Teams will be allowed to customize their Virtual Desktop Infrastructure (VDI) systems by using any publicly available tools. This means that anything which can be freely downloaded without requiring a signup or account may be used. Although real-world penetration testing firms may have proprietary tools they use, the spirit of this rule is to keep the testing environment level for all teams. For example, the following tools would be allowed:
Scripts or programs downloaded from publicly available, well known github repositories
Executables available for direct download from a company website
Binaries included within the repositories of major operating systems and distributions
Tools or scripts found within the "client" networks
The following forms of tools would not be allowed:
Items stored on private repositories or those made public but unknown or obfuscated, bypassing the "public" requirement
Tools requiring signing up for an account on a vendor's website, even if anyone is allowed to create an account
Scripts pre-generated by teams and placed on Internet storage locations, even if public
For other systems in the environment, teams should coordinate with the client, as they may not appreciate having additional tools installed on critical servers; however, they may not mind either.