The most successful security programs don’t start with scanning tools or kickoff calls. They start with alignment.

At Sprocket Security, we believe great onboarding sets the tone for a long-term partnership. When we provide clear guidance and new customers come prepared, we can move quickly from introductions to action. This accelerates time-to-value and delivers meaningful security insights faster.

Here’s what “ready for success” looks like at the start of your relationship with Sprocket.

1. Understand What to Expect from Testing

Before kickoff, our team ensures you’re familiar with the type of testing you’ve purchased, which may include:

  • External Network Penetration Testing
  • Internal Network Penetration Testing
  • Web Application Testing
  • Social Engineering
  • A combination of services

Each engagement type has different requirements, timelines, and technical considerations. When expectations are clear on both sides, onboarding becomes focused and efficient rather than exploratory.

2. Bring the Right Stakeholders to the Kickoff Call

One of the biggest drivers of onboarding speed is having the right people in the room.

We recommend including:

  • Scope approvers – Individuals authorized to confirm assets and boundaries
  • IT / Infrastructure – For IP gathering and internal testing appliance (dropbox) deployment
  • Dev / DevOps / Application Owners – For web application URLs and credential provisioning

When decision-makers and technical operators attend the kickoff call, we can resolve action items live and avoid the delays that come from relaying questions through multiple teams after the call. We recommend letting your internal attendees know what Sprocket does and what information or support they'll be asked to provide ahead of time.

3. Clearly Define Your Scope

Accurate scoping prevents delays and ensures we test exactly what matters most to your organization.

For External Testing

We’ll need:

  • Validation of in-scope assets

  • Identification of cloud assets (FQDNs are preferred)
    • Cloud IPs frequently change or are shared across tenants
  • Confirmation that external IPs are static and/or owned by your organization

Clear scope translates to quicker validation and ensures a swift start to testing.

For Internal Testing

We’ll need:

  • Validation of in-scope assets
    • Internal subnets in scope for testing
  • Identification of any systems or network segments that should be excluded from testing
  • Confirmation that our dropbox for testing can reach all the subnets in scope

With proper internal scope validation ahead of time, once our dropbox is installed we can begin testing more promptly.

4. Prepare for Internal Testing (Dropbox Setup)

For internal pentesting, we deploy a secure dropbox that allows us to test your internal environment remotely. It's helpful to have someone from your infrastructure team available who can speak to deployment details.

To ensure smooth deployment, clients should be ready to confirm:

  • Will this be a virtual (VM) or physical dropbox?
  • Will it use DHCP, or does it require a static IP?
    • If static IP is needed, we’ll need:
      • Static IP
      • Netmask
      • Gateway
      • DNS servers

The dropbox, once installed, must be able to communicate outbound to a Sprocket-managed tunnel endpoint over standard ports. The specific endpoint and ports will be given prior to the kickoff call.

Ensuring this outbound traffic is permitted ahead of time prevents unnecessary troubleshooting.

For virtual deployments, clients should be able to provide:

  • Hypervisor type
  • Preferred file format (OVA is standard; VHD and AMI are supported)

Sprocket utilizes a standard build for all dropboxes. Those specifications are as follows:

  • Format: OVA, VHD, or AMI
  • OS: Ubuntu Server
  • CPU: 4
  • RAM: 8 GB
  • Storage: 128 GB

Most importantly, verify that the dropbox can reach all assets listed in scope. We recommend verifying subnet reachability after deployment, since connectivity issues are the most common cause of delays in internal testing.
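A pre-kickoff sanity check of the static IP details and the internal scope list described above, as an added example rather than Sprocket tooling. The function names are hypothetical, all addresses are constructed, and it handles IPv4 only.

```python
import ipaddress

def check_static_config(ip, netmask, gateway, dns_servers):
    """Return a list of problems with the dropbox's static IP details."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    net, gw = iface.network, ipaddress.ip_address(gateway)
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway is the same address as the dropbox")
    if not dns_servers:
        problems.append("no DNS servers listed")
    return problems

def effective_scope(in_scope, excluded):
    """Subtract exclusions from the in-scope subnets.

    Returns (subnets left to test, exclusions that overlap no in-scope subnet).
    """
    scope = [ipaddress.ip_network(s) for s in in_scope]
    unmatched = []
    for ex in (ipaddress.ip_network(e) for e in excluded):
        remaining, hit = [], False
        for net in scope:
            if ex.subnet_of(net):        # carve the exclusion out of this subnet
                hit = True
                remaining.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):      # exclusion covers the whole subnet
                hit = True
            else:
                remaining.append(net)
        scope = remaining
        if not hit:
            unmatched.append(str(ex))    # likely a typo in the scope list
    return sorted(ipaddress.collapse_addresses(scope)), unmatched

if __name__ == "__main__":
    # Constructed sample values, not from a real environment.
    print(check_static_config("10.20.0.50", "255.255.252.0", "10.20.4.1", ["10.20.0.10"]))
    nets, unmatched = effective_scope(["10.20.0.0/22", "10.30.5.0/24"],
                                      ["10.20.1.0/24", "192.168.50.0/24"])
    print([str(n) for n in nets], unmatched)
```

An exclusion reported as unmatched usually means a typo in either the scope list or the exclusion list, which is worth resolving before the dropbox is installed.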

5. Have Web Application Details Ready

For web application testing, preparation is key.

Sprocket will need:

  • Validated Fully-Qualified Domain Names ("FQDNs") or URLs for each application in-scope
  • Confirmation of the testing environment:
    • Production
    • Staging
    • Development
  • Provisioned credentials for each user role being tested

We recommend creating test accounts using the format:

pentest+[user]@sprocketsecurity.com

The [user] can be replaced with each user role being provisioned for Sprocket testing (e.g., pentest+admin@sprocketsecurity.com, pentest+readonly@sprocketsecurity.com, etc.).

If IP whitelisting is required, let us know and we’ll provide the necessary details during kickoff.

When URLs and credentials are ready before kickoff, we can begin validation of those URLs and credentials immediately. This will put us in a great spot to begin testing sooner.

6. Alignment Creates Momentum

The goal of onboarding isn’t only to kick off penetration testing with Sprocket. We also want to build confidence in our partnership.

When:

  • Scope is validated
  • Stakeholders are aligned
  • Infrastructure requirements are understood
  • Credentials and assets are ready

we can transition from kickoff to testing with minimal friction. That’s how we deliver meaningful results faster.

The Bottom Line

Successful onboarding with Sprocket isn’t complicated, it’s collaborative. We're always refining our onboarding process to make the path from kickoff to active testing as smooth as possible for customers.

Preparation on both sides ensures:

  • Faster time to testing
  • Fewer surprises
  • Clear communication
  • Stronger security outcomes

When you come to kickoff ready, we don’t just start an engagement. We start a partnership. We very much look forward to working with you and assisting in the improvement of your security posture.