Allow listing during pentests or other security assessments

Timo
4 min read · Nov 12, 2024

When setting up a penetration test, there is a question the client and the tester should settle up front: should the IP addresses of the pentesters' systems be added to an "allow list" so that they bypass intrusion prevention systems (IPS) and/or web application firewalls (WAFs)? As counterintuitive as it might sound, letting your pentest provider through these additional security controls often delivers the most accurate and valuable results for your security.

Here’s why that’s often the case, and when it makes sense to let pentesters skip the usual guardrails.

What are IPS and WAF?

First off, a quick breakdown. Intrusion prevention systems and WAFs detect and block potential threats based on known attack signatures and on unusual behaviour patterns. They react to classic signs of an attack such as port scans, SQL injection attempts, or bursts of automated requests (for example when scanning for known vulnerabilities). When these systems pick up what they consider "suspicious" activity, they typically respond by rate-limiting the traffic or blocking the source IP address, sometimes for a fixed period and sometimes permanently. That is generally what we want them to do. In a pentest, however, it gets in the way of what we are really after.

Pentesters have a limited amount of time — attackers don’t

The issue with an IPS or WAF blocking pentesters boils down to the duration of the assessment. In real-world attacks, adversaries have all the time they need. They can slow down, sending a handful of requests spread over days or weeks to stay below detection thresholds. Pentesters, however, are typically hired for a short time window, often just a few days. Blocking their IP for even a couple of hours means delays, missed vulnerabilities, and a general reduction in the test's effectiveness.

With allow listing, pentesters can conduct a focused, in-depth assessment of the applications or infrastructure within scope without stop-and-start delays. It lets them explore potential vulnerabilities in your systems as directly and comprehensively as possible, without spending valuable hours waiting for an IP block to lift or troubleshooting with the security team.

Usually we want to test your applications and infrastructure

Another point to consider is the focus of most penetration tests. Typically, the aim is to assess the security of an application or infrastructure itself, not the additional security layers in front of it. Testing a dedicated application or system is the most common reason a customer hires us. The job of an IPS or WAF is to reduce the likelihood of an attack reaching your critical assets, but it does not make those assets any safer in themselves: a vulnerability behind a WAF is still a vulnerability, and WAF rules are regularly bypassed with encoding tricks or unusual payloads. In other words, a WAF can delay or deter threats and buy you time to react to an ongoing attack, but it is no guarantee of protection. By giving pentesters direct access, you ensure that the test covers the real targets rather than just the "gatekeepers."

Of course, there are cases where testing the IPS or WAF is itself the goal. That is a specialised scope that has to be agreed explicitly, and it is not part of a standard application or infrastructure pentest.

Does allow listing also make sense for onsite and internal pentests?

While allow lists are most commonly discussed for external pentests or tests of a dedicated application, they can also be useful in internal, onsite assessments. Here it can make sense to exclude specific folders or locations (for example the tester's tool directory) from the scans of antivirus (AV) or endpoint detection and response (EDR) solutions. As always, it depends on the scope and on what the client wants to achieve.

If the goal is not to test AV or EDR, but to focus on other defences such as SIEM detection or to evaluate the effectiveness of incident response procedures, then an exclusion of this kind helps streamline the assessment. This acknowledges a key fact: real attackers may well have ways to bypass these security solutions and run commonly known tooling unhindered. So if your priority is assessing detection capabilities elsewhere, bypassing AV or EDR saves time and lets the assessment concentrate on the chosen defences.

Should you use allow lists on your pentests?

Ultimately, whether to allow list depends on the specific objectives of your pentest. If the priority is testing your core applications or infrastructure directly and the time is limited, allow listing is a smart move. It minimises friction, reduces delays, and lets your pentesters deliver the most thorough analysis of the assets you actually want to protect.

Letting your pentesters work without interference simulates the attacker's advantage of having unlimited time to circumvent security solutions, and gives you a clearer picture of which vulnerabilities you need to fix to protect your assets directly.

Written by Timo

I am a tech enthusiast, an audio engineer and a home brewer. These medium.com stories are used by myself as my personal logbook.