Penetration Testing Assessment: Complete Scoping Guide

Penetration testing assessment success depends on thorough scoping, clear Rules of Engagement, and structured methodologies. Improperly scoped engagements miss critical systems, overspend on unnecessary testing, or create production outages damaging business operations. Professional assessments follow recognized frameworks including PTES, OWASP Testing Guide, OSSTMM, and NIST SP 800-115 ensuring comprehensive coverage, consistent quality, and compliance with industry standards.

This comprehensive guide explains penetration testing assessment planning including pre-engagement questionnaires, scoping decisions, Rules of Engagement, testing methodologies, report structure and interpretation, vendor selection criteria, cost benchmarking, and red flags helping organizations procure high-quality security testing achieving security objectives within budget constraints.

Pre-Engagement Assessment Questionnaire

Professional penetration testing begins with detailed discovery:

Organizational Information

• Industry: Financial, healthcare, retail, manufacturing, technology (affects compliance requirements)
• Company Size: Employee count, revenue, geographic presence
• Compliance Requirements: PCI DSS, HIPAA, SOC 2, ISO 27001, NIST, CMMC
• Testing History: Previous penetration tests, findings, remediation status
• Recent Changes: New applications, infrastructure changes, cloud migrations
• Known Concerns: Specific systems or vulnerabilities worrying stakeholders

Technical Environment

• Network Infrastructure: On-premises, cloud (AWS/Azure/GCP), hybrid
• Asset Inventory: Server count, workstation count, network devices
• Operating Systems: Windows, Linux, macOS distributions and versions
• Applications: Web applications, APIs, mobile apps, desktop software
• Authentication Systems: Active Directory, SSO, MFA implementation
• Security Controls: Firewall, IDS/IPS, EDR, SIEM, WAF
• Remote Access: VPN, RDP, SSH exposure

Testing Objectives

• Primary Goal: Compliance validation, pre-deployment testing, post-breach validation, annual assessment
• Target Systems: Specific applications, entire network, cloud infrastructure
• Attack Scenarios: External attacker, insider threat, specific threat actor simulation
• Depth of Testing: Surface-level scan vs comprehensive exploitation vs post-exploitation

Assessment Frameworks and Methodologies

PTES (Penetration Testing Execution Standard)

Overview: Most widely adopted penetration testing methodology providing standardized approach

Seven Phases:

1. Pre-engagement Interactions: Scoping, legal agreements, communication protocols
2. Intelligence Gathering: OSINT, DNS enumeration, subdomain discovery
3. Threat Modeling: Attack path identification and prioritization
4. Vulnerability Analysis: Automated scanning and manual verification
5. Exploitation: Validate vulnerabilities through exploitation
6. Post-Exploitation: Lateral movement, privilege escalation, data access
7. Reporting: Technical and executive documentation

Best For: Comprehensive network penetration testing

OWASP Testing Guide

Overview: Comprehensive framework specifically for web application security testing

Testing Categories:

• Information gathering and configuration management
• Identity management and authentication
• Authorization testing
• Session management
• Input validation (SQL injection, XSS, XXE)
• Error handling and logging
• Cryptography verification
• Business logic testing
• Client-side security
• API security

Best For: Web applications, APIs, SaaS platforms

OSSTMM (Open Source Security Testing Methodology Manual)

Overview: Scientific methodology focusing on measurable security testing

Channels Tested:

• Human (social engineering)
• Physical (facility security)
• Wireless (WiFi, Bluetooth)
• Telecommunications (VoIP, PBX)
• Data networks (traditional networking)

Best For: Comprehensive assessments requiring physical and social engineering testing

NIST SP 800-115

Overview: Federal government framework for security testing

Four Phases:

1. Planning (objectives, scope, resources, legal)
2. Discovery (network reconnaissance, vulnerability identification)
3. Attack (exploitation, password attacks, social engineering)
4. Reporting (findings, business impact, recommendations)

Best For: Government contractors, organizations requiring NIST compliance

Scoping the Assessment

What to Include

External Perimeter:

• All public-facing IP addresses and domains
• Web applications and APIs
• Mail servers and email infrastructure
• VPN endpoints
• DNS servers
• Cloud infrastructure (AWS, Azure, GCP)

Internal Network:

• Internal IP ranges (specify VLANs if segmented)
• Active Directory and domain controllers
• Database servers
• Critical application servers
• Network devices (routers, switches, firewalls)
• Workstations (representative sample if thousands)

