Pre-Engagement & Scoping Initiating a Penetration Test
Initiating a Penetration Test

Before launching any attacks, a successful penetration test requires rigorous pre-engagement planning. This phase establishes the rules, defines the scope, and ensures both the testing team and the client are aligned on objectives, timelines, and legal boundaries.

flowchart TD
    A["Initial Contact"] --> B["Scoping Questionnaire"]
    B --> C["Time & Cost Estimation"]
    C --> D["Contract & NDA"]
    D --> E["Scoping Meeting"]
    E --> F["Validate Targets & 3rd Parties"]
    F --> G["Establish Comm Channels"]

The Pre-Engagement Workflow

Setting up a new engagement involves a structured progression from initial contact to the official start date. Follow these steps to ensure a smooth kickoff.

  1. 1

    Gather initial information

    Send the client a comprehensive questionnaire to understand their environment, compliance needs, and primary business goals. This helps you determine whether they need a full penetration test or if a Vulnerability Assessment (VA) is more appropriate for their current security maturity.

  2. 2

    Estimate time and costs

    Base your time estimates on the complexity of the target, not just a linear cost-per-IP model. Always add a 20% padding to your time estimate to account for unexpected interruptions (e.g., network outages, emergency meetings). If the padding goes unused, provide extra value by walking the security team through exploits or performing deeper analysis.

  3. 3

    Hold the scoping meeting

    Once the NDA and initial contracts are signed, hold a meeting dedicated strictly to defining what will be tested. Keep this meeting focused on scope—save rules of engagement and specific costs for separate discussions. Establish a firm start date and a "drop-dead" end date.

  4. 4

    Validate targets and permissions

    Never assume the client owns every IP or domain they provide. Verify ownership of all target environments, including DNS servers, email servers, and physical hardware.

Handling Scope Creep
If a client requests additional testing outside the original agreement, take it as a compliment—but require a new Statement of Work (SOW) and an hourly rate agreement before proceeding. This protects your time and prevents legal misunderstandings.

Scoping Questionnaires

To accurately estimate the engagement, you need to ask the right questions upfront. Use these categories to build your intake forms based on the type of test requested.

Network & General Questions
  • Why is the test being performed? (e.g., compliance, recent breach, routine audit)

  • When should active testing occur? (Business hours, after hours, weekends)

  • How many internal and external IP addresses are in scope?

  • Are there active defenses in place? (Firewalls, IDS/IPS, Load Balancers)

  • If a system is compromised, should the team attempt to gain root/SYSTEM privileges or perform password cracking?

Web Application Questions
  • How many static vs. dynamic pages are being assessed?

  • Will source code or documentation be provided? (White-box vs. Black-box)

  • Does the client require fuzzing, static analysis, or role-based credentialed testing?

Wireless & Physical Questions
  • Wireless: Are guest networks in scope? What encryption is used? Will you be assessing client-side wireless attacks or rogue access points?

  • Physical: How many locations/floors are in scope? Are there armed guards, silent alarms, or video cameras? Is the use of lock picks or bump keys legally permitted?

Social Engineering Questions
  • Does the client have a target list of emails or phone numbers?

  • Is social engineering approved for gaining unauthorized physical access?

  • Note: Ensure all pretexts (the "story" used to trick users) are approved in writing, as some corporate environments prohibit certain sensitive topics.

Modern infrastructure rarely lives entirely on-premises. You must account for third-party providers and regional laws before sending a single packet.

Legal Ramifications
It is your responsibility to verify the laws of the specific country, province, or state where the target servers reside. For example, EU privacy laws strictly govern how social engineering and data access can be conducted. Do not assume your firm's legal team will catch every regional nuance.

Provider TypeTesting Considerations
Cloud ServicesData from multiple organizations often shares physical hardware. You must obtain explicit permission from the cloud provider and establish a direct security contact with them.
ISPsReview the ISP's terms of service. They may automatically shun or block malicious traffic, which can interfere with your testing.
Web HostingClarify with the client that testing will only target web vulnerabilities, not the underlying infrastructure owned by the hosting provider.
MSSPsManaged Security Service Providers must be notified if their devices are being tested, unless the goal of the engagement is specifically to test the MSSP's incident response time.

Establishing Communication Workflows

Communication can make or break client satisfaction. Establish a clear framework for routine updates and emergency situations.

Emergency Contacts

Create and distribute an emergency contact list to all involved parties. This ensures that if a critical system goes down or a severe vulnerability is found, the right people are notified immediately.

Gather the following for each contact:

  1. Full name and operational title

  2. Authorization level for discussing test details

  3. Two forms of 24/7 contact (e.g., cell phone, pager)

  4. A secure method for bulk data transfer

Incident Reporting

Discuss the organization's incident response (IR) capabilities beforehand. If the internal security team detects your activity, they need to know who to call so they don't wake up executives in the middle of the night for a false alarm. Conversely, if you complete the engagement without being detected, you've identified a major gap in their IR posture.

Secure Communications

Encryption is not optional. Due to the highly sensitive nature of penetration testing data, all critical communications must be secured.

  • Use PGP/GPG for email communications and encrypting the final report. (Remember: email subject lines are still sent in plaintext!)

  • Utilize a secure, encrypted mailbox hosted on the customer's network.

  • Use out-of-band communication, such as secure phone calls, for immediate critical disclosures.

Next Steps: Rules of Engagement

Once the scope is defined, proceed to establishing the Rules of Engagement (RoE) to dictate exactly how the testing will be executed.