Why should I whitelist IP addresses for IPS, IDS and rate-limiting systems during a pentest?

In preparation for a pentest, we ask you to whitelist the IP addresses from which our researchers perform the tests in your IDS, IPS and rate-limiting systems. This whitelisting is usually configured on the web server, in the web application and/or on the firewall. If the application is hosted externally, the hosting provider needs to be informed as well.
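As an added illustration (not part of this FAQ), the following nginx configuration exempts a tester address range from request rate limiting while keeping the limit in force for every other client. It uses the documented geo/map pattern in which an empty limit key is not counted against the zone. The range 203.0.113.0/24, the backend address 127.0.0.1:8080 and the zone name are placeholders; substitute the addresses supplied for your engagement.

```nginx
# Added example: exempt pentest source addresses from nginx rate limiting.
# 203.0.113.0/24 is a placeholder (documentation range); replace it with the
# address range supplied for the engagement. Remove the entry afterwards.
http {
    # 1 = subject to rate limiting, 0 = whitelisted (tester addresses)
    geo $rate_limited {
        default         1;
        203.0.113.0/24  0;   # pentest source range (assumed)
    }

    # An empty key means the request is not counted against the zone,
    # so whitelisted addresses are never throttled.
    map $rate_limited $limit_key {
        0  "";
        1  $binary_remote_addr;
    }

    # 10 requests/second per client address, tracked in a 10 MB shared zone
    limit_req_zone $limit_key zone=per_ip:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;   # placeholder host name

        location / {
            # burst=20 allows short spikes; nodelay serves them immediately
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;   # placeholder backend
        }
    }
}
```

Two caveats when applying this: if nginx sits behind a load balancer, reverse proxy or CDN, $binary_remote_addr holds the proxy's address rather than the tester's, so the geo lookup only works once the ngx_http_realip_module (set_real_ip_from / real_ip_header) is configured to trust that proxy; and the whitelist entry should be scoped to the engagement and removed when the test ends. The same idea applies to other layers, for example the ignoreip setting in fail2ban or an allow rule on the firewall in front of the IPS.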

"Why would I deliberately make my web application less secure?" is a question we are often asked when we request this whitelisting.

IDS, IPS and rate-limiting systems usually only slow an attacker down rather than stop them: fewer requests per unit of time can be sent to the web application, or considerable time has to be spent adjusting requests so that the IDS/IPS no longer recognises them. With enough time, these measures can be circumvented. That makes them a useful extra layer of security, but the web application itself should not depend on them. Because a security assessment takes place in a limited time-frame, it is important that these systems, where active, are temporarily disabled for the IP addresses of Web Security Scan, so that the primary security layer, the application itself, can be investigated as effectively as possible.

Whitelisting our IP addresses in IDS, IPS and rate-limiting systems is therefore not a requirement, but it is recommended.