Planning and Scoping

Discover planning and scoping in penetration testing.

easy

60 min

You just landed your first consulting engagement. A mid-sized e-commerce company, BrightCart, has been in the news for all the wrong reasons: they suffered a data breach last quarter, and BrightCart's board is now asking a pointed question. "Could the same thing happen to us again?" They have firewalls, an antivirus solution, and a password policy in place. But are those measures actually working? The board wants proof, and that is where you come in.

Securing a company is not a one-time event; it is a continuous process of building defenses and testing them. In the analog world, you do not simply install a lock on your bicycle and unquestioningly trust it. You tug on it. You try to pick it. You act like a thief to verify that the lock does its job. The digital world follows the same logic, except the "lock" is a combination of security policies, firewalls, intrusion detection systems, and access controls, and the "thief" is a skilled professional hired to test them.

The challenge is that testing the security of computer systems is far more complex than tugging on a bicycle lock. A company's attack surface can include web applications, internal networks, cloud infrastructure, APIs, and mobile apps. Each of these requires specialized skills and tools to evaluate properly. For this reason, organizations rely on penetration testers: authorized professionals who simulate real cyber attacks to find vulnerabilities before malicious actors do.

The keyword in that definition is authorized. Without explicit, documented authorization from the client organization, a penetration test is indistinguishable from a criminal attack. As we will see throughout this room, the planning, scoping, and legal groundwork that happen before a single packet is sent are what separate a professional engagement from an illegal intrusion.

Prerequisites

This room builds on concepts introduced in the Guided Pentest: Infrastructure and Dive Into Pentesting rooms. You should be comfortable with the general idea of what a penetration test looks like from end to end before diving into the planning and scoping details covered here.

Learning Objectives

  • Explain what a penetration test is and how it differs from a
  • Distinguish between known environment, partially-known environment, and unknown environment approaches
  • Define the scope of a penetration test and identify the risks of scoping errors
  • Identify the legal documents and authorizations required before testing begins
  • Describe the key components of a Rules of Engagement document
  • Recognize the major regulatory frameworks that mandate or recommend penetration testing
  • Apply planning and scoping concepts to a realistic client scenario
Answer the questions below

What is the keyword that separates a penetration test from a criminal cyber attack?