Scope & Rules of Engagement¶
1. EXECUTIVE SUMMARY & TESTING OVERVIEW¶
1.1 Abhavtech Security Testing Context¶
Abhavtech operates a complex, multi-platform enterprise infrastructure serving 19 global sites with 15,000+ users across APAC, EMEA, and Americas regions. The security validation program must comprehensively test:
Infrastructure Under Test: - SD-Access Fabric: DNAC 2.3.7.x, ISE 14-node cluster, TrustSec SGT micro-segmentation (30+ SGTs) - SD-WAN: vManage 20.15.x, 40+ WAN Edge routers, IPsec/TLOC tunnels, OMP routing - Webex Collaboration (Cloud): 3,200 Webex Calling users, 175 WxCC agents, cloud-based SIP trunks - SBC/CUBE (On-Premise): PSTN gateways in NJ, Mumbai, London (bridge to cloud Webex) - Zero Trust Platform: XDR/SecureX (8 ribbons), Duo Beyond (3,200 users), FTD firewalls (18 units), Umbrella SASE - AI/ML Platforms: Splunk SIEM (100GB/day, MLTK), ThousandEyes (6 agents), AppDynamics APM, Cognition Engine, DNAC Deep Network Model - AgenticOps Workflows: 8 AI-driven automation workflows (WF-001 to WF-008) with guardrail protection
Migration Status: - ✅ Webex Calling: Migrated to cloud (from on-premise CUCM) - ✅ Webex Contact Center: Migrated to cloud WxCC (from on-premise UCCX) - ❌ CUCM/UCCX: Decommissioned - NOT in testing scope - ✅ SBC/CUBE: Active on-premise PSTN gateways - IN testing scope
Business Context: - Regulatory Requirements: PCI-DSS, SOC2, GDPR, ISO 27001:2022 - Industry Sector: Financial Services (high threat landscape - ransomware, BEC, nation-state APTs) - Risk Tolerance: Low (financial services sector with customer trust dependencies) - Testing Constraints: Production environment (must avoid service disruption), 24x7 operations
1.2 Penetration Testing Program Structure¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH PENETRATION TESTING PROGRAM STRUCTURE │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ PROGRAM GOVERNANCE │
│ ══════════════════════════════════════════════════════════════════════════ │
│ • Testing Authority: CISO approval required for all tests │
│ • Scope Definition: Network Engineering + Security Team collaboration │
│ • Rules of Engagement (ROE): Documented, signed before each test │
│ • Emergency Stop: 24x7 escalation path if production impact detected │
│ • Legal Protection: Penetration testing authorization letter (legal dept) │
│ │
│ TESTING FREQUENCY │
│ ══════════════════════════════════════════════════════════════════════════ │
│ ┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ QUARTERLY TESTS │ │ MONTHLY TESTS │ │ CONTINUOUS TESTS │ │
│ │ (External Red Team)│ │ (Internal Team) │ │ (Purple Team) │ │
│ │ │ │ │ │ │ │
│ │ • Full scope tests │ │ • Targeted scenarios│ │ • Detection tuning │ │
│ │ • All platforms │ │ • Specific platforms│ │ • Blue team drills │ │
│ │ • 2 weeks duration │ │ • 2-3 days duration │ │ • Weekly scenarios │ │
│ │ • Formal report │ │ • Quick report │ │ • Iterative improve │ │
│ └─────────────────────┘ └─────────────────────┘ └─────────────────────┘ │
│ │
│ TESTING TYPES │
│ ══════════════════════════════════════════════════════════════════════════ │
│ │
│ External Black-Box Testing (Quarterly) │
│ • Zero knowledge of infrastructure │
│ • Simulates real attacker perspective │
│ • Validates perimeter defenses, detection capabilities │
│ │
│ Internal Gray-Box Testing (Monthly) │
│ • Standard user credentials (no admin) │
│ • Simulates insider threat, compromised user │
│ • Tests lateral movement, privilege escalation │
│ │
│ Purple Team Exercises (Weekly/Bi-weekly) │
│ • Collaborative Red + Blue team │
│ • Focus on detection tuning, response improvement │
│ • Iterative testing of specific attack paths │
│ │
│ Compliance-Driven Testing (Annual + As Required) │
