Scoping a penetration test is the most important phase of any security testing engagement. A poorly scoped test wastes budget on low-value targets, misses critical assets, or creates operational disruptions that damage the relationship between the organization and the testing firm. A well-scoped test maximizes security value by focusing effort on the highest-risk targets, setting clear boundaries, and defining expectations for both parties.
This guide walks you through every step of the scoping process, from selecting a testing methodology to generating a comprehensive Statement of Work. If you want to quickly estimate the level of effort for your engagement, the Penetration Test Scoping Calculator can help you model different target combinations and generate preliminary effort estimates.
What Is Penetration Test Scoping
Penetration test scoping is the process of defining exactly what will be tested, how it will be tested, when testing will occur, what is explicitly out of bounds, and what deliverables the testing firm will produce. The scoping process typically involves collaboration between the organization's security team, IT operations, legal counsel, and the penetration testing firm.
Why Scoping Matters
A penetration test without proper scoping is like a building inspection without a floor plan. The tester does not know which systems are critical, which are fragile, which contain sensitive data, or which are shared with other customers. Without this context, the tester may spend hours on a low-priority test server while ignoring the payment processing system that handles millions of dollars in transactions.
Poor scoping also creates legal and operational risk. A tester who inadvertently takes down a production database or triggers a fraud alert at a financial institution because the scope was unclear can cause real business damage. The scoping document and rules of engagement exist to prevent these scenarios.
Scoping Inputs
Effective scoping requires gathering information from multiple stakeholders:
- Security team: Threat landscape, previous test results, known vulnerabilities, compliance requirements, and security architecture documentation. If your organization has not recently performed threat modeling, the Threat Modeling Wizard can help you systematically identify attack surfaces and prioritize which assets should be included in the penetration test scope.
- IT operations: Network diagrams, asset inventory, change freeze windows, fragile systems that require special handling, and monitoring/alerting systems that need to be aware of the test.
- Application owners: Application architecture, authentication mechanisms, API documentation, test accounts, and business-critical functionality that must not be disrupted.
- Legal and compliance: Regulatory requirements driving the test, third-party systems that require separate authorization, data handling requirements, and liability provisions.
- Executive sponsor: Budget constraints, risk appetite, business objectives for the test, and how results will be used (board reporting, compliance evidence, insurance, vendor assessment).
Step 1: Select Testing Methodology
The testing methodology defines the structure and rigor of the engagement. Different methodologies emphasize different aspects of security testing, and the right choice depends on your objectives, compliance requirements, and the maturity of your security program.
Methodology Comparison
| Methodology | Focus Area | Best For | Key Deliverables |
|---|---|---|---|
| PTES (Penetration Testing Execution Standard) | Full lifecycle from pre-engagement through reporting | General-purpose penetration testing, organizations wanting a comprehensive framework | Pre-engagement report, intelligence gathering report, threat modeling, vulnerability analysis, exploitation report, post-exploitation report, final report |
| OWASP Testing Guide | Web application security testing | Web applications, APIs, single-page applications, mobile app backends | Vulnerability findings categorized by OWASP Top 10, risk ratings, remediation guidance, retest plan |
| NIST SP 800-115 | Technical security testing for federal systems | Government agencies, FedRAMP assessments, organizations following NIST frameworks | Technical assessment plan, rules of engagement, test results, findings with NIST control mapping |
PTES (Penetration Testing Execution Standard)
PTES defines seven phases of a penetration test: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. It is the most comprehensive methodology and is well-suited for engagements that need to cover the full attack lifecycle from reconnaissance through data exfiltration.
PTES is particularly valuable when the organization wants to understand not just what vulnerabilities exist but how an attacker would chain them together to achieve specific objectives such as accessing sensitive data, achieving domain admin, or pivoting from external to internal networks.
OWASP Testing Guide
The OWASP Testing Guide is focused specifically on web application security. It defines a structured approach to testing web applications against the OWASP Top 10 and additional application-specific vulnerability categories. The guide includes detailed testing procedures for each vulnerability type, making it an excellent reference for both testers and organizations evaluating test quality.
