
Scoping

This component defines what will be tested. The key is finding a balance between time, cost, and the goals of the business. Everything agreed upon during scoping must be clearly documented in the engagement agreement, and all legal implications must be considered before any testing begins.

During this component, you will ask questions such as the following:

  • How many IP address ranges or systems will be tested?
  • Does the penetration test cover physical security, wireless networks, application servers, social engineering, and so on?
  • What is off-limits for the penetration test? The business might have mission-critical systems that could lead to loss of revenue if these are affected by the penetration test.
  • Will the penetration test be onsite or offsite?
  • Are there any third-party servers that are in the scope of the penetration test? 
  • Are you performing a white-box, grey-box, or black-box penetration test?

The questions listed do not cover everything, and they will vary per client. For a more comprehensive list of the questions you should consider, refer to the PTES Standard at http://www.pentest-standard.org/index.php/Pre-engagement.
White-box testing gives you complete, open access to systems, source code, network diagrams, and so on. It produces the most comprehensive results, with a depth of coverage that an average attacker could never achieve.

Grey-box testing gives you partial information about the internal systems; the aim is to assess the environment from the viewpoint of an attacker who has already breached the perimeter.

Black-box testing provides you with no prior information or access to the network. This type of test is the most realistic, as you simulate an external attacker, but it trades coverage for realism: whatever you do not discover, you do not test.

While you work on scoping your penetration test, be very careful of scope creep. Scope creep is any additional work that was not agreed upon in the initial scope. It introduces risk to your penetration test: unbilled effort and loss of revenue for you, an unsatisfied client, and, if you touch systems you were never authorized to test, legal exposure. Scope creep is a trap that you can easily fall into, so check every target against the agreed scope before you send a single packet.
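The in-scope ranges and off-limits systems from the scoping questions above are only useful if every target is checked against them before testing starts. The following added example (not code from the original text) shows a small scope gate in Python: the agreed scope is kept as a list of CIDR entries, with a leading `!` marking an exclusion, and each proposed target is classified as in-scope, excluded, or out-of-scope. The ranges, hostnames and the `!` convention are assumptions for illustration; the prefixes are documentation and private address space, not any real client's network.

```python
import ipaddress

# Constructed sample scope for illustration only (documentation/private
# prefixes, not a real client's network). A leading '!' marks an exclusion.
AGREED_SCOPE = [
    "10.10.0.0/16    # internal server segment",
    "192.0.2.0/24    # DMZ",
    "!10.10.5.0/24   # excluded: production database segment",
    "!10.10.0.1      # excluded: core router",
]


def parse_scope(lines):
    """Split agreed scope entries into (allowed, excluded) network lists.

    Blank lines and '#' comments are ignored so the same list can live in the
    engagement documentation and be re-read verbatim by the tooling.
    """
    allowed, excluded = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("!"):
            excluded.append(ipaddress.ip_network(entry[1:].strip(), strict=False))
        else:
            allowed.append(ipaddress.ip_network(entry, strict=False))
    return allowed, excluded


def classify(target, allowed, excluded):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for an IP or CIDR.

    A target must sit entirely inside an allowed range, and exclusions win:
    a CIDR that merely touches an excluded range is refused as a whole,
    because scanning it would hit hosts the client put off-limits.
    """
    net = ipaddress.ip_network(target, strict=False)

    def same_version(nets):
        # ipaddress raises TypeError when comparing IPv4 with IPv6 networks,
        # so only compare against ranges of the target's own version.
        return [n for n in nets if n.version == net.version]

    if not any(net.subnet_of(a) for a in same_version(allowed)):
        return "out-of-scope"
    if any(net.overlaps(e) for e in same_version(excluded)):
        return "excluded"
    return "in-scope"


def vet_targets(targets, scope_lines=AGREED_SCOPE):
    """Group a proposed target list by scope status before any packet is sent."""
    allowed, excluded = parse_scope(scope_lines)
    report = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for target in targets:
        report[classify(target, allowed, excluded)].append(target)
    return report


if __name__ == "__main__":
    # Constructed target list: one good host, two excluded hosts, a /23 that
    # straddles the excluded segment, a stray public IP and an IPv6 address.
    proposed = ["10.10.20.7", "10.10.5.40", "10.10.0.1", "10.10.4.0/23",
                "203.0.113.9", "2001:db8::1"]
    for status, hosts in vet_targets(proposed).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Feed the scanner only the `in-scope` list; anything landing in `excluded` or `out-of-scope` is either a typo in the target list or a scope change that has to go back to the client in writing before it is tested.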

Keep the cost of a penetration test in mind during the scoping phase. Prices vary with what needs to be tested. For example, testing a complex web application requires far more time and effort than a simple network penetration test, so it will cost considerably more. The frequency with which you conduct the penetration test is another factor that affects the cost.
