🌐 Sherlocked Security – External Network Penetration Testing
Defend Your Perimeter Before Threat Actors Find the Cracks
📄 1. Statement of Work (SOW)
Service Name: External Network Penetration Testing
Client Type: SaaS, FinTech, eCommerce, Enterprises, Cloud-First Startups
Service Model: Manual + Automated Testing
Compliance & Framework Mapping: findings mapped to OWASP Top 10, ISO 27001, NIST 800-53, PCI-DSS, SOC 2, HIPAA
Testing Includes:
- Public IPs, DNS, Web Services
- VPNs, Firewalls, Proxies
- Email Infrastructure (SPF, DKIM, MX)
- Publicly Exposed Cloud Assets (S3, Azure Blob, Google Cloud Storage buckets)
- SSL/TLS, HTTP/HTTPS Services
🧠 2. Our Approach (with Visual)
🔹 Real-World Attacker Simulation
🔹 Known CVE Detection + Manual Hunting for Undisclosed Flaws
🔹 Deep Reconnaissance + Exploitation
Visual Flow:
[Passive Recon] → [Asset Discovery] → [Vulnerability Scanning] → [Manual Exploitation] → [Risk Mapping] → [Reporting & Retesting]
🧪 3. Methodology (with Visual)
[Kickoff] → [OSINT & DNS Recon] → [Subdomain Enumeration] → [Port & Service Scanning] → [Banner Grabbing] → [SSL/TLS Checks] → [CVE Identification] → [Manual Exploitation] → [PoC Capture] → [Reporting & Retesting]
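The "Port & Service Scanning" and "Banner Grabbing" steps above usually produce an nmap XML file that has to be turned into the report's list of affected IPs, ports and protocols. The script below is an added example (not Sherlocked Security's own tooling) of that triage: it parses the XML that `nmap -sV -oX scan.xml <targets>` writes, emits one record per open port, and flags services that should not be internet-facing. SAMPLE_XML is constructed for the example, and HIGH_RISK is this example's own policy list rather than a standard, so tune it to the client's agreed baseline.

```python
"""Triage an nmap -sV scan of the external perimeter (added example)."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# nmap service names (as reported by -sV) that a perimeter should not expose.
# Example's own assumption; adjust per engagement.
HIGH_RISK = {
    "telnet", "ftp", "ms-wbt-server", "microsoft-ds", "netbios-ssn",
    "mysql", "postgresql", "ms-sql-s", "redis", "mongodb", "vnc", "rpcbind",
}

# Constructed sample of what `nmap -sV -oX` writes; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="nginx" version="1.24.0" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.40"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    hostname: str
    port: int
    proto: str
    service: str
    banner: str      # "product version" from -sV, or "" when nmap saw none
    high_risk: bool


def parse_nmap_xml(xml_text: str) -> list[Finding]:
    """One Finding per open port on each live host; filtered/closed ports are dropped."""
    findings: list[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else ""
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            findings.append(Finding(
                ip=ip, hostname=hostname,
                port=int(port.get("portid")), proto=port.get("protocol", "tcp"),
                service=name, banner=" ".join(p for p in parts if p),
                high_risk=name in HIGH_RISK,
            ))
    return findings


def report_rows(findings: list[Finding]) -> list[str]:
    """Tab-separated rows for the report's 'IPs, Ports, and Protocols Affected' table."""
    return [
        f"{f.ip}\t{f.port}/{f.proto}\t{f.service}\t{f.banner or '-'}\t"
        f"{'HIGH' if f.high_risk else 'info'}"
        for f in findings
    ]


if __name__ == "__main__":
    for row in report_rows(parse_nmap_xml(SAMPLE_XML)):
        print(row)
```

Version strings from `-sV` are a starting point for the "CVE Identification" step, not proof: banners can be spoofed or backported, so each flagged version is confirmed manually before it is rated.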
📦 4. Deliverables to the Client
- ✅ Risk Summary Matrix
- 🧾 Statement of Work (SOW)
- 📘 Technical Report with:
- Vulnerability Details & Risk Ratings (CVSS v3.1)
- IPs, Ports, and Protocols Affected
- Exploitation Proofs
- Suggested Remediations + External References
- 📊 Attack Surface Map
- 🎥 Executive Summary Call (Optional)
- 🧑‍💻 Slack/Teams Support for Fixes
- 🔁 One Free Retesting Round
- 🎓 Post-fix Penetration Test Certificate (issued once the retest confirms the fixes)
🤝 5. What We Need from You (Client Requirements)
- ✅ Public IP ranges & domain names
- ✅ Time window for live testing
- ✅ Any IPs/domains out-of-scope
- ✅ Cloud asset inventory (S3 buckets, subdomains)
- ✅ Point of contact for incident alerts/escalations (so live testing is never mistaken for a real attack)
- ✅ WAF/Firewall config details (if applicable)
🧰 6. Tools & Technology Stack
- 🔍 Nmap, Masscan
- 🕵️‍♂️ Amass, Subfinder, Assetfinder
- 🔐 Burp Suite, Dirsearch, Nikto
- 🔬 Nessus, Nuclei
- 📂 SSLyze, testssl.sh
- 🛠️ Custom scripts for CVE exploit checks
- 🔎 Shodan/Censys for external OSINT
- 🧠 AI-powered misconfiguration scanner
🚀 7. Engagement Lifecycle (Lead → Closure)
1. Intro Call → 2. Scope Finalization → 3. SOW + NDA → 4. Asset Enumeration → 5. Testing Phase (3–7 Days) → 6. Draft Report → 7. Fix Walkthrough (Optional) → 8. Retest → 9. Final Report + Certification
🌟 8. Why Sherlocked Security? (Our USP)
| Feature | Sherlocked Advantage |
|---|---|
| 🌐 Deep Recon & Asset Fingerprinting | Uncover hidden & legacy assets |
| 🧪 Exploitation-Focused | Validate vulnerabilities, not just detect them |
| 📘 Dev/Infra-Friendly Reports | PoCs, fixes and CVSS scores included |
| 🔁 Retest Included | Confirm patch effectiveness |
| ⚙️ Live Support | Fix guidance via Slack/Teams |
| 🎓 Certification | Issued after the retest confirms the fixes |
📚 9. Real-World Case Studies
🔓 Forgotten Admin Portal → Full Takeover
Issue: Unlisted admin panel on subdomain
Vuln: Default creds + outdated PHP version
Impact: Remote command execution
Fix: Auth added + infra isolated + version upgraded
🧪 S3 Bucket Misconfiguration
Client: SaaS Startup
Finding: World-readable S3 bucket exposing internal docs
Outcome: Bucket permissions tightened + audit rules added
🛡️ 10. SOP – Standard Operating Procedure
- Kickoff Meeting & Scope Setup
- OSINT & Asset Enumeration
- Port/Service Discovery
- Web Tech Fingerprinting
- SSL/TLS Inspection
- Known CVE Checks + Manual Hunting for Undisclosed Flaws
- Manual Validation & PoC
- Draft Report + Fix Support
- Retest & Verification
- Final Report + Certification
📋 11. External Penetration Checklist (Preview)
- Perform external asset discovery.
- Identify open ports and exposed services.
- Test for misconfigured services and default credentials.
- Analyze DNS records and test for subdomain takeover (dangling CNAMEs to unclaimed third-party hosts).
- Conduct banner grabbing and service fingerprinting.
- Exploit known CVEs in outdated software.
- Assess firewall and intrusion detection evasion.
- Check for exposed development/test environments.
- Perform rate-limited brute-force and credential-stuffing checks (inside the agreed window, mindful of account lockout).
- Document publicly accessible sensitive data.