Getting started guide

Whether you're going through a Test Trial or purchased a vPenTest subscription, the steps below will help you get started with our platform. Happy PenTesting!

Overview

Welcome to the vPenTest User Guide. Before we get started, let's cover some terms that will be used in and throughout vPenTest:

Company: A company is basically your client. If you're performing an assessment for Walgreens, then this is your "Company" in the vPenTest portal.
My User: These are your consultants/coworkers that will have access to the portal. They will be able to schedule assessments, etc.
Company User: These are the user accounts that belong to the company (aka your client's user accounts). You can invite these users into the portal and they'll only have the ability to watch their assessments, view their company's trending vulnerabilities, and see reports that you release to them. They won't be able to schedule any assessments
Agent: An Agent is simply an internal virtual machine or physical device that vPenTest will connect to in order to perform a penetration test on-prem or in the cloud.
Schedules: A schedule is simply a schedule for your security assessment. You can create scheduled assessments to run assessments based on your preferred time and date preferences.

NOTE If you are performing an internal security assessment, you will need to have an Agent deployed. Refer to IP Estimator prior to continuing with this process.

Step 1: Create a company

A company is essentially a client that you’d like to perform a security assessment on.

When creating a company, it’s important to fill out as many details as possible.

Things such as the company’s domain name can be used for open source intelligence (OSINT) gathering.

Follow these steps to create a company:

Click Companies in the left navigation menu.
Click the New Company button.
Fill out the New Company pop-up modal. The following options are presented:

Field	Description
Full Name	The full name of the company.
Short Name	The company’s abbreviation (if any). If none exists, you can use the company’s full name.
Industry	Provide your client’s industry category.
Domain	Used for Open Source Intelligence (OSINT) gathering, this textbox should contain the domain name of the company.
Support Email	Optional field, but can be used to send support-related information to the client if necessary (e.g., Agent offline, etc.).
Time Zone	Provide the company’s time zone.
Use Vonahi Security branded deliverables	If you ever want to use Vonahi Security branded deliverables, you can select the checkbox for “Yes”. Otherwise, the reports for this company will be branded using your company’s branding (e.g. logo, colors, etc.).

NOTE If you are conducting an internal security assessment, such as an internal penetration test or vulnerability assessment, then filling out the second tab could be helpful by providing an email address as opposed to memorizing a UUID generated by the Agents.

EXAMPLE For example, for CompanyA, you could create an alias here called vPenTest@companya.com. For CompanyB, you can use vPenTest@companyb.com. When you go to register an Agent, you'll simply provide these email addresses for their respective companies, and vPenTest will automatically associate the Agents to the appropriate companies.

It should be noted that this value must be unique, otherwise you'll end up registering Agents to the wrong companies.

Step 2: Schedule an assessment

A Scheduled Assessment is where you’ll go to configure the necessary requirements for your client’s security assessment. Follow the steps below to schedule an assessment:

Click Assessments in the left navigation.
Next, you’ll be presented with a page that allows you to select the Current Assessments or the Future Assessments tab. On the Future Assessments tab, click the New Scheduled Assessment button.
Fill out the 6-Step Assessment wizard. The wizard that pops up will guide you through setting up your assessment for your client.

Step number	Step name	Instructions
1	Project Details	Select the company that you created in the first part of this guide. Once you select a company you’ll notice that a list of security assessments will populate on the right side of the page. While you may hover the i icon to get more information about each assessment, let’s summarize what each assessment consists of: A penetration test excludes a vulnerability assessment. A penetration test replicates the entire role of a consultant by attempting to identify security weaknesses that could be used directly in conjunction with an attack against the environment. A vulnerability assessment excludes a penetration test, and only attempts to identify security vulnerabilities based on the publicly documented and known security vulnerabilities. A security assessment includes both a penetration test and a vulnerability assessment. An internal and external security assessment follows the same methodology, with the exception of the external penetration test performing open source intelligence (OSINT) gathering. OSINT gathering is performed to attempt identifying information on the public Internet that could be used to conduct an attack against the organization. Such information could include disclosed usernames in files’ metadata, employee names, doppelganger domains, and more. NOTE If you opt to perform an internal assessment of any kind, you’ll need to first deploy a vPenTest Agent, which you can find in the Support Info page.
2	Frequency	Next, you’ll select the frequency. For the purpose of the trial, select One Time. The calendars will appear and you’ll be able to select a date of your choosing.
3	Scan Times	Select a time zone for your customer. Then, select a time you’d like for the assessment to start. You can either click on a day, such as Monday, to select the entire day, or you can click on a column, such as 3, to select 3 PM (or 3 AM) for every day of the week.
4	IP Range	In this step, provide the IP addresses that you’d like to perform an assessment on. You must either provide single IP addresses, CIDR notation, or IP address ranges in the following format: 192.168.1.1-255. You must also separate these IPs/ranges either by commas or new lines. You may also provide IP addresses to be excluded from all testing. NOTE Domains and sub-domains provided in the company’s profile will only be used for OSINT and not automatically included in this scope unless explicitly added.
5	Notifications	In this step, you have the option to subscribe to notifications as the assessment progresses. You can either subscribe users who have been registered in the portal, or you can simply provide their email addresses. See below for a list of project notifications and their meanings: Assessment Activities: As the penetration test and/or vulnerability assessment moves from phase to phase, such as Host Discovery to Enumeration, you’ll be notified by email. New report finding added: As new penetration test findings get added to the assessment, you’ll be notified with a brief summary of what was added to the assessment. Vulnerability count changes: As new vulnerabilities are added (from the vulnerability assessment), you’ll be notified on how many vulnerabilities were recently added to the assessment.
6	Summary	On the final screen (step 6), you can see a finalized summary of the configuration options you’ve provided for the scheduled assessment.

Finally, click Finish and your assessment will be queued.
If you’ve selected for your assessment to start immediately, then your assessment will start 30 minutes after you've confirmed the scheduled assessment. For more information, refer to How soon can I start an assessment?
If you're looking to perform an internal assessment, your next step will be to deploy the vPenTest VM using the Ubuntu ISO within your client's internal network environment. For more information, refer to Deploying the Agent from an ISO.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!