Penetration Testing Scoping

👤

Contact & Reference

Who should we coordinate with for this engagement?

Contact Name

Company / Organization

Email Address

Service Request Reference (optional)

📋

Included Activities

Mark which service areas apply to your engagement scope

ID	Service Area	Included
A	General Environment & Defensive Controls
B	External Network Penetration Testing
C	Internal Network Penetration Testing
D	Web Application Penetration Testing
E	Mobile Application Penetration Testing
F	API Penetration Testing
G	Social Engineering Assessment
H	Desktop Application Assessment
I	Security Assessment & Consultation
J	Compliance & Reporting

Activity A

General Environment & Defensive Controls

These questions help us understand your infrastructure at a high level and plan testing around your existing security stack.

1What is your current hosting and infrastructure setup?

On-premises · Cloud (AWS, Azure, GCP) · Hybrid · Multi-cloud

0/2000

2What are the primary operating systems and platforms in your environment?

Windows Server versions · Linux distributions · macOS

0/2000

3What defensive security tools are currently deployed?

Firewalls / WAF · IDS / IPS · EDR / Antivirus · SIEM · DDoS protection

0/2000

4Are there any systems or network segments that must be excluded from testing?

Production-critical systems · Third-party hosted services · Specific IP ranges

0/2000

5What change control or notification processes should we follow?

Change advisory board · Advance notification requirements · Maintenance windows

0/2000

Activity B

External Network Penetration Testing

These questions help us size the external assessment and understand what's exposed to the internet.

1How many live external IP addresses or IP ranges are in scope?

Single IPs · CIDR ranges · If unsure, we can help identify these

0/2000

2How many external domains and subdomains should be included?

Primary domains · Subdomains · Any recently acquired domains

0/2000

3What external-facing services and applications are running?

Web apps · Email servers · VPN endpoints · APIs · FTP/SSH · DNS

0/2000

4Are any in-scope systems hosted by third parties or behind CDNs?

Cloudflare · Akamai · AWS CloudFront · Third-party SaaS

0/2000

5Are there any services that require special handling or coordination?

Load-balanced systems · Rate-limited services · Systems shared with other tenants

0/2000

Activity C

Internal Network Penetration Testing

This helps us understand the size and complexity of your internal network so we can scope the right level of effort.

1Approximately how many live internal hosts are in scope?

Best estimate during business hours · Desktops, laptops, servers, network devices, IoT

0/2000

2How many network segments, VLANs, or subnets should be tested?

Number of segments · Any that should be excluded

0/2000

3What testing approach do you prefer?

Black box (no credentials) · Gray box (limited credentials) · White box (admin credentials)

0/2000

4Should testing include network segmentation and firewall rule validation?

ACL testing · VLAN hopping · Cardholder Data Environment (CDE) segmentation

0/2000

5How will our consultant access the internal network?

VPN · On-site with a drop box · Remote access tool · Physical presence required

0/2000

6Approximately how many employees and contractors have network access?

0/1000

7Are there Active Directory or other directory services in use?

Single domain · Multi-domain / forest · Azure AD / Entra ID · LDAP

0/2000

Activity D

Web Application Penetration Testing

We scope web app testing by application count, complexity, and role structure. These details let us estimate effort accurately.

1How many web applications need testing?

Include any that share authentication or backend systems

0/1000

2For each application, what is its primary business purpose and complexity?

Simple brochure site · E-commerce platform · Complex enterprise application · Customer portal

0/2000

3What authentication mechanisms are in place?

Username / password · OAuth / SAML / SSO · Multi-factor authentication · API keys

0/2000

4How many distinct user roles need to be tested?

Unauthenticated · Regular user · Manager / Moderator · Administrator · Will you provide test credentials for each?

0/2000

5Will testing be against production or a staging / test environment?

If staging, is it an accurate representation of production? · Any differences in configuration or data?

0/2000

6What is the technology stack?

Programming languages / frameworks · Web server · Database · Third-party integrations

0/2000

Activity E

Mobile Application Penetration Testing

Mobile app testing varies significantly by platform and architecture. These details help us plan the right approach.

1What platforms are the mobile apps built for?

iOS · Android · Cross-platform (React Native, Flutter, etc.)

0/1000

2How many distinct mobile applications need testing?

