
Just what is a Scoping Call?

One of the major differences between working in corporate security and working in consulting is the interaction with customers. When you work in a SOC or CIRT, most of your work is done with members of your team and the occasional exec who wants to see what you’re up to. When you work as a consultant, things change drastically.

When I first started my position as a DFIR consultant, the idea of a scoping call was foreign to me. I understood we would have to interact with customers, but knowing how to talk with them, what questions to ask and how to get them to trust you with their sensitive data was an entirely new skill I had to learn. Fortunately, the things you need to know and do aren’t that difficult to master, and hopefully this list can get you started.

  1. Be polite and considerate. Sure, it’s exciting for us to hear about how badly the customer is pwn’d and what data an attacker has stolen. But think about it from the victim’s point of view: this is probably the worst day ever for their company. Make sure you use the appropriate tone when talking with them; a little empathy for what they are facing goes a long way toward building trust.
  2. Have your questions written down ahead of time. Whenever I’m on a scoping call, whether it’s for a data breach, a threat hunt or even a pentest engagement, I always have my questions written down before the call starts. This helps keep the call on track and also makes sure I don’t forget a piece of crucial information.
  3. Have your Master Service Agreement (MSA) and Statement of Work (SOW) prepped ahead of time. If the call goes well and the customer wants to utilize your company for services, the next step is to have these documents reviewed by your legal counsel and then sent to the customer for review and signing. Typically, from the time my phone rings to the time I’m at the customer’s site, only a few days have passed. Remember, the customer has an active breach or needs your services ASAP; having these documents prepped and ready to go can save you valuable time.
  4. Don’t over scope or under scope your hours. This part can be tricky: you want to give the customer a reasonable number of hours for your work, but you don’t want to underestimate the actual amount of time you will spend on their case. Whenever we speak with customers regarding an IR engagement, we always start with a 40 hour minimum and then expand from there as needed. In some instances, especially breaches that expand beyond the initial scope, you can work with your legal counsel and the customer to have them purchase additional hours.
  5. Ask good questions. This goes back to point number 1: have your questions written down. On every single IR scoping call I am on, I ask a standard set of questions.
    • What is the nature of the incident?
    • When did you first notice the activity?
    • How many systems are impacted?
    • What operating systems do you use?
    • Are there AV, Firewall, IDS or other logs we can look at?
    • Have you contacted law enforcement?
    • What actions have you taken so far?
    • What are your goals for the incident response?
    • How soon do you need someone onsite?

Like any other skill in Infosec, leading a good scoping call takes practice and planning. Hopefully these notes can help you get started or improve where you are today.
