Penetration Testing Scoping Playbook

Executive Summary

This playbook outlines a structured process for scoping a penetration test to ensure clear objectives, well-defined boundaries, and actionable outcomes. It guides security consultants through client engagement, scope definition, methodology selection, constraints identification, deliverables planning, and post-scoping activities. The process is designed to align with client needs, comply with legal and ethical standards, and deliver measurable value through thorough preparation and documentation.

Scoping Checklist

The following checklist summarizes key actions to complete during the pentest scoping process.

• Client Engagement
  • Identify primary client contact.
  • Define client objectives.
  • Confirm legal authorization.
• Scope Definition
  • List in-scope assets.
  • Set scope boundaries.
  • Obtain client approval.
• Methodology Selection
  • Select test types.
  • Choose testing tools.
  • Align methodology with client needs.
• Constraints Identification
  • Define time constraints.
  • Identify technical limitations.
  • Document all constraints.
• Deliverables Planning
  • Plan report format.
  • Plan client presentation.
  • Confirm deliverables with client.
• Post-Scoping Activities
  • Finalize scope document.
  • Schedule test kickoff.
  • Archive scoping records.

1. Client Engagement

Establish clear communication and alignment with the client to set the foundation for the pentest.

Identify Primary Client Contact

• Confirm the primary point of contact for scoping discussions.
• Document their name, role, and contact details (e.g., email, phone).

Define Client Objectives

• Discuss and document the client’s goals (e.g., compliance, vulnerability identification, resilience testing).
• Clarify whether the pentest is driven by specific risks, regulations, or business needs.

Confirm Legal Authorization

• Obtain written authorization from the client to conduct the pentest.
• Ensure the agreement specifies the scope, timeline, and legal protections.
• Verify compliance with relevant laws (e.g., GDPR, HIPAA if applicable).

2. Scope Definition

Define the boundaries and targets of the penetration test to ensure focus and clarity.

List In-Scope Assets

• Identify systems, networks, applications, or devices to be tested (e.g., IP ranges, URLs, APIs).
• Document asset details, including ownership and criticality.

Set Scope Boundaries

• Specify out-of-scope assets to avoid unintended impacts (e.g., third-party systems, production servers).
• Define testing conditions (e.g., black-box, gray-box, white-box).

Obtain Client Approval

• Share the draft scope with the client for review.
• Address feedback and obtain formal sign-off on the scope document.
• Send a confirmation email to the client contact. Example:
  Subject: Confirmation of Penetration Test Scope for [Client Name] Dear [Client Contact], We have finalized the scope for the upcoming penetration test scheduled for [start date]. The scope includes: - In-Scope Assets: [e.g., IP range 192.168.1.0/24, web app at example.com] - Out-of-Scope Assets: [e.g., third-party cloud services] - Test Type: [e.g., gray-box, external network] - Timeline: [e.g., scoping completed by DD/MM/YYYY, testing from DD/MM/YYYY] Please confirm your approval or provide any feedback by [response deadline]. Let us know if you need further details or coordination. Best regards, [Your Name] [Your Organization] [Contact Information]
  Copy to Clipboard
• Log the confirmation and retain a copy for records.

3. Methodology Selection

Select the appropriate testing methodologies to align with client objectives and scope.

Select Test Types

• Determine the types of tests (e.g., network, web application, social engineering, physical).
• Align test types with client goals and asset types.

Choose Testing Tools

• Identify tools for scanning, exploitation, and reporting (e.g., open-source, commercial).
• Ensure tools comply with legal and client requirements.

Align Methodology with Client Needs

• Discuss methodology with the client to confirm expectations (e.g., non-disruptive testing).
• Document the agreed methodology, including tools and techniques.

4. Constraints Identification

Identify limitations that may impact the pentest to ensure realistic planning.

Define Time Constraints

• Confirm the testing window (e.g., specific dates, hours).
• Document any restrictions (e.g., no testing during business hours).

Identify Technical Limitations

• Note restrictions on testing methods (e.g., no DoS attacks, no password guessing).
• Identify systems with limited access or special configurations.

Document All Constraints

• Compile a list of time, technical, and other constraints (e.g., regulatory).
• Share constraints with the client to confirm agreement.

5. Deliverables Planning

Plan the outputs of the pentest to meet client expectations.

Plan Report Format

• Define the structure of the pentest report (e.g., executive summary, findings, recommendations).
• Specify formats (e.g., PDF, Word) and delivery methods.

Plan Client Presentation

• Schedule a presentation to discuss findings (e.g., in-person, virtual).
• Outline key points to cover (e.g., critical vulnerabilities, remediation steps).

Confirm Deliverables with Client

• Review planned deliverables with the client for alignment.
• Document any additional requirements (e.g., raw data, compliance forms).

6. Post-Scoping Activities

Finalize preparations and transition to the testing phase.

Finalize Scope Document

• Compile all scoping details into a final document.
• Obtain client sign-off on the finalized scope.

Schedule Test Kickoff

• Arrange a kickoff meeting with the client and testing team.
• Confirm communication protocols for during the test.

Archive Scoping Records

• Store all scoping documents (e.g., agreements, emails) securely.
• Ensure records are accessible for audits or future reference.

Additional Notes

This playbook aligns with industry best practices for penetration test scoping, ensuring a clear, compliant, and client-focused process.