Choose OWASP when your primary concern is web application security, when you are testing APIs, or when your compliance requirements specifically reference OWASP (such as PCI DSS Requirement 6.5).
NIST SP 800-115
NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," provides guidance for federal agencies and organizations that follow NIST frameworks. It covers review techniques (documentation review, log analysis, ruleset review), target identification and analysis, target vulnerability validation, and security assessment planning.
Choose NIST SP 800-115 when you are a federal agency, when you need to map findings to NIST SP 800-53 controls, or when your assessment is part of a FedRAMP authorization process.
Combining Methodologies
In practice, many penetration testing firms combine elements from multiple methodologies. A common approach is to use PTES as the overall engagement framework, OWASP for web application testing components, and NIST SP 800-115 for control mapping and reporting. Discuss methodology preferences with your testing firm during the scoping phase to ensure alignment.
Understanding Different Penetration Test Types
Different types of penetration tests require fundamentally different scoping approaches. Each type targets distinct attack surfaces, uses different tools and techniques, and produces different categories of findings. Understanding these distinctions is essential for selecting the right test type and scoping it correctly.
Web Application Penetration Testing
Web application testing focuses on vulnerabilities in the application layer, including authentication bypass, authorization flaws, injection vulnerabilities, business logic errors, and client-side attacks. This is the most commonly requested test type because web applications are the primary attack surface for most organizations.
Scoping considerations specific to web apps:
- Authentication complexity: Applications with multiple authentication mechanisms (SSO, local accounts, API keys, OAuth) require more testing time to evaluate each path.
- Role-based access: Applications with many user roles (admin, manager, user, read-only, guest) require testing of authorization boundaries between each role pair. An application with 5 roles has 20 potential privilege escalation paths.
- Business logic: Custom business workflows (order processing, approval chains, payment flows) require manual testing because automated scanners cannot understand business intent.
- API surface: Modern web applications often expose REST or GraphQL APIs alongside the web UI. Both must be tested, and the API often has different (sometimes weaker) authorization controls than the UI.
Typical deliverables: OWASP Top 10 coverage matrix, vulnerability findings with proof-of-concept demonstrations, remediation guidance prioritized by risk, and authentication/authorization testing matrix.
Network Penetration Testing
Network testing evaluates the security of network infrastructure including firewalls, routers, switches, servers, and network services. It can be performed externally (from the internet) or internally (from within the corporate network), and each perspective reveals different vulnerabilities.
External network scoping considerations:
- IP range size: The number of public IP addresses directly affects testing time. Each /24 subnet (256 addresses) typically requires 16-40 hours depending on the number of live hosts and services.
- Perimeter devices: Firewalls, load balancers, VPN concentrators, and web application firewalls add complexity because they may filter or modify traffic, requiring the tester to use evasion techniques.
- Cloud infrastructure: Public cloud resources (EC2 instances, Azure VMs, GCP Compute) with public IP addresses should be included in external scope. Cloud-specific misconfigurations (open S3 buckets, exposed metadata endpoints) require specialized testing.
Internal network scoping considerations:
- Starting position: Define where the tester begins. Common starting positions include a standard user workstation, a guest network segment, or a VPN connection with standard user credentials.
- Active Directory: Testing AD security (password policy compliance, Kerberoasting, ASREPRoasting, delegation abuse) is a critical component of internal testing and requires specific scope authorization.
- Segmentation validation: Verify that network segments are properly isolated. The tester should attempt to cross segment boundaries to validate that controls are effective.
- Critical infrastructure exclusions: Explicitly exclude systems that could cause safety issues if disrupted (industrial control systems, medical devices, building management systems) unless the test is specifically designed for those systems.
Social Engineering Testing
Social engineering tests evaluate the human element of security by attempting to manipulate employees into divulging information, granting access, or performing actions that compromise security. These tests require the most detailed scoping of any test type because they involve human targets.