│ • PCI-DSS ASV scans (quarterly) │
│ • PCI-DSS penetration test (annual) │
│ • SOC2 Type II validation (annual) │
│ • ISO 27001 audit support (annual) │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
1.3 Testing Scope & Boundaries¶
1.3.1 In-Scope Systems¶
| Platform Category | Systems Included | Attack Surfaces | Test Depth |
|---|---|---|---|
| SD-Access Fabric | DNAC 2.3.7.x, ISE 3.3/3.4 (14 nodes), fabric edge switches, fabric border nodes, wireless controllers | 802.1X bypass, SGT manipulation, rogue AP, VLAN hopping, MAC spoofing | DEEP: Full attack simulation, exploit attempts allowed (non-destructive) |
| SD-WAN | vManage 20.15.x, vSmart controllers, vBond orchestrators, 40 WAN Edge routers (ISR/ASR platforms) | vManage unauthorized access, OMP route injection, IPsec tunnel hijacking, certificate theft | DEEP: Management plane, control plane, data plane testing |
| Webex Collaboration | Webex Calling (3,200 users), Webex Contact Center (175 agents), SIP trunks, CUCM (migration state), Expressway-C/E | SIP trunk hijacking, toll fraud simulation, meeting enumeration, conference bridge abuse | MEDIUM: Test call scenarios, avoid actual toll fraud charges |
| Zero Trust Platform | XDR/SecureX, Duo Beyond (3,200 users), FTD firewalls (18 units), Umbrella SASE, AMP for Endpoints | Credential bypass, MFA fatigue, device trust bypass, firewall policy bypass, DNS hijacking | DEEP: Authentication flows, policy enforcement, threat detection |
| AI/ML Platforms | Splunk Enterprise (100GB/day), DNAC Deep Network Model, ThousandEyes, AppDynamics, MLTK models | API exploitation, data poisoning attempts, model inference attacks, unauthorized data access | MEDIUM: API security, access controls (avoid production ML model corruption) |
| Cloud Services | Azure AD, M365, Salesforce, ServiceNow, AWS (limited workloads) | SSO bypass, OAuth token theft, cloud tenant enumeration, API abuse | MEDIUM: Test authentication, authorization (avoid cloud service disruption) |
| End-User Devices | Windows 10/11 endpoints (12,000), macOS devices (800), mobile devices (iOS/Android 2,500) | Malware execution, credential harvesting, endpoint protection bypass, USB attack vectors | MEDIUM: Test on isolated endpoints, avoid production user disruption |
1.3.2 Out-of-Scope / Restricted¶
PROHIBITED ATTACKS (Will Cause Production Outage): - Denial-of-Service (DoS/DDoS) attacks on production infrastructure - Resource exhaustion attacks (CPU/memory/storage flooding) - Database deletion or corruption (production databases) - Active Directory domain controller attacks (e.g., DC compromise, Kerberos Golden Ticket) - BGP route injection to ISPs (affects external connectivity) - Physical destruction of equipment - Actual toll fraud (international calls generating charges >$100) - Ransomware deployment (even in test mode)
RESTRICTED TESTING (Requires Special Approval): - Production database queries (read-only, CISO approval) - IoT/OT systems (manufacturing, building controls - separate approval required) - Third-party SaaS platforms (vendor permission required) - Customer-facing systems during business hours (after-hours only) - Privileged account compromise simulations (Domain Admin, Enterprise Admin - tabletop only)
1.4 Success Metrics & KPIs¶
Test Execution Metrics:
| Metric | Measurement | Target | Actual (Baseline) |
|---|---|---|---|
| Mean Time to Detect (MTTD) | Time from attack initiation to first alert | <15 minutes | 45 minutes |
| Mean Time to Respond (MTTR) | Time from alert to containment action | <30 minutes | 2-4 hours |
| Detection Rate | Percentage of attack techniques detected | >85% | 68% |
| False Positive Rate | Alerts triggered without actual attack activity | <5% | 12% |
