
Mainframe Penetration Test


This Service will test the overall configuration security controls in the Customer’s IBM® z Systems® environment to identify external or internal vulnerabilities that could compromise the integrity and availability of systems or data.

What you get:

BMC will perform the following for one LPAR running IBM® z/OS® and an External Security Manager* (ESM):

  • Discuss the scope and outline the high-level plan for the test
  • Perform a White Box* penetration test that includes privilege escalation attempts using various user ids provided by Customer
  • Assess the security configuration and controls defined in the ESM
  • Conduct data gathering on the ESM and z/OS and perform analysis
  • Execute z/OS penetration test
  • Analyze penetration test results
  • Generate Mainframe Penetration Test Report
  • Provide encrypted deliverables to Customer


  • If Customer asks for suggestions on third-party equipment, software and services, BMC makes no representation or warranty whatsoever regarding such equipment, software and services or that the same shall be fit for the Customer’s purpose.

Customer will be responsible for:

  • Providing two basic Time Sharing Option (TSO)* user accounts
  • Providing remote access to Customer’s mainframe via Virtual Private Network (VPN) or Virtual Desktop Interface (VDI)
  • Maintaining and ensuring back-ups and recovery files
  • Providing instructions on how to connect to the LPAR including such details as:
    • IP address
    • Port number
    • Standard user ID
    • SSL certificate details, if required

Deliverables: Using BMC’s standard methodology and templates, the following Deliverables are in scope for this project and will be delivered:

  • Mainframe Penetration Test Report

Completion Criteria: BMC will have completed these Consulting Services when the in-scope Consulting Services have been completed and the Deliverables have been delivered to the Customer Project Manager.


Prior to the redemption of this service, Customer must provide advance notification of internal security processes that require BMC to enter into any special terms and conditions before gaining access to Customer’s infrastructure.

  • Customer has obtained the appropriate rights and permissions of any third parties for Customer to provide information relating to such third parties’ hardware, software and solutions and allow BMC to carry out the Services on their hardware, software and solutions that are in scope.
  • Customer will provide BMC with two mainframe accounts (RACF, ACF2 or TSS) defined to the ESM as basic users. These users should have access similar to that of a mainframe application developer or other basic system user.
  • Customer will provide hands-on-keyboard access to the mainframe for BMC consultants.

Additional information:

  • Estimated Duration: 6-8 weeks
  • In-scope Product: BMC AMI Security
  • Service Type: Advisory & Planning
  • Availability: Active
  • Success Service Code: BMSS_PENT_003
  • Date Last Updated: 12/28/2023

z/OS, z Systems, and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