0/500

3What is the business purpose of each app?

0/2000

4Can you provide builds with certificate pinning disabled for testing?

0/1000

5Is source code or development builds available for static analysis?

0/1000

6What backend services and APIs does the app communicate with?

REST APIs · GraphQL · WebSockets · Third-party SDKs

0/2000

7What sensitive data does the app handle?

Payment data · PII · Health information · Location data

0/2000

Activity F

API Penetration Testing

API scope depends on endpoint count, complexity, and documentation availability.

1How many distinct APIs are in scope?

0/500

2Approximately how many endpoints exist across all APIs?

Rough count is fine · Read-only vs. read/write split if known

0/1000

3What API architecture is used?

REST · SOAP · GraphQL · gRPC · WebSocket

0/1000

4What authentication and authorization mechanisms protect the APIs?

API keys · OAuth 2.0 / JWT · Mutual TLS · Role-based access

0/2000

5Can you provide API documentation?

OpenAPI / Swagger specs · Postman collections · Developer docs

0/1000

6Is there a sandbox or test environment available for API testing?

0/1000

Activity G

Social Engineering Assessment

Social engineering scope depends on the type of exercise, target audience, and organizational context.

1What types of social engineering exercises are you interested in?

Email phishing · Voice phishing (vishing) · SMS phishing (smishing) · Physical security testing · Pretexting / impersonation

0/2000

2How many employees will be targeted?

Total headcount in scope · Specific departments or roles

0/1000

3Are there any individuals or groups that should be excluded?

Executives · Recent hires · Specific departments

0/1000

4Has your organization conducted security awareness training recently?

Type of training · When it was last conducted · Completion rates if known

0/2000

5What are your current policies for reporting suspicious communications?

Phish alert button · Helpdesk reporting · Incident response procedures

0/2000

6What is the primary goal of this exercise?

Baseline measurement · Training validation · Compliance requirement · Red team realism

0/2000

Activity H

Desktop Application Assessment

Desktop app testing requires specific logistics around software access and platform support.

1How many desktop applications require assessment?

0/500

2Were these applications built in-house or purchased from a third party?

0/1000

3What platforms do the applications support?

Windows · macOS · Linux · Specific OS versions

0/1000

4Can you provide application installers for our testing machines, or do we need to use your devices?

0/1000

5Do these applications require network connectivity or integrate with backend services?

0/1000

6Are there any licensing restrictions or hardware requirements we should know about?

0/1000

Activity I

Security Assessment & Consultation

Assessment engagements involve document review and stakeholder interviews. These details help us plan the timeline.

1What specific areas should the assessment cover?

Policies & procedures · Technical controls · Awareness & training · Incident response · Vendor management · Physical security

0/2000

2What are your primary security concerns or perceived vulnerabilities?

Areas where you feel least confident · Recent incidents or near-misses

0/2000

3Approximately how many policies, procedures, and documents will be provided for review?

0/1000

4How many departments and personnel will need to participate in interviews?

0/1000

5Are there key stakeholders or subject matter experts who should be prioritized?

0/2000

6What are your most critical assets and information that require protection?

0/2000

Activity J

Compliance & Reporting Requirements

Understanding your reporting needs upfront ensures deliverables meet stakeholder expectations.

1What compliance frameworks apply to this assessment?

PCI DSS · HIPAA · SOX · ISO 27001 · NIST CSF · FedRAMP · FISMA · Industry-specific

0/2000

2Do you need findings mapped to specific compliance requirements?

0/1000

3Who is the primary audience for the assessment report?

Technical team · Executive leadership · Board of directors · Auditors · Regulators

0/1000

4Do you require both technical details and an executive summary?

0/1000

5Are there specific report formats or templates you need us to follow?

0/1000

6What is your timeline for deliverables?

Preliminary findings deadline · Final report delivery date · Formal presentation or review meeting needed?

0/2000

7Are there data handling, retention, or destruction requirements for assessment artifacts?

0/2000

General Environment & Defensive Controls

External Network Penetration Testing

Internal Network Penetration Testing

Web Application Penetration Testing

Mobile Application Penetration Testing

API Penetration Testing

Social Engineering Assessment

Desktop Application Assessment

Security Assessment & Consultation

Compliance & Reporting Requirements

Scoping Brief Submitted