Introduction

Before your Network and Server Vulnerability Assessment and Penetration Testing (VAPT) engagement begins, your testing team needs specific information about your environment. Submitting these prerequisites accurately ensures the assessment starts without delays and that all relevant systems are tested within the agreed scope. This guide walks you through exactly what to prepare and how to share it.

Prerequisites

Before the assessment begins, ensure the following are in place:

Scope of Assessment

Provide a list of all external and internal IP addresses in scope for testing. For each asset, include the make and model, operating system, and firmware version where applicable.

Access for Internal Testing

Share VPN credentials and connection details required to access the internal network. If MFA is enabled on the VPN, include setup instructions or a temporary bypass mechanism so the testing team can connect without delays.

Firewall Configuration

If a firewall is in place, whitelist the following IPs before testing begins to allow uninterrupted scan traffic:

Astra IP Ranges

Step by Step Instructions

Step 1: Compile your IP address list Prepare a complete list of all external and internal IP addresses that are in scope for the test. Ensure this list is reviewed and approved by your internal IT team before sharing, as it defines the boundaries of the engagement.

Step 2: Document your devices and configurations For each device in the network, note down the device model, operating system, OS version, and firmware version where applicable. This helps the testing team tailor their approach to your specific environment and avoid false negatives caused by version-specific behavior.

Step 3: Set up VPN access for internal testing If internal network testing is in scope, provision VPN access for the testing team. Ensure the VPN is active and stable, and share the necessary credentials and access permissions securely. Coordinate with your IT team in advance if VPN provisioning requires approval workflows.

Step 4: Whitelist the testing team's IP addresses If a firewall is in place, whitelist the following IPs to prevent testing activity from being blocked mid-engagement. You can find the IP ranges here:

Astra IP Ranges

These are fixed infrastructure IPs used by the testing team throughout all engagements.

Step 5: Upload your prerequisites via the portal How you submit prerequisites depends on the type of device being tested:

Publicly accessible devices :  You can submit all details directly through the Astra dashboard. When adding your target, you will be redirected to schedule a scoping call with the sales team. Once the call is complete, you can add the target to your dashboard and update the remaining prerequisite details from there.

Devices inside a private network or VPN :  Direct portal upload is not sufficient for these environments. Your Customer Success Manager (CSM) will need to be involved to coordinate VPN access and credentials for the security team. Reach out to your CSM as early as possible to avoid delays, as this step may require additional approvals on your end.

On-premise physical devices :  Testing physical, on-site devices requires one of Astra's testers to visit your location in person to conduct the pentest. This involves additional cost. Contact your CSM to discuss logistics, scheduling, and pricing before proceeding

Expected Outcome

Once your prerequisites are submitted,  You can track the progress of your engagement directly on your Astra dashboard, which will reflect updates as the engagement moves forward. Your assigned CSM will manage all internal and external communication, coordinate timelines, and serve as your point of contact throughout the engagement.

Frequently Asked Questions

Testing team IPs are being blocked despite whitelisting Double-check that all four IP addresses were added correctly to your firewall allowlist. Confirm with your network team that the rules are applied at the right layer (e.g., perimeter firewall vs. host-based firewall). Ask the testing team to confirm which IP they are connecting from, as this can help isolate the blocked rule.

VPN access is not working for the testing team Verify that the credentials shared are active and have not expired. Check whether your VPN solution restricts access by device or certificate, and ensure the testing team's machine meets those requirements. If issues persist, consider provisioning a temporary dedicated VPN user account for the engagement.

Unsure which IPs to include in scope Start with your external-facing assets (public IPs, hosted services) and work inward. Your CSM can help you frame the scope if you are unsure. When in doubt, it is better to flag an IP as potentially in scope and have it confirmed than to leave a critical asset untested.

Dashboard not showing any progress after submission Allow some time for the engagement to be formally initiated after your scoping call. If the dashboard shows no activity, contact your CSM directly. They will verify that the target has been correctly added and that the engagement has been queued.

Unsure whether your device qualifies as publicly accessible or internal If you are not certain how to classify your device, consult your CSM before submitting. Misclassifying a device can delay the start of testing or result in an incomplete assessment