Applications:

• Production web applications
• Mobile applications (iOS, Android)
• Desktop applications
• APIs (REST, SOAP, GraphQL)

What to Exclude

Common Exclusions:

• Production databases (read-only access only)
• Payment processing systems (PCI restrictions)
• Medical devices (patient safety concerns)
• Systems scheduled for decommission
• Third-party hosted services (require separate authorization)
• Denial-of-service attacks (unless specifically authorized)

Scope Creep Prevention:

• Document exact IP ranges (203.0.113.0/24 vs vague "external network")
• Specify included domains (app.company.com included, partner.company.com excluded)
• List excluded systems explicitly preventing accidental testing
• Define testing boundaries for cloud resources (specific VPCs, resource groups)

Rules of Engagement (RoE)

RoE document defines testing boundaries, procedures, and communication protocols:

Essential RoE Components

Legal Authorization:

• Written permission signed by authorized representative (CEO, CIO, CISO)
• Explicit systems, IP ranges, domains authorized for testing
• Testing techniques authorized (exploitation, social engineering, physical)
• Legal indemnification protecting testers acting within scope

Testing Windows:

• 24/7 Testing: External systems typically allow anytime testing
• Business Hours Only: Internal testing restricted to 8 AM - 6 PM weekdays
• Maintenance Windows: Intrusive tests during scheduled maintenance
• Blackout Periods: No testing during peak business (month-end for financial, holidays for retail)

Communication Protocols:

• Daily Status Updates: Email or Slack channel
• Critical Findings: Immediate notification (within 1 hour) via phone/text
• Emergency Contacts: 24/7 contact list if testing causes issues
• Secure Communication: Encrypted channels for sensitive findings

Testing Limitations:

• Maximum scan rate (packets per second) preventing network saturation
• No denial-of-service attacks unless authorized
• No data destruction or modification
• No social engineering beyond defined parameters
• Immediate cessation if unintended impact observed

Data Handling:

• No accessing, copying, or exfiltrating actual customer data
• Secure storage of engagement data (screenshots, reports, credentials)
• Data destruction timeline post-engagement (typically 90 days)
• NDA covering all findings and discoveries

Cost and Timeline Benchmarking

External Penetration Testing

• Small Scope: 1-10 IP addresses, 1-2 web apps: $5,000-$10,000, 3-5 days
• Medium Scope: 10-50 IPs, 3-5 web apps: $10,000-$20,000, 5-7 days
• Large Scope: 50-200 IPs, 5-10 web apps: $20,000-$40,000, 10-15 days

Internal Penetration Testing

• Small Network: Single location, <100 hosts: $8,000-$15,000, 5-7 days
• Medium Network: 2-5 locations, 100-500 hosts: $15,000-$30,000, 7-10 days
• Large Network: 5+ locations, 500-2,000+ hosts: $30,000-$60,000, 10-15 days

Web Application Testing

• Basic Web App: 5-10 pages, simple functionality: $4,000-$8,000, 3-5 days
• Complex Web App: 50+ pages, authentication, database: $8,000-$18,000, 5-10 days
• Enterprise Application: Multi-role, complex business logic: $18,000-$35,000, 10-15 days

Specialized Testing

• Wireless Assessment: $5,000-$12,000, 2-4 days
• Social Engineering: $3,000-$8,000, 1-3 days
• Physical Penetration: $6,000-$15,000, 2-5 days
• Cloud Security Review: $10,000-$25,000, 5-8 days

Total Engagement Timeline:

• Testing: 5-15 business days (depending on scope)
• Reporting: 5-7 business days
• Debrief Presentation: 1-2 days
• Total: 3-4 weeks from kickoff to final report

Interpreting Penetration Test Reports

Report Structure

1. Executive Summary (For C-Suite and Board):

• Overall security posture rating (weak, moderate, strong)
• Critical findings count and business impact
• Attack scenario summary (external compromise, internal lateral movement, data access)
• High-level recommendations with business context
• Comparison to previous assessments if available

2. Methodology and Scope:

• Testing framework used (PTES, OWASP, NIST)
• In-scope and out-of-scope systems
• Testing dates and duration
• Tools and techniques employed
• Testing limitations and constraints

