- **Objective**: Understand what the client aims to achieve with the penetration test.
- **Key Questions**:
  - What are the key assets you're concerned about?
  - What types of attacks or threats are you most concerned with?
  - Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?

#### Documentation Review
- **Objective**: Review existing documentation to understand the network topology, application architecture, and other relevant details.
- **Key Deliverables**:
  - Network diagrams
  - Application architecture diagrams
  - Previous vulnerability assessments or pen test reports

#### Legal and Compliance Checks
- **Objective**: Ensure that all legal requirements are met and permissions are granted.
- **Key Deliverables**:
  - Signed contract
  - Non-disclosure agreement (NDA)
  - Permission-to-test forms

### Scoping Phase

#### Define Scope
- **Objective**: Clearly outline what is in scope and out of scope.
- **Key Deliverables**:
  - List of target IP addresses
  - List of target applications
  - User roles for testing authenticated areas

#### Determine Timeframe
- **Objective**: Decide the duration of the test.
- **Key Questions**:
  - When will the test start and end?
  - Are there any blackout periods during which testing should not occur?

#### Resource Allocation
- **Objective**: Decide who will perform the test and what tools will be used.
- **Key Deliverables**:
  - Names and credentials of the penetration testers
  - List of tools that will be used

#### Success Criteria
- **Objective**: Define what will constitute a successful test.
- **Key Deliverables**:
  - Expected outcomes
  - Metrics for success (e.g., percentage of high-risk vulnerabilities identified)

#### Finalize Plan
- **Objective**: Consolidate all the above information into a formal test plan.
- **Key Deliverables**:
  - Penetration Test Plan document
  - Client approval on the plan
By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.
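The Define Scope and Determine Timeframe deliverables above become far more useful when the testing team encodes them as data and checks every target against them before any activity starts; the following is an added example (not code from the original article) showing such a scope guard. The CIDR ranges, excluded host and dates are constructed placeholders for a hypothetical engagement.

```python
# Added example (not from the original article): the Define Scope and Determine
# Timeframe deliverables encoded as data, so every target is checked against the
# agreed plan before testing. CIDRs and dates below are constructed placeholders.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class TestPlan:
    in_scope: list          # CIDR strings the client authorised
    out_of_scope: list      # CIDR strings explicitly excluded (wins over in_scope)
    start: datetime         # agreed test window
    end: datetime
    blackouts: list = field(default_factory=list)  # (start, end) pairs: no testing

    def target_allowed(self, target: str) -> bool:
        """True only if the IP is in an in-scope range and in no excluded range."""
        addr = ip_address(target)
        if any(addr in ip_network(net) for net in self.out_of_scope):
            return False
        return any(addr in ip_network(net) for net in self.in_scope)

    def time_allowed(self, when: datetime) -> bool:
        """True only if inside the agreed window and outside every blackout."""
        if not (self.start <= when <= self.end):
            return False
        return not any(b0 <= when <= b1 for b0, b1 in self.blackouts)

    def check(self, target: str, when: datetime) -> str:
        """Single verdict for the engagement log; scope is checked before time."""
        if not self.target_allowed(target):
            return "REFUSE: target out of scope"
        if not self.time_allowed(when):
            return "REFUSE: outside agreed testing window"
        return "OK"


# Constructed sample plan: one authorised /24 with one excluded host, a one-week
# window, and a blackout during a hypothetical month-end processing run.
PLAN = TestPlan(
    in_scope=["10.20.30.0/24"],
    out_of_scope=["10.20.30.250/32"],
    start=datetime(2024, 3, 4, 9, 0),
    end=datetime(2024, 3, 8, 18, 0),
    blackouts=[(datetime(2024, 3, 5, 0, 0), datetime(2024, 3, 5, 6, 0))],
)

if __name__ == "__main__":
    for tgt in ["10.20.30.17", "10.20.30.250", "192.0.2.9"]:
        print(tgt, PLAN.check(tgt, datetime(2024, 3, 4, 10, 0)))
```

Logging every REFUSE verdict alongside the signed plan gives both the client and the testers an audit trail that the agreed scope and blackout periods were honoured.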