Types of social engineering tests:
| Technique | Description | Scoping Requirements |
|---|---|---|
| Phishing | Sending deceptive emails to trick users into clicking links, entering credentials, or downloading malware | Number of targets, email templates subject to review, landing page design, credential harvesting vs. payload delivery, excluded individuals |
| Vishing | Voice phishing via phone calls to extract information or manipulate actions | Number of calls, call scripts subject to review, recording consent, escalation procedures for distressed targets |
| Physical | Attempting to gain unauthorized physical access to facilities via tailgating, badge cloning, or pretexting | Specific facilities, times of day, techniques permitted, identification to present if confronted, law enforcement notification plan |
| Pretexting | Creating a fabricated scenario to manipulate a target into providing information | Scenario scripts subject to review, impersonation limits (cannot impersonate law enforcement or real individuals without consent) |
Essential social engineering scope elements:
- Target list: Provide a list of eligible targets or define the target population (e.g., all employees in the Finance department). Exclude individuals who cannot consent or who are in sensitive personal situations.
- Technique boundaries: Specify exactly which techniques are permitted. For physical testing, define whether lock picking, badge cloning, or dumpster diving is permitted.
- Escalation procedures: Define what happens if a target becomes distressed, confrontational, or calls security. The tester must be able to de-escalate safely and quickly.
- HR and legal approval: Social engineering tests typically require separate approval from HR and legal departments beyond the standard ROE because they involve employee interactions that could affect workplace trust and morale.
- Debrief plan: Define how tested employees will be informed after the engagement. Best practice is a non-punitive educational debrief that turns the experience into a learning opportunity.
Physical Penetration Testing
Physical penetration testing evaluates the security of physical facilities, access controls, surveillance systems, and security personnel. This test type carries the highest operational risk and requires the most detailed planning.
Scoping considerations:
- Facilities: List each building, floor, and restricted area that is in scope. Include addresses, operating hours, and security personnel schedules.
- Objectives: Define specific objectives such as gaining access to the server room, retrieving a "sensitive document" planted for the test, or photographing a specific asset.
- Permitted techniques: Specify whether the tester may tailgate, pick locks, clone badges, use social engineering against security guards, or plant surveillance devices.
- Safety requirements: The tester must carry authorization documentation at all times and must identify themselves immediately if confronted by armed security or law enforcement.
- Notification: Decide whether security management is aware of the test (informed test) or not (blind test). Blind tests provide more realistic results but carry higher risk of physical confrontation.
Compliance-Driven Testing Requirements
Many organizations conduct penetration tests primarily to satisfy compliance requirements. Each compliance framework has specific testing requirements that must be reflected in the scope.
Compliance Framework Testing Requirements
| Framework | Testing Requirement | Scope Implications |
|---|---|---|
| PCI DSS 4.0 | Requirement 11.4: Annual external and internal penetration testing of the CDE and connected systems; retesting after remediation; segmentation testing every 6 months | Scope must include all CDE systems, connected systems, and segmentation controls. Both network-layer and application-layer testing required. |
| HIPAA | No explicit pentest mandate, but Risk Analysis (45 CFR 164.308(a)(1)) is interpreted to include technical testing | Scope should include all systems processing ePHI. Focus on access controls, encryption, and audit logging. |
| SOC 2 | CC7.1: Detection of unauthorized changes; CC7.2: Monitoring for anomalies | Scope should include testing of detection and monitoring controls in addition to vulnerability assessment. |
| FedRAMP | Moderate and High: Annual third-party assessment including penetration testing per NIST SP 800-53 CA-8 | Scope must cover all system components within the authorization boundary. Testing must be performed by an independent assessor. |
| NIST CSF | PR.IP-12: A vulnerability management plan is developed and implemented | Framework recommends penetration testing as part of vulnerability management but does not mandate specific frequency or scope. |
| ISO 27001 | Clause 12.6.1: Management of technical vulnerabilities | Requires vulnerability assessment; penetration testing is a common implementation choice but not explicitly mandated. |
Compliance-Specific Scoping Tips
When scoping a compliance-driven test, include the following in your SOW:
- Compliance framework reference: Explicitly state which requirement the test satisfies. This helps the auditor or assessor accept the test results.
- Control mapping: Request that findings be mapped to the specific controls of the applicable framework (e.g., PCI DSS Requirement 6.5.1, NIST SP 800-53 AC-6).
