Here are some guidelines for scoping and negotiating pen test engagements:

  • Determine the types of assessments you want to conduct:
      • Goal-based or objective-based
      • Compliance-based
      • Red team
  • Clearly define the end goals of the engagement.
  • Determine what testing strategy you need to use:
      • Black box
      • Gray box
      • White box
  • Determine what types of threat actors you want to emulate, and what their capabilities and intent might encompass.
  • Consider recommending that the client organization engage in some threat modeling so that their objectives and expectations can be clearly defined.
  • Identify all targets, whether conventional or specialized systems, and the risk tolerance associated with each.
  • Be sure to account for existing controls and scenarios:
      • Existing organizational policies and security exceptions
      • Existing whitelists and/or blacklists
      • The use of certificate and public key pinning
      • The use of NAC devices and controls
      • The need for pre-merger or supply chain security testing
  • Create, maintain, and adhere to a comprehensive schedule.
  • Find ways to avoid scope creep; consider including disclaimer language to protect the test team from any adverse events resulting from allowing or denying scope creep.
  • Consider using a scoping checklist to gather information that will help shape the boundaries of the engagement.
  • Identify each deliverable, including all documents and meetings.