How to define the scope of a pentest

Before you define the pentest’s scope, however, you absolutely need a complete inventory of your IT assets. This is also an opportunity to analyse your network’s architecture to identify the most sensitive areas and potential access points for hackers. Understanding the specific objectives you are trying to reach is essential.

To help you set out your objectives, ask yourself the following: what should we test as a priority, the security of our web apps or our internal systems? What are the prerequisites to meet security standards? By clearly identifying your objectives, you can focus your efforts on the most critical and vulnerable parts of the infrastructure.

Identify the assets you want to test

Once you have set your objectives, you can then identify the assets to be included in the pentest’s scope. These can include servers, databases, applications, networks and IoT systems. By clearly identifying the assets to be tested, resources can be focused on the infrastructure’s most critical elements.

Analyse risks and constraints

To establish the optimal pentest scope, you need to analyse the risks that weigh on your organisation. This entails assessing potential threats while accounting for common vulnerabilities and recent attacks.

In other words, you must identify the most critical, high-priority assets according to their value and potential impact on activity. You must also consider the legal, regulatory and contractual constraints that can limit the pentest’s scope or guide the tests. A detailed analysis of the risks and constraints can help you target the most sensitive areas and optimise resources.

Set the pentest’s limits and needs

You must also define what will be excluded from the pentest’s scope. These can be assets, specific attacks to be avoided such as denial-of-service attacks, or constraints to take into consideration during the test.

You must also define the pentest’s needs, such as standards requirements. Does the target have to meet any specific requirements, such as GDPR or Payment Card Industry Security Standards? All this needs to be written down to clarify the scope and avoid budget overruns and misunderstandings with testers.

Pitfalls to avoid when defining your scope

When you define a scope, you may tempted to only protect a new asset or a change to an application, for example. However, to be relevant, a pentest must focus on a critical aspect of an organisation and not just on some recent component.

Also, the scope should not be too small. It is counter-productive to test a single API call, for example. An API call is a request sent to an API to obtain information or perform a specific action. These allow different applications to work together and share data. So, for APIs, you should consider the API as a whole, especially if it is exposed externally.

The organisational context remains key to establishing a scope. In other words, the main issue is to protect what is most critical. There is no point in checking how secure your windows are if you leave the door wide open. This is where a complete asset inventory comes in. Obtaining a global but detailed view of the organisation is the goal.

Work with security experts

You should work with IT security experts to ensure that you perform a relevant high-quality pentest. Security professionals have the necessary skills and experience to support your organisation in establishing a solid scope that accounts for best practices and the latest developments in cybercrime. By working with experts, you gain the benefit of their experience to maximise your pentest’s results and receive valuable recommendations to boost your organisation’s security.

Constant, smooth communications between teams is an invaluable asset throughout the pentest process. The team ordering the test should ask all the questions they need to see that the scope meets the organisation’s objectives. The security experts will do everything they can on their side to make the issues easy to understand and confidently support their client.