- Evidence preservation: Define the evidence format the auditor requires. Some auditors accept a summary report; others require detailed logs, screenshots, and raw scan data.
- Assessor independence: If the compliance framework requires independent testing (FedRAMP, some PCI DSS interpretations), verify that the testing firm meets the independence requirements.
Step 2: Define Targets and Boundaries
Precise target definition is essential. Every system, network, application, and endpoint that is within scope must be explicitly listed, and anything not listed should be considered out of scope.
Target Categories
Organize your targets into categories based on the type of testing they require:
External Network: Internet-facing systems including public IP addresses, DNS records, email gateways, VPN concentrators, and cloud-hosted services. External testing simulates an attacker on the internet with no internal access. List specific IP ranges and hostnames.
Internal Network: Systems accessible from the internal network including servers, workstations, Active Directory infrastructure, internal applications, and network devices. Internal testing simulates an attacker who has gained initial access (through phishing, physical access, or a compromised VPN credential). Define the starting point (which network segment, what level of initial access).
Web Applications: Customer-facing and internal web applications. Each application should be listed individually with its URL, technology stack, authentication mechanism, and any known business logic that requires special testing attention. Specify whether testing should include authenticated and unauthenticated perspectives.
APIs: REST, GraphQL, SOAP, and other API endpoints. Provide API documentation (OpenAPI/Swagger specs), authentication tokens, and rate limiting information. API testing often requires more preparation than web application testing because the tester needs to understand the API contract.
Wireless Networks: Corporate Wi-Fi networks, guest networks, and any wireless infrastructure. Specify physical locations where testing should occur, SSID names, and whether testing should include rogue access point detection.
Social Engineering: Phishing campaigns, vishing (voice phishing), physical intrusion attempts, and pretexting. Social engineering requires the most detailed scoping because it involves human targets. Specify the number of targets, permitted techniques, excluded individuals, and escalation procedures.
Boundary Definition
Equally important to defining what is in scope is defining what is out of scope. Common exclusions include:
- Production databases containing real customer data (test against staging copies instead)
- Third-party SaaS applications that you do not own (require separate authorization from the SaaS provider)
- Systems shared with other tenants in a multi-tenant environment
- Denial-of-service testing against production systems (unless specifically authorized with full operational awareness)
- Physical security testing beyond agreed-upon locations
- Systems in other business units that have not authorized testing
Testing Types
For each target, specify the testing type:
- Black box: The tester receives no information about the target beyond what is publicly available. This simulates an external attacker and tests the organization's external exposure.
- White box: The tester receives full information including source code, architecture diagrams, credentials, and network maps. This is the most thorough approach and the best use of limited testing hours.
- Gray box: The tester receives some information, typically user-level credentials and basic architecture documentation. This simulates an insider threat or an attacker who has compromised a low-privilege account.
White box testing is generally the most cost-effective choice because the tester does not need to spend hours on reconnaissance that you could provide in minutes. The hours saved on reconnaissance can be spent on deeper exploitation and analysis of more targets. The Risk Matrix Calculator can help you prioritize which targets should receive the most testing attention based on their risk profile.
Step 3: Estimate Level of Effort
Effort estimation determines the budget and timeline for the engagement. Underestimating effort leads to superficial testing, while overestimating wastes budget that could be spent on remediation.
Per-Target Hour Estimation
The following table provides typical hour ranges for different target types. Actual hours depend on the complexity of the target, the testing type (black/white/gray box), and the desired depth of testing.
