What external addresses do I need to scan for Cyber Essentials / Pen Testing, etc.?
This is a good question and can differ between Cyber Essentials and Pen Testing.
In Cyber Essentials, we will enumerate and vulnerability-assess your disclosed IP addresses (those that you own and control), and we strongly recommend that this include the entire range of IP addresses you have.
Thus, for Cyber Essentials, please ensure you provide us with the entire range of IP addresses you have, own, and, most importantly, control, including:
- Your office locations where you own the connection (not a managed service office)
- Any data centre IP addresses for services your systems/servers provide, including any per-server IP addresses allocated to devices.
When we are Pen Testing, we recommend the same, but for cost reasons (not for good security practice) you may include only those IP addresses with enabled services. Ideally, you want to know the risks on all of your IPs, so we suggest including all of them.
SUBNET or CIDR NOTATION
You may have been advised that you hold a particular range of IP addresses expressed in CIDR notation; for reference, the common range sizes are shown below:
| CIDR | TOTAL IPS | USABLE IPS | MASK | NOTES |
|------|-----------|------------|------|-------|
| /32 | 1 | 1 | 255.255.255.255 | |
| /31 | 2 | 0 | 255.255.255.254 | |
| /30 | 4 | 2 | 255.255.255.252 | |
| /29 | 8 | 6 | 255.255.255.248 | |
| /28 | 16 | 14 | 255.255.255.240 | |
| /27 | 32 | 30 | 255.255.255.224 | Unusual allocation |
| /26 | 64 | 62 | 255.255.255.192 | Unusual allocation |
| /25 | 128 | 126 | 255.255.255.128 | Unlikely external here |
| /24 | 256 | 254 | 255.255.255.0 | Unlikely external here |
It is also worth noting that specific ranges are reserved for internal (private) use, namely:
- CLASS A: 10.0.0.0/8 --> 10.0.0.0 to 10.255.255.255 (24-bit block)
- CLASS B: 172.16.0.0/12 --> 172.16.0.0 to 172.31.255.255 (20-bit block)
- CLASS C: 192.168.0.0/16 --> 192.168.0.0 to 192.168.255.255 (16-bit block)
These ranges are not publicly routable on the internet, so they can never be part of an external scan scope.
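As an added example (not part of the original FAQ), the following Python scope check uses the standard `ipaddress` module to compute the table rows above for any submitted prefix and to flag entries that fall inside the three private ranges, which should be queried back rather than scanned externally. The sample submission is constructed from documentation (TEST-NET) prefixes; `build_scope` and `describe_cidr` are names chosen for this example.

```python
import ipaddress

# The three RFC 1918 ranges listed above: anything inside them cannot be an
# external scan target because it is not routable on the public internet.
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what a customer might submit as "our external IPs".
SAMPLE_SUBMISSION = ["203.0.113.0/29", "198.51.100.7",
                     "192.168.1.0/24", "10.0.0.0/8", "not-an-ip"]

def usable_hosts(net):
    """Usable hosts by the convention of the table above: a /32 is one host,
    a /31 has none, otherwise total minus network and broadcast addresses."""
    if net.prefixlen == 32:
        return 1
    if net.prefixlen == 31:
        return 0
    return net.num_addresses - 2

def describe_cidr(cidr):
    """One row of the CIDR table for a prefix (a bare address counts as /32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    private = net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_RANGES)
    return {
        "cidr": f"/{net.prefixlen}",
        "total": net.num_addresses,
        "usable": usable_hosts(net),
        "mask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "private": private,
    }

def build_scope(submitted):
    """Split a submitted list into external scan scope and entries to query
    back with the customer (malformed, or inside an RFC 1918 range)."""
    in_scope, rejected = [], []
    for entry in submitted:
        try:
            row = describe_cidr(entry)
        except ValueError:
            rejected.append((entry, "not a valid IP address or CIDR"))
            continue
        if row["private"]:
            rejected.append((entry, "RFC 1918 range, not publicly routable"))
        else:
            in_scope.append(row)
    return in_scope, rejected
```

Running `build_scope(SAMPLE_SUBMISSION)` keeps the two TEST-NET entries and rejects the two private ranges and the malformed string, so the scope sent for scanning contains only addresses that can actually be reached from the internet.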