourages. On request, Lucid Security will test whatever defenses you have in place, but recommends whitelisting the penetration testers' IP addresses after about a day. We believe that it is important to find ALL vulnerabilities by taking a holistic approach to our assessments. By whitelisting the penetration testers' IP addresses, the team will be able to find any underlying vulnerabilities. Since it has been proven that attackers can bypass WAFs under certain circumstances, it is important to find and address all security issues. Lastly, most web application firewalls are under constant security scrutiny, as they are used by a wide array of users worldwide.

Lucid Security’s Recommendation

At Lucid Security, we recommend having a discussion during the scoping call or kick-off call to determine what your goals are. In most cases, a happy medium can be found by testing defenses early in the assessment and then switching to a completely whitelisted approach. In other cases, you may be completely confident in your defense capabilities and want to start right off the bat with whitelisting the penetration testers' IP addresses, making the most of your testing window by looking "under the hood" for all vulnerabilities.
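The "test defenses first, then whitelist" approach above works best when the allowlist is tied to the agreed engagement window and tester traffic stays visible to the SOC instead of silently disappearing from WAF logs. The following is an added example, not Lucid Security's code or a product's configuration: a small Python decision hook in the shape a WAF or IPS policy layer might call. The tester ranges, engagement dates and log lines are all constructed (documentation-only address space), and the `Engagement`, `decide` and `apply_allowlist` names are assumptions for illustration.

```python
"""
Time-boxed allowlist for penetration-tester source IPs (added example).

Policy modelled here:
  * Inside the agreed window, traffic from the testers' ranges is never
    blocked by the WAF, so the team can reach the application itself.
  * Every such decision is tagged, so tester traffic is still logged and
    distinguishable from an opportunistic attacker using the same paths.
  * Outside the window, the testers' ranges get no special treatment, but
    they are tagged so an unexpected appearance is investigated.
All ranges, dates and log lines below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    name: str
    tester_ranges: tuple          # ip_network objects agreed at kick-off
    start: datetime               # whitelisting starts (after ~1 day of defense testing)
    end: datetime                 # whitelisting ends with the testing window

    def in_window(self, when: datetime) -> bool:
        return self.start <= when < self.end

    def from_tester(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        # Membership across IPv4/IPv6 versions is simply False, so mixing is safe.
        return any(addr in net for net in self.tester_ranges)


def decide(engagement: Engagement, src_ip: str, when: datetime, waf_verdict: str):
    """
    Combine the WAF's own verdict ("allow"/"block") with the engagement allowlist.
    Returns (action, tag); the tag is meant to be written to the log line.
    """
    if waf_verdict not in ("allow", "block"):
        raise ValueError(f"unexpected WAF verdict: {waf_verdict!r}")
    if not engagement.from_tester(src_ip):
        return waf_verdict, "untrusted"            # normal traffic, normal WAF behaviour
    if not engagement.in_window(when):
        return waf_verdict, "tester-outside-window"  # no bypass, but flag for review
    if waf_verdict == "block":
        return "allow", "tester-bypass"            # WAF would have blocked: record the bypass
    return "allow", "tester"


def apply_allowlist(engagement: Engagement, lines):
    """Replay constructed 'timestamp src_ip waf_verdict' lines through decide()."""
    results = []
    for line in lines:
        ts, src, verdict = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        action, tag = decide(engagement, src, when, verdict)
        results.append((src, action, tag))
    return results


# Constructed engagement: defenses tested on 2025-03-10, allowlist active 11th-14th.
ENGAGEMENT = Engagement(
    name="external-pentest-example",
    tester_ranges=(ip_network("203.0.113.0/28"), ip_network("2001:db8::/32")),
    start=datetime(2025, 3, 11, tzinfo=timezone.utc),
    end=datetime(2025, 3, 15, tzinfo=timezone.utc),
)

# Constructed WAF decision log: timestamp, source IP, verdict the WAF rules produced.
SAMPLE_EVENTS = (
    "2025-03-10T09:15:00Z 203.0.113.7 block",    # tester during defense-testing day
    "2025-03-12T14:02:00Z 203.0.113.7 block",    # tester inside window, WAF would block
    "2025-03-12T14:03:00Z 198.51.100.23 block",  # unrelated source, stays blocked
    "2025-03-12T14:04:00Z 2001:db8::10 allow",   # tester over IPv6, clean request
    "2025-03-16T08:00:00Z 203.0.113.9 block",    # tester range after the window closed
)

if __name__ == "__main__":
    for src, action, tag in apply_allowlist(ENGAGEMENT, SAMPLE_EVENTS):
        print(f"{src:<16} {action:<6} {tag}")
```

The point of the tags is that whitelisting should change what the WAF blocks, not what it records: the "tester-bypass" entries are what the SOC later uses to separate engagement activity from real alerts, and "tester-outside-window" entries are a cheap check that the allowlist was actually removed when the engagement ended.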

Lucid Security Can Help

Whatever approach you prefer, Lucid Security is happy to work with you and figure out the best solution for your organization. Feel free to reach out today and let us know how we can help by contacting us.

Lucid Security is a Veteran owned cybersecurity solutions company focused on offensive security and penetration testing. 

Copyright Lucid Security, LLC ©2025