| Target Type | Typical Hours (Range) | Factors That Increase Hours |
|---|---|---|
| External Network (per /24 subnet) | 16-40 hours | Large number of live hosts, complex firewall rules, multiple service types |
| Web Application (per application) | 40-120 hours | Custom authentication, complex business logic, large number of roles, API backend |
| API (per API) | 24-60 hours | Large number of endpoints, complex authorization model, GraphQL with nested queries |
| Internal Network (per segment) | 24-80 hours | Active Directory complexity, multiple forests/trusts, segmentation validation |
| Wireless (per location) | 8-24 hours | Multiple SSIDs, WPA3 Enterprise, rogue AP detection, large physical area |
| Social Engineering (per campaign) | 16-40 hours | Custom pretexts, multiple vectors (phish + vish), physical intrusion, large target list |
| Mobile Application (per platform) | 40-80 hours | Both iOS and Android, custom encryption, certificate pinning, backend API |
| Cloud Infrastructure (per environment) | 40-100 hours | Multi-cloud, complex IAM policies, serverless functions, container orchestration |
Calculating Total Effort
To calculate total effort, list each target, assign an hour estimate based on the table above adjusted for your specific complexity factors, and sum the hours. Then add:
- Project management: 5-10% of total testing hours for project coordination, status meetings, and administrative tasks.
- Reporting: 15-25% of total testing hours for writing the detailed report, creating the executive summary, and preparing the findings presentation.
- Retesting: 10-20% of total testing hours for verifying remediation effectiveness.
A typical midsize engagement with two web applications, one external network assessment, and one internal network assessment might total:
- Web application 1: 80 hours
- Web application 2: 60 hours
- External network: 24 hours
- Internal network: 40 hours
- Subtotal: 204 hours
- Project management (8%): 16 hours
- Reporting (20%): 41 hours
- Retesting (15%): 31 hours
- Total: 292 hours
The Penetration Test Scoping Calculator automates this calculation and lets you adjust complexity factors, testing type (black/white/gray), and methodology requirements to generate a detailed effort estimate with cost projections.
Step 4: Define Rules of Engagement
The Rules of Engagement (ROE) document is the legally binding agreement that authorizes the penetration testing firm to attack your systems. It protects both parties and ensures the test is conducted safely.
Essential ROE Elements
Authorization: Explicit written authorization from an individual with the legal authority to authorize testing against each in-scope system. This is sometimes called the "get-out-of-jail letter" because it protects the testers from criminal liability for accessing systems without authorization (which would otherwise violate laws like the Computer Fraud and Abuse Act).
If any in-scope systems are hosted by third parties (cloud providers, colocation facilities, SaaS platforms), you must obtain separate authorization from those third parties. AWS, Azure, and GCP each have their own penetration testing policies that must be followed.
Testing Window: Define the dates, times, and time zones during which testing is permitted. Consider:
- Business hours vs. after hours (some tests may need to avoid peak usage periods)
- Change freeze windows (no testing during code deployments or maintenance windows)
- Time zone differences if the testing firm is in a different region
- Holiday periods when staff availability for incident response may be reduced
Communication Plan: Define how the testing firm will communicate with the organization during the engagement:
- Primary contacts: Names, phone numbers, and email addresses for the security team, IT operations, and executive sponsor.
- Emergency contacts: After-hours contacts in case a critical issue is discovered or an operational disruption occurs.
- Status reporting: Frequency and format of progress updates (daily email, weekly call, real-time Slack channel).
- Critical finding notification: How and when the testing firm should report critical vulnerabilities discovered during testing. Best practice is immediate notification (within 1-4 hours) for any finding that poses an imminent threat.
Permitted Techniques: Explicitly list which attack techniques are permitted and which are prohibited:
- Network scanning and enumeration: typically permitted
- Exploitation of discovered vulnerabilities: typically permitted
- Denial-of-service attacks: typically prohibited against production, may be permitted against isolated test environments
- Social engineering: only if explicitly authorized with defined boundaries
- Physical intrusion: only if explicitly authorized with defined boundaries
- Data exfiltration: typically permitted for proof of concept but actual sensitive data must not leave the organization's control
- Malware deployment: typically prohibited (testers use custom tools, not actual malware)
- Account lockout: define the policy (testers should avoid locking out real accounts)
Data Handling: Define how the testing firm will handle any sensitive data encountered during the test:
- Data must be encrypted at rest and in transit
- Sensitive data (PII, PHI, payment data) must not be extracted from the environment
- All test data and artifacts must be securely destroyed within a specified period after the engagement (typically 30-90 days)
- The testing firm must notify the organization immediately if regulated data is inadvertently accessed
Legal Review
Have your legal counsel review the Rules of Engagement before signing. Key legal considerations include:
- Limitation of liability for unintended operational disruptions during authorized testing
- Indemnification provisions
- Insurance requirements (the testing firm should carry professional liability and cyber liability insurance)
- Non-disclosure agreements covering all findings and organizational data
- Compliance with applicable laws and regulations in all relevant jurisdictions
Step 5: Generate the Statement of Work
The Statement of Work (SOW) is the formal contract document that incorporates all scoping decisions into a binding agreement. A well-structured SOW prevents scope creep, manages expectations, and provides a clear reference when questions arise during the engagement.
