
Usable IP Addresses for Scanning

What external addresses do I need to scan for Cyber Essentials / Pen Testing, etc

This is a good question, and the answer differs between Cyber Essentials and pen testing.

For Cyber Essentials, we enumerate and vulnerability-assess the external IP addresses you disclose (those you own and control). For a pen test we suggest, and for Cyber Essentials we require, that this covers the entire range of external IP addresses you have.

So, for Cyber Essentials, please provide us with the entire range of IP addresses you own and, most importantly, control. That includes:

  • Your office locations where you own the Internet connection (not a managed-service office)
  • Any data-centre IP addresses for services your systems/servers provide, including any per-server IP addresses allocated to devices; in short, anything in the business that is reachable from the Internet.

When we are pen testing, we recommend the same scope. For cost reasons (not as good security practice) you may choose to include only those addresses with enabled services, but ideally you want to know whether there are risks on all of your IPs, so we suggest including them all.

You CANNOT scan the external (home) IP addresses of your employees without their written and recorded consent. Those addresses are also likely to be dynamic (changing), so without constantly re-checking you cannot be sure whose connection you are scanning; we would not recommend it in any case.

SUBNET or CIDR NOTATION

You may have been told that you have a particular range of IP addresses given in CIDR notation; for reference, the common block sizes are shown below. "Usable IPs" is the total minus the network and broadcast addresses of the block.

CIDR   TOTAL IPS   USABLE IPS   MASK               NOTES
/32    1           1            255.255.255.255    Single host
/31    2           0            255.255.255.254    0 under the classic rule; RFC 3021 point-to-point links do use both addresses
/30    4           2            255.255.255.252
/29    8           6            255.255.255.248
/28    16          14           255.255.255.240
/27    32          30           255.255.255.224    Unusual allocation
/26    64          62           255.255.255.192    Unusual allocation
/25    128         126          255.255.255.128    Unlikely external here
/24    256         254          255.255.255.0      Unlikely external here

It is also worth noting that specific ranges are reserved for internal (private) use, defined in RFC 1918. These are:

  • CLASS A: 10.0.0.0/8 --> 10.0.0.0 to 10.255.255.255 (24-bit block)
  • CLASS B: 172.16.0.0/12 --> 172.16.0.0 to 172.31.255.255 (20-bit block)
  • CLASS C: 192.168.0.0/16 --> 192.168.0.0 to 192.168.255.255 (16-bit block)

These ranges are not publicly routable on the Internet, so they should never appear in an external scan scope.
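As an added worked example (not part of the original FAQ), the script below turns a list of disclosed addresses and CIDR blocks into a flat external scan scope. It reproduces the mask/total/usable figures from the table above (classic rule: network and broadcast excluded, so a /31 counts 0 and a /32 counts 1), drops anything that falls in the three RFC 1918 ranges, and flags blocks of /25 or larger as "confirm you own and control this". The /25 threshold and the sample input (RFC 5737 documentation addresses, constructed here) are assumptions for the example; the page itself only states which sizes are unusual.

```python
import ipaddress

# The three RFC 1918 blocks listed above. They are not routable on the
# Internet, so they must never appear in an external scan scope.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefix lengths at or below this are flagged for confirmation. The table
# marks /25 and /24 "Unlikely external here"; the threshold is an assumption
# for this example, not a rule from the page.
LARGE_PREFIX = 25


def usable_count(net: ipaddress.IPv4Network) -> int:
    """Usable hosts under the classic rule used in the table: a /32 is one
    host, a /31 has none (RFC 3021 point-to-point links do use both of its
    addresses, but the table follows the classic count), otherwise the
    network and broadcast addresses are dropped."""
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 0
    return net.num_addresses - 2


def describe_cidr(cidr: str) -> dict:
    """Mask, total and usable count for a block written in CIDR notation."""
    # strict=False accepts host-bit input such as 203.0.113.5/29 and
    # normalises it to the containing block (203.0.113.0/29).
    net = ipaddress.ip_network(cidr, strict=False)
    return {"network": str(net), "mask": str(net.netmask),
            "total": net.num_addresses, "usable": usable_count(net)}


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """The addresses usable_count() counts, in address order."""
    if net.prefixlen == 32:
        return [net.network_address]
    if net.prefixlen == 31:
        return []
    return [a for a in net
            if a not in (net.network_address, net.broadcast_address)]


def build_scope(entries) -> tuple:
    """Turn disclosed ranges into a flat target list.

    Returns (targets, warnings): targets is a de-duplicated list of
    dotted-quad strings, one per usable address; warnings explains
    anything dropped or flagged so it can be raised with the customer.
    """
    targets, warnings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            warnings.append(f"{entry}: not a valid address or CIDR, skipped")
            continue
        if net.version != 4:
            warnings.append(f"{entry}: IPv6 not handled in this example, skipped")
            continue
        if any(net.overlaps(r) for r in RFC1918):
            warnings.append(f"{entry}: RFC 1918 private range, not routable, dropped")
            continue
        if net.prefixlen <= LARGE_PREFIX:
            warnings.append(f"{entry}: /{net.prefixlen} is unusually large for an "
                            "external allocation; confirm you own and control it")
        if net.prefixlen == 31:
            warnings.append(f"{entry}: /31 has no usable hosts under the classic "
                            "rule; list its two addresses individually if live")
        targets.extend(str(a) for a in usable_hosts(net))
    # Overlapping entries (a /32 inside a disclosed /29, say) would
    # otherwise produce duplicate targets; keep first-seen order.
    return list(dict.fromkeys(targets)), warnings


if __name__ == "__main__":
    # Constructed sample of what a customer might send. 203.0.113.0/24 and
    # 198.51.100.0/24 are RFC 5737 documentation ranges, not real allocations.
    disclosed = ["203.0.113.8/29", "198.51.100.17", "192.168.1.0/24", "203.0.113.8"]
    print(describe_cidr("203.0.113.8/29"))
    targets, warnings = build_scope(disclosed)
    print("targets:", targets)
    for w in warnings:
        print("warning:", w)
```

The target list is expanded one address per line so it can be fed straight to a scanner's input file; for anything /24 or larger you would normally pass the CIDR to the scanner itself rather than expanding it, which is why those entries are flagged rather than silently expanded.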

You can check your external IP address by clicking here. We cannot advise you on your subnet mask or CIDR range, but we can confirm your actual "break-out" (public) address.