| Lateral Movement Containment | Time to detect/block lateral movement after initial compromise | <10 minutes | 60+ minutes |
| Privilege Escalation Detection | Ability to detect unauthorized privilege escalation | >90% | 65% |
Vulnerability Metrics:
| Severity | Definition | SLA Remediation | Current Count | Target |
|---|---|---|---|---|
| Critical | Remote code execution, domain admin compromise, direct data breach | 7 days | 0 | 0 |
| High | Privilege escalation, authentication bypass, significant data exposure | 30 days | 3 | 0 |
| Medium | Information disclosure, configuration weaknesses, limited access | 90 days | 12 | <5 |
| Low | Best practice violations, minor exposures | 180 days | 25 | <10 |
Purple Team Effectiveness:
| Metric | Description | Target |
|---|---|---|
| Detection Coverage Improvement | Increase in MITRE ATT&CK technique detection after purple team exercises | +15% per quarter |
| Playbook Execution Speed | Reduction in automated playbook execution time | -20% per quarter |
| Alert Tuning | Reduction in false positives through collaborative refinement | -30% per quarter |
1.5 Testing Team Structure¶
┌─────────────────────────────────────────────────────────────────────────────────┐
│ ABHAVTECH PENETRATION TESTING TEAMS │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ RED TEAM (Offensive Security) │
│ ══════════════════════════════════════════════════════════════════════════ │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ INTERNAL RED TEAM (3 FTE) │ │
│ │ • Lead Penetration Tester (OSCP, OSWP, GPEN) │ │
│ │ • Network Security Tester (CCNP Security, CEH) │ │
│ │ • Application Security Tester (OWASP, CSSLP) │ │
│ │ │ │
│ │ Responsibilities: │ │
│ │ • Monthly internal penetration tests │ │
│ │ • Purple team exercise execution │ │
│ │ • Social engineering campaigns │ │
│ │ • Custom exploit development (zero-day research) │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ EXTERNAL RED TEAM (Quarterly Engagement) │ │
│ │ • Third-party security firm (e.g., Mandiant, CrowdStrike Services)│ │
│ │ • Fresh perspective, unbiased assessment │ │
│ │ • Advanced persistent threat (APT) simulation │ │
│ │ • Compliance-driven testing (PCI-DSS, SOC2) │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ BLUE TEAM (Defensive Security) │
│ ══════════════════════════════════════════════════════════════════════════ │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ SOC ANALYSTS (12 FTE, 3 Shifts) │ │
│ │ • Tier 1: Alert triage, initial investigation │ │
│ │ • Tier 2: Incident response, threat hunting │ │
│ │ • Tier 3: Forensics, advanced threat analysis │ │
│ │ │ │
│ │ Responsibilities: │ │
│ │ • 24x7 monitoring (XDR, Splunk, DNAC, ISE) │ │
│ │ • Incident response playbook execution │ │
│ │ • Purple team exercise defense │ │
│ │ • Detection rule tuning │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ NETWORK ENGINEERING (6 FTE) │ │
│ │ • SD-Access engineers (DNAC, ISE, fabric troubleshooting) │ │
│ │ • SD-WAN engineers (vManage, OMP, IPsec tunnels) │ │
│ │ • Security engineers (FTD, Umbrella, Duo) │ │
│ │ │ │
│ │ Responsibilities: │ │
│ │ • Configuration review and hardening │ │
│ │ • Vulnerability remediation │ │
│ │ • Purple team technical support │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ PURPLE TEAM (Collaborative) │
│ ══════════════════════════════════════════════════════════════════════════ │
│ • Weekly/bi-weekly exercises combining Red + Blue teams │
│ • Focused on specific MITRE ATT&CK techniques │
│ • Iterative improvement: Attack → Detect → Tune → Retest │
│ • Knowledge transfer: Red team teaches Blue team attack methods │
│ • Metrics-driven: Track detection improvements over time │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