SOW Structure
A comprehensive penetration testing SOW includes the following sections:
1. Engagement Overview: Brief description of the engagement, including the business objective (compliance, security improvement, vendor assessment), the overall approach, and the testing methodology.
2. Scope Definition: Complete list of in-scope targets with IP addresses, URLs, application names, and network segments. List of explicitly out-of-scope systems. Testing type (black/white/gray box) for each target.
3. Timeline: Start date, end date, testing windows, milestone dates for interim deliverables, and the date for final report delivery.
4. Deliverables: Detailed description of each deliverable:
- Executive summary report (audience: leadership, 2-5 pages)
- Technical findings report (audience: security and IT teams, detailed vulnerability descriptions with evidence, risk ratings, and remediation guidance)
- Raw scan data and tool output (if requested)
- Findings presentation (live walkthrough with Q&A)
- Retest report (after remediation)
5. Team Composition: Names and qualifications of the testing team members. Include relevant certifications (OSCP, OSCE, GPEN, GXPN, CEH) and experience levels.
6. Effort Estimate: Hours by target category, blended or individual hourly rates, total cost, and payment schedule.
7. Rules of Engagement: Incorporated by reference or included as an appendix.
8. Assumptions and Dependencies: What the organization must provide (test accounts, VPN access, documentation, contact availability) and what happens if those dependencies are not met (schedule slippage, additional cost).
9. Change Management: Process for handling scope changes during the engagement. Additional targets discovered during testing should require written approval before testing.
SOW Review Checklist
Before signing the SOW, verify:
- Every in-scope target is explicitly listed with sufficient detail for the tester to identify it
- All exclusions are clearly stated
- The effort estimate is reasonable for the scope (use the Penetration Test Scoping Calculator as a sanity check)
- Retesting is included as a line item
- The report delivery date allows enough time for thorough analysis
- Emergency notification procedures are defined for critical findings
- Data handling and destruction requirements are specified
- Insurance and liability provisions are acceptable to both parties
After the Test
Scoping does not end when the SOW is signed. Throughout the engagement and after it concludes, several scoping-related activities ensure you get maximum value from the investment.
During the Engagement
Hold a kickoff meeting on day one to confirm scope, verify access, test communication channels, and answer any remaining questions from the testing team. Monitor the engagement through agreed-upon status reports and be responsive to tester questions, as delays in providing information directly reduce the testing time available.
If the tester discovers systems or applications that were not included in the original scope but appear to be high risk, follow the change management process defined in the SOW. Do not allow informal scope expansion, which can lead to billing disputes and incomplete testing.
Receiving the Report
Schedule a findings presentation where the testing team walks through their results. This is more valuable than reading the report alone because you can ask questions, understand the attack narrative, and discuss remediation priorities in real time.
Review the findings for accuracy. Occasionally, testers may misunderstand a system's purpose or categorize a finding at the wrong risk level. Provide feedback to the testing firm so the final report is accurate.
Remediation and Retesting
Prioritize remediation based on the risk ratings and the exploitability of each finding. Critical and high-severity findings that are easily exploitable should be fixed immediately. Medium and low findings should be tracked in your vulnerability management system and addressed according to your patch management SLA.
Once remediation is complete, schedule the retest. Provide the tester with a list of remediated findings and any relevant details about the fixes. The retest should verify that each fix is effective, has not introduced new vulnerabilities, and that the attack paths identified in the original test are no longer viable.
Lessons Learned
After the retest, conduct a lessons-learned review. Discuss what the test revealed about your security posture, whether the scope was appropriate (were critical systems inadvertently excluded?), and how the scoping process could be improved for the next engagement. Use these insights to refine your scope for future tests.
