METHOD MEETS INTELLIGENCE
Penetration Testing Methodology
___
The methodology documented below is used for all Block8.ai penetration tests to ensure consistent and effective testing. The following steps provide a high-level overview of this methodology.
These steps are based on the Open Web Application Security Project (OWASP) testing guidance, the US National Institute of Standards and Technology (NIST) methodology and best practice appropriate to testing with Artificial Intelligence (AI) toolsets. These five steps are broken down below.
Engage
Vulnerability Assessment
AI Vulnerability Exploitation
Reporting
Re-Testing (as Required)
Engagement
The engagement step includes, as a minimum, the following key stages:
Client Details – Capture the relevant Client Information.
Definition of Scope – Clearly define the target, what is to be tested (systems, networks, applications) and importantly, what (if anything) is to be excluded. Please refer to Scope Definition below for more detail.
Payment – Via Credit Card and/or Purchase Order.
Scope Definition
Target Type: Web application or External Network.
Target: A single domain name or IP address with CIDR.
Target Details: When providing Block8.ai with details of your target, be aware of the following limitations:
Web Application – Block8.ai will only test assets and artefacts that are available on the root domain provided; third-party domains and services on domains not named in the scope are considered out of scope. While Block8.ai will check any content accessed or downloaded from third-party domains, it will not actively scan those domains.
External Network – If you provide an IP address range, be aware that the more targets that are provided, the less time will be available to perform deeper analysis on each endpoint. It is recommended to keep the range under 10 addresses, or to a single address if testing critical services.
Test Type: White Box, Grey Box or Black Box.
White Box – Authenticated testing with full documentation of the network/application. You will provide Block8.ai with an account for an internal service and full documentation of your application or network so that Block8.ai can specifically target high-value assets first.
Grey Box – Authenticated testing with no documentation. You will provide Block8.ai with a basic user account as part of scoping and no additional detail about your application, network or services. Block8.ai will use the provided account to attempt actions such as privilege escalation and exfiltration of sensitive data.
Black Box – Unauthenticated testing; this best emulates the starting point of a bad actor attempting to access your network or application.
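The scope rules above (one root domain or one IP address/CIDR block per target, a recommended ceiling of 10 addresses for network ranges, and third-party or unnamed domains treated as out of scope) are easy to encode as a pre-engagement check so that nothing outside the agreed scope is ever touched. The following is an added example written for this page, not Block8.ai's own tooling; the domain-name pattern and the warning wording are assumptions, and the sample targets are constructed from documentation address ranges.

```python
import ipaddress
import re

# Recommended ceiling for an external-network range (from the scope guidance:
# keep the range under 10 addresses).
RECOMMENDED_MAX_ADDRESSES = 10

# Hostname rule: one or more labels of letters, digits and hyphens followed by
# an alphabetic top-level label. This pattern is an assumption for the example;
# the page only says "a single domain name".
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE
)


def classify_target(target):
    """Classify one scope entry.

    Returns (target_type, address_count, warnings) where target_type is
    'web_application' for a domain name or 'external_network' for an IP
    address or CIDR block. Raises ValueError for anything else so that an
    unparseable scope entry is never silently accepted.
    """
    text = target.strip()
    warnings = []
    try:
        # strict=False accepts host bits set in the prefix (e.g. 192.0.2.5/29)
        # and normalises them to the containing network.
        network = ipaddress.ip_network(text, strict=False)
    except ValueError:
        network = None

    if network is not None:
        if "/" in text and str(network) != text:
            warnings.append(f"{text} has host bits set; normalised to {network}")
        count = network.num_addresses
        if count > RECOMMENDED_MAX_ADDRESSES:
            warnings.append(
                f"{network} expands to {count} addresses; guidance recommends "
                f"keeping the range under {RECOMMENDED_MAX_ADDRESSES}"
            )
        return "external_network", count, warnings

    if _DOMAIN_RE.match(text):
        return "web_application", 1, warnings

    raise ValueError(f"unrecognised scope entry: {text!r}")


def in_scope(host, scope):
    """True if host (a hostname or IP address) falls within one scope entry.

    For a web-application scope only the root domain and its subdomains are
    in scope; any other domain (a third-party CDN, for instance) is not.
    For an external-network scope the address must lie inside the block.
    """
    scope_type, _, _ = classify_target(scope)
    host = host.strip().lower().rstrip(".")
    if scope_type == "external_network":
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # a hostname can never match a network scope
        return addr in ipaddress.ip_network(scope.strip(), strict=False)
    root = scope.strip().lower().rstrip(".")
    return host == root or host.endswith("." + root)


if __name__ == "__main__":
    # Constructed sample scope entries using documentation ranges.
    for entry in ("example.com", "192.0.2.0/29", "192.0.2.5/28", "198.51.100.7"):
        kind, count, notes = classify_target(entry)
        print(f"{entry:16} {kind:17} {count:>3} address(es)")
        for note in notes:
            print(f"  warning: {note}")
    for host in ("app.example.com", "cdn.thirdparty.test", "example.com.evil.test"):
        print(f"{host:24} in scope of example.com: {in_scope(host, 'example.com')}")
```

Running the check before any scanning starts turns the written scope into an enforced one: a range that expands past the recommended ceiling is flagged so the client can narrow it, and a host discovered during reconnaissance can be tested against `in_scope` before it is touched.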
Vulnerability Assessment
The Vulnerability Assessment step includes, as a minimum, the following key stages:
Reconnaissance – Gather all available information pertinent to the target system or network (within scope). Reconnaissance may be achieved through passive or active techniques (i.e. public sources or technical scanning respectively).
Fingerprinting – Identifying the operating systems and running services, including the technology stack, of the systems, network devices and other devices within the in-scope environment.
Automated Scanning – Scanning conducted using vulnerability identification tools as selected by the Block8.ai team.
Analysis – The use of Block8.ai’s proprietary AI toolset to analyse the vulnerabilities identified by the scanning process. Each vulnerability is assessed to determine whether it is genuine or a false positive and whether it has the potential to be exploited.
AI Vulnerability Exploitation
The AI Vulnerability Exploitation step includes, as a minimum, the following key stages:
Exploiting Vulnerabilities – The use of Block8.ai’s proprietary artificial intelligence toolset to leverage identified vulnerabilities, with the aim of exploiting them to permit unauthorised activities such as access or control.
Post-Exploitation – If permitted within the scope of the engagement, additional exploitation of the compromised system in an attempt to escalate access privileges, access sensitive data or move laterally through the target environment.
Reporting
The Reporting step includes, as a minimum, the following key stages:
Executive Report
Provides a non-technical overview of the engagement, including result statistics and severity levels.
Technical Report
Detailed Findings – All identified vulnerabilities will be documented along with the severity and the potential impact on the client organisation should that vulnerability be exploited.
Remediation Recommendations – Actionable activities that can be conducted by the client to reduce the potential impact from identified vulnerabilities.
Human Validation – Block8’s human subject matter experts will review all findings and recommendations as validation of the AI processes.
Certificate
Provision of a one-page letter with no technical details that the client can confidently publicise to their external stakeholders as an assurance that testing has been conducted.
Re-Testing (as Required)
The Re-Testing step includes, as a minimum, the following key stages:
Re-Testing is conducted if a request is received within 45 days of the issue of the report.
Re-Testing is conducted only on previously identified Critical and/or High Vulnerabilities with the aim of establishing if the previously identified vulnerabilities have been remediated.
Re-Testing includes the issue of revised reporting (all three reports).
Scoring Methodology
___
The methodology documented here is used for all Block8 penetration tests to score the vulnerabilities identified through the testing process. All scoring is based on the internationally recognised Common Vulnerability Scoring System (CVSS), the system used to score vulnerabilities catalogued under Common Vulnerabilities and Exposures (CVE). Vulnerabilities are scored on a sliding scale of severity from 0.0 through to 10.0, with 10.0 being the highest.
Where a discovered vulnerability has not yet been allocated a CVSS value, an assessment is made using the process defined on the CVSS website. Assessments err on the side of caution and accept the potential for over-scoring until such time as a CVSS score has been officially allocated.
Block8.ai Severity Rating    CVSS Score
Low                          0.1 – 3.9
Medium                       4.0 – 6.9
High                         7.0 – 8.9
Critical                     9.0 – 10.0