Pentest Planning and Scoping
Rules of Engagement
The rules of engagement document specifies the conditions under which the security penetration testing engagement will be conducted.
Testing Timeline
Three weeks, as specified in a Gantt chart
Location of testing
Company’s headquarters / Remote
Time window of the testing
9:00 AM to 5:00 PM EST
Preferred method of communication
Final report and weekly status update meetings
The security controls that could potentially detect or prevent testing
Intrusion Prevention Systems (IPS), Firewalls, Data Loss Prevention (DLP) Systems
IP addresses or networks from which testing will originate
10.10.1.0/24, 192.168.66.66, 10.20.15.123
Types of allowed or disallowed tests
Testing only web applications (app1.secretcorp.org and app2.secretcorp.org).
No social engineering attacks are allowed.
No SQL injection attacks are allowed in the production environment. SQL injection is only allowed in the development and staging environments at app1-dev.secretcorp.org and app1-stage.secretcorp.org.
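The rules above can be encoded as data and checked mechanically before each test is launched, so that an out-of-scope target, an undeclared source address, a forbidden test type or an after-hours run is caught by the tester rather than by the client's IPS or DLP. The script below is an added example, not part of the original notes: it transcribes this page's rules of engagement (source addresses, in-scope hosts, the production/non-production split for SQL injection, the 9:00 to 5:00 EST window) and validates a constructed test plan against them. The function names, the test-type labels, the sample plan entries and the reading of "EST" as a fixed UTC-5 offset are assumptions of the example.

```python
import ipaddress
from datetime import datetime, time, timedelta, timezone

# Rules of engagement as written on this page. Data layout and function
# names are mine; the addresses, host names and time window are the page's.
ALLOWED_ORIGINS = [
    ipaddress.ip_network(n)
    for n in ("10.10.1.0/24", "192.168.66.66/32", "10.20.15.123/32")
]
PRODUCTION_HOSTS = {"app1.secretcorp.org", "app2.secretcorp.org"}
NON_PRODUCTION_HOSTS = {"app1-dev.secretcorp.org", "app1-stage.secretcorp.org"}
IN_SCOPE_HOSTS = PRODUCTION_HOSTS | NON_PRODUCTION_HOSTS

# Test-type labels are my own; the page names these categories in prose.
FORBIDDEN_EVERYWHERE = {"social_engineering"}
FORBIDDEN_IN_PRODUCTION = {"sql_injection"}

# 9:00 AM to 5:00 PM EST. EST is taken literally as UTC-5 (assumption:
# the page does not say how daylight-saving time is handled).
EST = timezone(timedelta(hours=-5), "EST")
WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)


def check_test(origin_ip: str, target_host: str, test_type: str, when: datetime) -> list[str]:
    """Return the RoE clauses a planned test would violate (empty list = allowed)."""
    violations = []

    # Source address must fall inside one of the declared origin networks.
    ip = ipaddress.ip_address(origin_ip)
    if not any(ip in net for net in ALLOWED_ORIGINS):
        violations.append(f"origin {origin_ip} is not a declared testing source")

    # Only the two applications (plus their dev/stage instances) are in scope.
    if target_host not in IN_SCOPE_HOSTS:
        violations.append(f"target {target_host} is not an in-scope application")

    # Test-type restrictions: some are blanket, some depend on the environment.
    if test_type in FORBIDDEN_EVERYWHERE:
        violations.append(f"{test_type} is disallowed for this engagement")
    elif test_type in FORBIDDEN_IN_PRODUCTION and target_host in PRODUCTION_HOSTS:
        violations.append(f"{test_type} is only allowed in dev/stage, not against {target_host}")

    # Naive datetimes are assumed to already be in EST; aware ones are converted.
    local = when.replace(tzinfo=EST) if when.tzinfo is None else when.astimezone(EST)
    if not (WINDOW_START <= local.time() < WINDOW_END):
        violations.append(f"{local.strftime('%H:%M %Z')} is outside the 9:00-17:00 EST window")

    return violations


def review_plan(plan):
    """Split (origin, target, test_type, when) tuples into allowed and blocked entries."""
    allowed, blocked = [], []
    for entry in plan:
        problems = check_test(*entry)
        (blocked if problems else allowed).append((entry, problems))
    return allowed, blocked


# Constructed sample plan; none of these entries appear on the page.
SAMPLE_PLAN = [
    ("10.10.1.25", "app1-stage.secretcorp.org", "sql_injection", datetime(2024, 3, 4, 10, 0, tzinfo=EST)),
    ("10.10.1.25", "app1.secretcorp.org", "sql_injection", datetime(2024, 3, 4, 10, 0, tzinfo=EST)),
    ("10.20.15.123", "app2.secretcorp.org", "authz_testing", datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc)),
    ("203.0.113.7", "mail.secretcorp.org", "social_engineering", datetime(2024, 3, 4, 18, 0, tzinfo=EST)),
]

if __name__ == "__main__":
    allowed, blocked = review_plan(SAMPLE_PLAN)
    for entry, _ in allowed:
        print("ALLOWED", entry[:3])
    for entry, problems in blocked:
        print("BLOCKED", entry[:3])
        for p in problems:
            print("   -", p)
```

The third sample entry is given in UTC on purpose: 14:30 UTC converts to 09:30 EST and is allowed, which is the kind of time-zone slip a written schedule invites. Anything the client later adds to the scope (new hosts, a second CIDR, a widened window) is a one-line change to the data at the top rather than a change to the checks.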
Target List and In-Scope Assets
Identify and document all systems, applications, and networks that will be tested.
Scoping Technical Assets
IP address
DNS / FQDNs
SSIDs
Applications
APIs
Communication
What is the contact information for all relevant stakeholders?
How will you communicate with the stakeholders?
How often do you need to interact with the stakeholders?
Who are the individuals you can contact at any time if an emergency arises?