Most organizations should conduct penetration tests at least annually, with additional tests after significant infrastructure changes, major application releases, or security incidents. Each subsequent engagement should build on the findings and lessons of previous tests, progressively improving the organization's security posture.
Communication Plans During Testing
Effective communication during a penetration test engagement prevents operational disruptions, ensures rapid response to critical findings, and maintains trust between the organization and the testing firm. Establish the communication plan during scoping and document it in the ROE.
Communication Structure
Define the following communication channels before testing begins:
| Channel | Purpose | Participants | Frequency |
|---|---|---|---|
| Kickoff meeting | Confirm scope, verify access, distribute emergency contacts | Security team, IT ops, testing team, executive sponsor | Once (day one) |
| Daily status email | Brief progress update, targets tested, issues encountered | Testing team lead, security team lead | Daily during active testing |
| Critical finding hotline | Immediate notification of critical/high-severity vulnerabilities | Testing team lead, security team lead, CISO (if applicable) | As needed (within 1-4 hours of discovery) |
| Weekly progress call | Detailed progress review, scope clarification, schedule adjustments | Full testing team, security team, IT ops representative | Weekly (for engagements >2 weeks) |
| Incident escalation | Notification if testing causes unintended operational impact | Testing team lead, IT ops lead, executive sponsor | As needed (immediate) |
| Closeout meeting | Review preliminary findings, discuss report timeline, schedule debrief | All stakeholders from kickoff | Once (final day) |
Critical Finding Protocol
Define the critical finding notification protocol before testing begins:
-
Classification criteria: Define what constitutes a "critical" finding requiring immediate notification. Common criteria include: active exploitation by a third party discovered during testing, unauthenticated remote code execution, exposed credentials for privileged accounts, sensitive data (PII, PHI, payment data) accessible without authentication, and any finding that indicates an active compromise.
-
Notification timeline: Best practice is notification within 1-4 hours of confirming the finding. The tester should verify the finding is genuine (not a false positive) before sending the notification.
-
Notification method: Phone call followed by encrypted email. Do not rely solely on email for critical findings because it may not be read immediately.
-
Response expectation: Define whether the organization expects to remediate critical findings during the engagement (which may affect testing) or after the engagement concludes. If remediation occurs during testing, the tester should retest the fix before the engagement ends.
Deconfliction with Security Operations
If your organization has a Security Operations Center (SOC) or uses a managed security service provider (MSSP), coordinate with them before testing begins:
- Notify the SOC: Inform the SOC of the testing window, source IP addresses of the testing team, and the types of activities that will occur. This prevents false incident investigations that waste SOC analyst time.
- Do not whitelist tester IPs in detection tools: If the goal is to validate detection and response capabilities, allow the SOC to detect and respond to the testing activities as if they were real attacks. Deconflict after detection, not before.
- Track SOC detection metrics: Use the penetration test as a purple team exercise by tracking which testing activities the SOC detected and which it missed. This provides valuable data on detection gap analysis.
Retesting and Remediation Verification
Retesting is the step that transforms a penetration test from a point-in-time assessment into an actionable security improvement. Without retesting, you have no verification that vulnerabilities were actually fixed.
Structuring the Retest
Timeline: Schedule the retest 30-90 days after receiving the original report. This provides enough time for remediation without allowing the findings to become stale. For compliance-driven tests, verify that the retest timeline satisfies the compliance framework's requirements.
Scope: The retest scope includes all findings from the original test that were classified as critical, high, or medium severity. Low-severity and informational findings may be excluded from formal retesting to reduce cost, but they should still be tracked in the vulnerability management system.
Methodology: For each finding, the tester re-executes the original attack steps against the remediated system. The tester verifies three things:
- The specific vulnerability is fixed: The original exploit no longer works.
- The fix does not introduce new vulnerabilities: The patch or configuration change has not created a new attack vector (e.g., a firewall rule that blocks one attack but opens another port).
- The fix is complete: The vulnerability is not partially remediated (e.g., fixed in one application instance but not in another, or fixed for one user role but not another).
