Scope

The scope of a penetration test (also known as the scope of work) defines what will be tested: which systems, applications, networks, or physical locations are in scope, which testing methods are authorised, and, critically, anything that is explicitly excluded from testing.

A well-defined scope ensures that testers focus their efforts on the assets that matter most to the organisation whilst avoiding disruption to critical systems and keeping out-of-scope resources untouched. A pentest scope typically includes specific IP address ranges, domain names, application URLs, user accounts for testing, and any special conditions such as testing windows, rate limiting requirements, or prohibited activities.
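In practice the scope document should be machine-checkable, so that every tool is pointed only at authorised targets. The following added example (not from the original article) shows a minimal scope guard: it holds a constructed scope with in-scope CIDRs, domains, URL prefixes, exclusions and a testing window, and answers whether a candidate IP, hostname or URL may be touched right now. The client, addresses (RFC 5737 documentation ranges), domains and window are all assumed for illustration; exclusions deliberately take precedence over any in-scope entry, and a wildcard domain does not cover its apex.

```python
"""Scope guard: check candidate targets against a scope definition before
scanning.  Added illustration; the scope values below are constructed."""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed scope document for a hypothetical client.
SCOPE = {
    "in_scope_cidrs": ["203.0.113.0/24", "198.51.100.0/25"],
    "in_scope_domains": ["app.example.com", "*.api.example.com"],
    # A listed URL prefix narrows testing on that host to that path.
    "in_scope_urls": ["https://app.example.com/portal/"],
    "excluded_hosts": ["203.0.113.5", "203.0.113.6", "legacy.api.example.com"],
    "excluded_cidrs": ["198.51.100.64/26"],
    "window_utc": (22, 6),  # 22:00-06:00 UTC, wraps past midnight
}

# Constructed sample times: one inside the window, one outside it.
IN_WINDOW = datetime(2024, 1, 1, 22, 30, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _in_window(now, window):
    start, end = window
    h = now.hour
    if start <= end:
        return start <= h < end
    return h >= start or h < end  # window crosses midnight


def _domain_matches(host, pattern):
    """'*.api.example.com' covers subdomains only, not the apex itself."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".api.example.com"
        return host.endswith(suffix)
    return host == pattern


def check_target(target, now=None, scope=SCOPE):
    """Return (allowed, reason) for an IP address, hostname or URL."""
    now = now or datetime.now(timezone.utc)
    if not _in_window(now, scope["window_utc"]):
        return False, "outside authorised testing window"

    is_url = "://" in target
    host, path = target, ""
    if is_url:
        parsed = urlparse(target)
        host, path = parsed.hostname or "", parsed.path
    host = host.lower().rstrip(".")

    # Exclusions win over every in-scope entry.
    if host in scope["excluded_hosts"]:
        return False, f"{host} is explicitly excluded"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for cidr in scope["excluded_cidrs"]:
            if ip in ipaddress.ip_network(cidr):
                return False, f"{ip} is in excluded range {cidr}"
        for cidr in scope["in_scope_cidrs"]:
            if ip in ipaddress.ip_network(cidr):
                return True, f"{ip} is in scope via {cidr}"
        return False, f"{ip} is not in any in-scope range"

    # If URL prefixes are listed for this host, the path must sit under one.
    prefixes = [urlparse(u) for u in scope["in_scope_urls"]]
    host_prefixes = [p for p in prefixes if p.hostname == host]
    if is_url and host_prefixes:
        if any(path.startswith(p.path) for p in host_prefixes):
            return True, f"URL is under an in-scope prefix on {host}"
        return False, f"URL path {path} is outside the authorised prefixes"

    for pattern in scope["in_scope_domains"]:
        if _domain_matches(host, pattern):
            return True, f"{host} matches in-scope domain {pattern}"
    return False, f"{host} matches no in-scope domain"


if __name__ == "__main__":
    for t in ["203.0.113.10", "203.0.113.5", "198.51.100.70",
              "foo.api.example.com", "api.example.com",
              "https://app.example.com/portal/login",
              "https://app.example.com/admin/"]:
        print(t, check_target(t, now=IN_WINDOW))
```

Wire a guard like this in front of scanners and proxies, and log every refusal: a target that keeps being rejected is exactly the "unexpected system" that needs a scope change rather than a quiet workaround.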

Proper scoping is crucial for both effective testing and risk management. Too narrow a scope may miss critical vulnerabilities in adjacent systems or fail to test realistic attack paths that cross system boundaries. An overly broad scope can dilute testing efforts, making the assessment superficial rather than thorough.

The scoping process typically involves planning and collaboration between the organisation's technical teams and the penetration testing provider to understand business priorities, identify critical assets, assess the risks that testing itself poses, and establish clear rules of engagement.

Changes to the scope during testing (such as discovering unexpected systems or needing to expand testing to follow an attack path) should be documented and approved through a formal change control process, with written authorisation issued to the pentest provider before the new targets are touched, so that accountability and authorisation remain clear.