Planning and Scoping a Penetration Testing Assessment

Planning Phase

Initial Client Meeting

  • Objective: Understand what the client aims to achieve with the penetration test.
  • Key Questions:
    ◦ What are the key assets you're concerned about?
    ◦ What types of attacks or threats are you most concerned with?
    ◦ Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?

Documentation Review

  • Objective: Review existing documentation to understand the network topology, application architecture, and other relevant details.
  • Key Deliverables:
    ◦ Network diagrams
    ◦ Application architecture diagrams
    ◦ Previous vulnerability assessments or pen test reports

Legal Agreements and Permissions

  • Objective: Ensure that all legal requirements are met and permissions are granted.
  • Key Deliverables:
    ◦ Signed contract
    ◦ Non-disclosure agreement (NDA)
    ◦ Permission to test forms

Scoping Phase

Define Scope

  • Objective: Clearly outline what is in-scope and out-of-scope.
  • Key Deliverables:
    ◦ List of target IP addresses
    ◦ List of target applications
    ◦ User roles for testing authenticated areas

Determine Timeframe

  • Objective: Decide the duration of the test.
  • Key Questions:
    ◦ When will the test start and end?
    ◦ Are there any blackout periods during which testing should not occur?
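The scope list and the timeframe decided in the two steps above are only useful if they are enforced before any tool is pointed at a host. The following is an added example, not part of the original page: it encodes in-scope ranges, explicit exclusions, the engagement window and daily blackout hours as data, then checks each candidate target against them, rejecting out-of-scope hosts and testing outside the agreed hours. The IP ranges, dates and function names (`parse_rules`, `check_target`, `filter_targets`) are constructed placeholders for illustration; a real engagement would load these values from the signed test plan.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample rules of engagement (documentation IP ranges, placeholder
# dates). In practice these values come from the signed Penetration Test Plan.
SAMPLE_RULES = {
    "in_scope": ["192.0.2.0/24", "198.51.100.10/32"],
    "out_of_scope": ["192.0.2.250/32"],          # e.g. a fragile production host
    "test_window": ("2024-03-04T09:00", "2024-03-08T17:00"),
    "blackout_hours": [("00:00", "06:00")],       # nightly batch run, no testing
}


def parse_rules(raw):
    """Convert the plan's string values into network and time objects once."""
    return {
        "in_scope": [ip_network(n) for n in raw["in_scope"]],
        "out_of_scope": [ip_network(n) for n in raw["out_of_scope"]],
        "test_window": tuple(datetime.fromisoformat(s) for s in raw["test_window"]),
        "blackout_hours": [(time.fromisoformat(a), time.fromisoformat(b))
                           for a, b in raw["blackout_hours"]],
    }


def in_blackout(when, blackout_hours):
    """True if the clock time of `when` falls inside any daily blackout window."""
    t = when.time()
    for start, end in blackout_hours:
        if start <= end:                 # same-day window, e.g. 00:00-06:00
            if start <= t < end:
                return True
        elif t >= start or t < end:      # window wraps midnight, e.g. 22:00-02:00
            return True
    return False


def check_target(target, when_iso, rules):
    """Return (allowed, reason) for one target at the given ISO-8601 timestamp.

    Order matters: explicit exclusions beat inclusions, and the time checks
    apply even to hosts that are otherwise in scope.
    """
    addr = ip_address(target)
    when = datetime.fromisoformat(when_iso)
    if any(addr in net for net in rules["out_of_scope"]):
        return False, f"{target} is explicitly out of scope"
    if not any(addr in net for net in rules["in_scope"]):
        return False, f"{target} is not in any authorised range"
    start, end = rules["test_window"]
    if not start <= when <= end:
        return False, "outside the agreed engagement window"
    if in_blackout(when, rules["blackout_hours"]):
        return False, "inside a blackout period"
    return True, "authorised"


def filter_targets(targets, when_iso, rules):
    """Split a candidate list into allowed targets and (target, reason) rejections."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = check_target(target, when_iso, rules)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, reason))
    return allowed, rejected


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    allowed, rejected = filter_targets(
        ["192.0.2.15", "192.0.2.250", "203.0.113.7"], "2024-03-05T10:30", rules)
    print("allowed:", allowed)
    for target, why in rejected:
        print("rejected:", target, "-", why)
```

Keeping the rejection reasons is deliberate: the log of refused targets is evidence for the client that the agreed boundaries were respected, and it surfaces scope gaps (a host the client expected to be tested but never listed) early rather than in the final report.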

Resource Allocation

  • Objective: Decide who will perform the test and what tools will be used.
  • Key Deliverables:
    ◦ Names and credentials of the penetration testers
    ◦ List of tools that will be used

Success Criteria

  • Objective: Define what will constitute a successful test.
  • Key Deliverables:
    ◦ Expected outcomes
    ◦ Metrics for success (e.g., percentage of high-risk vulnerabilities identified)

Finalize Plan

  • Objective: Consolidate all the above information into a formal test plan.
  • Key Deliverables:
    ◦ Penetration Test Plan document
    ◦ Client approval on the plan

By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.