Retest Report Structure
The retest report should be concise and focused:
| Section | Contents |
|---|---|
| Findings summary | Table listing each original finding, its original severity, remediation status (fixed, partially fixed, not fixed, new issue), and retest evidence |
| Fixed findings | Brief confirmation of each finding that was successfully remediated |
| Unfixed findings | Detailed description of findings that remain, with updated risk assessment and remediation priority |
| New findings | Any new vulnerabilities discovered during retesting, with full description and remediation guidance |
| Recommendations | Suggestions for systemic improvements based on patterns observed across findings and remediation quality |
Remediation Quality Patterns
Over multiple engagements, patterns in remediation quality often emerge. Track these patterns to improve your remediation process:
- Incomplete remediation: The vulnerability is fixed in one location but exists in similar code elsewhere. This indicates a lack of systematic code review. Address by implementing centralized security libraries and automated scanning.
- Regression: A previously fixed vulnerability reappears in a subsequent test. This indicates insufficient regression testing. Address by adding security test cases to your CI/CD pipeline.
- Workaround instead of fix: The specific exploit is blocked, but the underlying vulnerability remains. For example, blocking a specific SQL injection payload rather than implementing parameterized queries. Insist on root-cause fixes, not pattern-based blocks.
- Compensating control instead of fix: A WAF rule is added instead of fixing the application vulnerability. While compensating controls are valid in the short term, they should not replace proper remediation. Track compensating controls separately and ensure they are reviewed regularly.
Building a Multi-Year Testing Program
Mature organizations treat penetration testing as an ongoing program rather than a one-time event. A multi-year testing program progressively deepens coverage and improves security posture.
Annual Testing Calendar
| Quarter | Activity | Focus |
|---|---|---|
| Q1 | External network and web application penetration test | Highest-risk internet-facing assets |
| Q2 | Internal network penetration test | Active Directory, network segmentation, lateral movement |
| Q3 | Social engineering assessment + retesting of Q1 findings | Human attack surface, remediation verification |
| Q4 | Specialized testing (cloud, mobile, IoT, physical) + retesting of Q2 findings | Emerging attack surfaces, remediation verification |
Year-Over-Year Improvement Tracking
Track the following metrics across annual engagements to measure program effectiveness:
- Total findings by severity: Are critical and high findings decreasing year over year?
- Remediation rate: What percentage of findings are fixed before the next annual test?
- Time to remediate: Is the average time from finding to fix decreasing?
- New vs. recurring findings: Are the same vulnerabilities reappearing, or are findings genuinely new?
- Scope expansion: Are you testing more systems each year, or is the scope static?
Use the Penetration Test Scoping Calculator to model multi-year testing programs and estimate the cumulative effort and budget required as your scope expands.
Vendor Selection Criteria
When selecting a penetration testing firm, evaluate the following criteria to ensure quality results:
| Criterion | What to Look For | Red Flags |
|---|---|---|
| Certifications | Team members hold OSCP, OSCE, GPEN, GXPN, CREST, or equivalent | No certified testers on the proposed team; certifications only at the company level |
| Methodology | Follows a recognized methodology (PTES, OWASP, NIST 800-115) with customization for your environment | "Proprietary methodology" with no documented framework; reliance solely on automated scanning |
| Reporting quality | Reports include proof-of-concept demonstrations, risk-rated findings, and actionable remediation guidance | Reports that list tool output without analysis; findings without evidence or context |
| Communication | Responsive during the engagement with clear escalation procedures | Tester is unreachable during testing; no daily status updates |
| Insurance | Professional liability and cyber liability insurance with adequate coverage limits | No insurance or inadequate coverage for the scope of testing |
| References | Can provide references from organizations of similar size, industry, and complexity | No references available; unwilling to discuss prior engagements (even generically) |
| Retesting inclusion | Retesting is included or available as a defined line item | Retesting requires a separate engagement at full rate |
A good testing firm will ask you as many questions during the scoping process as you ask them. If the firm is ready to propose a fixed-price engagement without understanding your environment, they are likely planning a superficial test.