Create a penetration test assessment request (prior to v19.0)
Initiate a penetration test assessment request for your web applications or APIs. These requests are submitted to the ethical hacking team, who then proceed to test these applications and manually report the penetration test findings.
Before you begin
Role required: App-Sec Manager
About this task
The application owner raises a penetration test assessment request to have their application or APIs manually tested. The ethical hacking team tests the application and manually creates penetration test findings. These findings are manually created application vulnerable items (AVIs).
The default assignment group for the penetration test finding is the group configured in the 'Application team' field of the associated penetration test assessment request. The assignment type of the penetration test finding is Manual. The assignment rules cannot override the assignment of these penetration test findings.
Starting with v19.0, you can create penetration test assessment requests directly from the Penetration Test Assessment Requests [sn_vul_pen_test_assessment_request_list] table. See Create a penetration test assessment request from existing requests (v19.0) for more information.
Procedure
- Prior to v19.0, navigate to All > Self-Service > Service Catalog > Services > Penetration Testing Assessment Request.
- Optional: Alternatively, create a request by replicating a closed request. All the values from the original request are preserved, and active application vulnerable items (AVIs) are automatically copied to the new request.
- On the form, fill in the fields.
Table 1. Penetration Testing Assessment Request form

- Number: Unique identifier generated for the penetration test assessment request.
- Requested by: Person requesting the assessment of the application.
- Parent assessment request: Original penetration testing assessment request used to create the child request. It is created using a closed assessment request. Visible only on the child assessment request form.
- Application: Select an application using the search option.
- Application type: Select an option from:
  - Web Service (known as API prior to v16.1)
  - Web Application
  - Thick Client
  - Mobile (if you select Mobile, the Mobile tab is displayed at the bottom of the form with additional fields)
- Application size (v19.0): Select the size of the application you want to test.
  - Small
  - Medium
  - Large
  - Standard (select this option if you are not sure of the size)
- Assessment type: Select the type of assessment from:
  - Full penetration Test
  - Focused Test
  - Re-test
- Purpose of application: Description of the application's functionality.
- Technology stack details: Complete technology stack from front end to back end, databases, and other key technologies.
- Is third-party application?: Confirms whether this application is owned by a third-party vendor.
- List types of sensitive data accessible from application: Types of sensitive data accessible from the application. For example, PII data, PHI data, and financial data such as credit card numbers.
- Authentication type: Specifies whether this application uses LDAP authentication, its own native authentication, or other forms of authentication.
- Is application in scope for any compliance program?: Specifies whether this application impacts any compliance programs such as PCI.
- Application team contacts: Members of the application team to be contacted by the ethical hacking team for any questions.
- Demo date: Date when this application can be demonstrated.
- Product deployment planned on: Planned date to deploy this application in production.
- Application version/release planned for deployment: Version of the application planned for production deployment.
- Application owned by third-party vendor or a joint venture (v19.0): If you select Yes for this field, the Vendor/Joint Venture Information tab is displayed with additional fields. The term 'Clause' might refer to standards for testing that include any agreements that exist between two or more parties.
- State: Select a value based on the status of the request.
- Assignment group: Group selected to work on the penetration test findings. Can be manually added or edited by an App-Sec Manager.
- Assigned to: Individual from the selected assignment group who works on the penetration test findings. Can be manually added or edited by an App-Sec Manager.
- Sprint: Displays the sprints with bandwidth available to accommodate the assessment request, based on the selected Assessment type field.
- Created: Date and time the request was created.
- Testing start date: Date and time when the testing begins.
- Updated: Date and time the request was last updated.

Testing details

- URLs to test: URLs that must be included in penetration testing.
- URLs to exclude: URLs that must be excluded from penetration testing.
- Was this application tested previously?: Specifies whether this application has already been penetration tested.
- Reason for retest: Reason for requesting a penetration test reassessment if the application was tested earlier.
- When was the application tested?: Timeframe when the application was penetration tested.
- Test account details: Details of the test account that the ethical hacking team can use for penetration testing.
- Application roles: Roles supported by the application for its users.
- Most used roles: Most commonly used roles in the application.

- Select Submit.
An email notification is sent to the ethical hacking team that the request has been created for the relevant application.