Why should I whitelist IP addresses for IPS, IDS and rate-limiting systems during a pentest?

In preparation for a pentest, we ask you to whitelist the IP addresses from which our researchers perform their tests in your IDS, IPS and rate-limiting systems. The whitelist is usually configured on the web server, in the web application and/or on the firewall. If the application is hosted externally, the hosting organization needs to be informed and asked to apply the whitelist as well.

"Why would I deliberately make my web application less secure?" is a question that is often asked when we ask for whitelisting.

IDS, IPS and rate-limiting systems mostly cause delays during a test: fewer requests per unit of time can be sent to the web application, and sometimes a lot of time has to be invested in adjusting requests so that they are not recognized by the IDS/IPS. Given enough time, this security measure can be circumvented, which is why it should be seen as a useful extra security layer and not as something the web application's own security depends on. Since a security assessment takes place in a limited time frame, it is important that these systems, where active, are temporarily bypassed for the IP addresses used for testing, so that the primary security layer, the application itself, can be investigated effectively.

Disabling IDS, IPS and rate-limiting systems is not a requirement, but it is recommended for better and more complete research results.
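As an added illustration of the web-server part of this request (example configuration, not from the original page), the following nginx snippet keeps request rate limiting active for all clients while exempting the tester addresses. The addresses, zone name, rate and upstream name are placeholders and assumptions; the tester addresses come from the pentest provider.

```nginx
# Added example: exempt the pentest source addresses from nginx request
# rate limiting while it stays in force for everyone else.
# 203.0.113.10 and 198.51.100.0/24 are placeholders for the addresses the
# testers hand over; zone name, rate and upstream are assumptions.
http {
    upstream app_backend {        # assumed application upstream
        server 127.0.0.1:8080;
    }

    # Classify the client address: 0 = exempt from limiting, 1 = limited.
    # If nginx sits behind a load balancer, configure the real_ip module
    # first so that $remote_addr (which geo uses) is the real client IP.
    geo $pentest_exempt {
        default          1;
        203.0.113.10     0;   # placeholder: tester workstation
        198.51.100.0/24  0;   # placeholder: tester VPN range
    }

    # An empty key is never counted against the zone, so exempt clients
    # skip the limit entirely; all other clients are keyed by their IP.
    map $pentest_exempt $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    limit_req_zone $limit_key zone=per_ip:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;   # placeholder

        location / {
            # Same limit as before the engagement; only the key changed.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://app_backend;
        }
    }
}
```

The exemption only covers nginx's own rate limiting; an IDS/IPS on the firewall or at the hosting provider needs a matching exception for the same addresses, and the entries are removed again once the engagement ends.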