The bit of information that's missing here is what are you trying to pentest, and by extension how much do you want to pay your pentest firm? For some folks a pentest means starting with zero information and trying to get IP packets passed a firewall or IDS's undetected. Basically pentesting layer 3 infrastructure. For other folks a pentest is purely an application level exercise, you give the pentester an account on your customer portal for instance, a full network diagram, and let them try things like SQL injection or cross site scripting at the applications layer. Your pentest firm can start with zero information and work all the way up to an application level attack, but that's costly and time consuming. Providing them some information is a way to short circuit the process. If you (or appropriate company representative) haven't already discussed the pros and cons with your pentest firm you're off on the wrong foot. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/