Please notify the Huntress Security Operations Center (SOC) Support team when you are planning or conducting Pen Testing.
The Huntress SOC maintains an "Assume Breach" posture and will treat all activity as a real threat until confirmed otherwise. Without proper preparation, this may lead to the unintended isolation of a system or all systems in an environment.
Pre-Pentesting Checklist
1. Set Up Host Isolation Exclusions (Required)
To prevent host or organization isolation during a planned pen test, you must set up a host isolation exclusion before testing begins.
Follow the guide "Excluding Endpoints or Organizations from Isolation" for instructions.
Without isolation exclusions in place, our SOC will isolate hosts exhibiting malicious behavior regardless of any pentest notification.
2. Notify Huntress SOC Support
Contact the Huntress SOC Support team and provide the following information:
Pentest start date/time (include timezone)
Pentest end date/time (include timezone)
Organization being tested
Originating host(s) and/or internal IP address(es) from which pentest activity will come
Username(s) that will be used during the test (if known)
In-scope hosts/subnets for the test (if known)
The more detail you provide up front, the better our SOC can differentiate between your pentest activity and real threats across the rest of your environment.
3. Verify Huntress Agent Coverage
Ensure the Huntress agent is installed on the endpoint from which testing originates.
Ensure the Huntress agent is installed on all endpoints where the testing will occur.
Please Note
The Huntress SOC will continue to issue incident reports during the pentest. This is by design and demonstrates our detection and monitoring capabilities.
Any isolation exclusion must be manually removed following testing to resume full Huntress endpoint protection.
To maintain operational capacity for our partners, Huntress may deprioritize triage, analysis, and reporting for environments where the partner has confirmed a penetration test is ongoing.
Deploying Huntress after a penetration test has begun results in a visibility gap. The platform will lack the historical telemetry and retrospective detections necessary to analyze activities that occurred prior to the agent's installation.
If you choose not to provide pentest scope details, the SOC is instructed to treat all observed activity as a real threat. This means hosts may be isolated and incident reports will be sent as if a real intrusion is occurring.