How practical/realistic is it, when the pen testers come in, to clone applications/servers so they can run their pen test tools on a cloned environment that mirrors the live application and infrastructure, for business continuity purposes? Say we have an ASP.NET IIS/SQL Server web app, but we don't want them running thorough attack tools against the live system. Is it easy to make a replica copy and let them run their tools and manual tests against a clone? Does cloning it mess up all the code, i.e. will the app not work if you essentially pick it up and move it? Any feedback welcome - management speak preferred.