# Pentest & Assessment Schedule

Classification: CONFIDENTIAL — Internal Use Only
Document: security/vuln/pentest-schedule.md · v1.0 · 2026-03-16 · GPUS-IT

## Assessment history

| Date | Type | Scope | Findings | Conducted by | Status |
|---|---|---|---|---|---|
| 2026-03-10 | Internal review | All 4 servers — CIS hardening verification | 0 critical, 0 high | IT Admin (self-assessment) | Complete |
| 2026-03-16 | Automated scan | Lynis 3.1.6 daily on all 4 servers | Hardening index 76–79 | Automated (Lynis) | Active |

## 2026 assessment schedule

| Quarter | Assessment | Type | Scope | Vendor | Status |
|---|---|---|---|---|---|
| Q2 2026 | Vulnerability scan | Automated (Nessus/OpenVAS) | WDC network — all hosts | TBD | Planned |
| Q2 2026 | DNS resolver hardening review | Internal | SKY/RAIN BIND config | IT Admin | Planned |
| Q3 2026 | External penetration test | External | Cloud Run services + VPN perimeter | External firm (TBD) | Planned |
| Q3 2026 | Social engineering assessment | External | All staff — phishing simulation | External firm (TBD) | Planned |
| Q4 2026 | Red team exercise | External | Full WDC + GCP environment | External firm (TBD) | Planned |
| Q4 2026 | Annual DR drill | Internal | All 4 servers + GCP | Director of Cyber Security + Full team | Planned |

## Scope definitions

### Internal assessment

Conducted by IT Admin using available tools (Lynis, manual review, CIS benchmark). No external access. Scope limited to servers IT Admin has root access to.

### Vulnerability scan

Automated network scan using Nessus Essentials or OpenVAS. Covers all hosts on 192.168.120.0/23. Outputs CVSS-scored findings. Results fed into Vulnerability Tracker.

### External penetration test

Conducted by an independent security firm with no prior knowledge of the environment (black-box or grey-box). Scope agreed in advance via Rules of Engagement document. All findings documented and tracked to remediation.

### Red team exercise

Full adversarial simulation including physical, social engineering, and technical attack vectors. Duration: 2–4 weeks. Debrief includes full attack path documentation.

## Rules of engagement template

Before any external assessment, the following must be agreed in writing:

- Scope: specific IPs, domains, and services in/out of scope
- Duration: start and end dates/times
- Emergency contact: IT Admin + Director of Cyber Security phone numbers
- Out-of-scope actions: no DoS, no data exfiltration beyond proof-of-concept, no physical access without escort
- Notification: 48-hour advance notice before testing begins
- Reporting: draft report within 5 business days of completion