3. Technical Findings:

• Finding title and unique identifier
• CVSS score and severity rating
• Affected systems and services
• Detailed vulnerability description
• Proof-of-concept demonstrating exploitability
• Business impact assessment
• Remediation recommendations with specific technical steps
• CVE references and external resources

4. Attack Narratives:

• Step-by-step description of successful attack chains
• Initial access method
• Lateral movement path
• Privilege escalation techniques
• Critical data or systems accessed
• Screenshots and evidence

5. Remediation Roadmap:

• Prioritized action items (critical → high → medium → low)
• Quick wins (configuration changes deployable immediately)
• Short-term fixes (patching, 1-30 days)
• Long-term improvements (architecture changes, 30-90 days)
• Estimated effort and resource requirements

Understanding Finding Severity

Critical Findings (CVSS 9.0-10.0):

• Remote code execution on internet-facing systems
• Complete authentication bypass
• SQL injection with data access
• Domain administrator compromise

Action Required: Emergency patching within 24-48 hours

High Findings (CVSS 7.0-8.9):

• Privilege escalation vulnerabilities
• Information disclosure exposing credentials
• Cross-site scripting allowing session hijacking
• Weak encryption or authentication

Action Required: Remediate within 7-14 days

Medium Findings (CVSS 4.0-6.9):

• Information disclosure (non-sensitive)
• Expired SSL certificates
• Missing security headers
• Verbose error messages

Action Required: Remediate within 30-60 days

Low Findings (CVSS 0.1-3.9):

• Banner disclosure (version information)
• Best practice recommendations
• Informational findings

Action Required: Next maintenance window or 90 days

Selecting Penetration Testing Vendor

Qualification Verification

Required Certifications (Verify Actual Testing Team):

• OSCP (Offensive Security Certified Professional): Industry gold standard, hands-on 24-hour exam
• GPEN (GIAC Penetration Tester): Comprehensive methodology certification
• GWAPT (GIAC Web Application Penetration Tester): For web app testing
• CEH (Certified Ethical Hacker): Entry-level, acceptable combined with experience

Warning: Verify certifications are held by actual testers performing your engagement, not just company leadership. Request tester resumes and certification verification.

Experience Requirements:

• 5+ years penetration testing experience
• Industry-specific experience (financial, healthcare, your vertical)
• References from similar-sized organizations
• Published security research or CVE discoveries (demonstrates expertise)

Evaluation Criteria

Methodology:

• Follow recognized framework (PTES, OWASP, NIST)
• Manual testing supplementing automated scanning
• False positive elimination process
• Detailed documentation approach

Deliverables:

• Technical report with detailed findings
• Executive summary for non-technical stakeholders
• Proof-of-concept screenshots and evidence
• Remediation guidance with specific technical steps
• Raw scanner output if requested

Post-Engagement Support:

• Remediation validation testing (retest after fixes applied)
• Technical support answering remediation questions
• Debrief presentation to stakeholders
• Availability for audit support if compliance-driven

Red Flags in Vendor Selection

Pricing Red Flags:

• Significantly Lowest Bid: Sub-$5,000 quotes for network penetration tests indicate automated-only testing
• Per-Hour Pricing: Creates incentive to extend engagement unnecessarily
• Fixed Price Without Scoping: Impossible to accurately price without understanding scope

Qualification Red Flags:

• No certified testers on staff
• Won't provide tester resumes or credentials
• No relevant industry experience
• Unable to provide client references
• Won't provide sample report (redacted)

Process Red Flags:

• Automated-only testing without manual validation
• Generic templates instead of customized reports
• No pre-engagement discovery or scoping call
• Unwilling to sign NDA protecting your data
• No defined communication protocols
• No emergency contact procedures

Engagement Red Flags:

• Offshore testing teams without clear communication
• Subcontracting without disclosure
• No errors and omissions insurance
• Rushed timeline (comprehensive test requires adequate time)

RFP Questions to Ask Vendors

Company and Team

1. How long have you provided penetration testing services?
2. How many penetration testers do you employ full-time?
3. What certifications do your testers hold?
4. Will you provide tester resumes for our engagement?
5. Do you use subcontractors or offshore resources?
6. Can you provide 3 client references in our industry?
7. What errors and omissions insurance coverage do you carry?

Methodology and Process

1. What testing framework do you follow?
2. What percentage of testing is automated vs manual?
3. How do you handle false positives?
4. Do you test exploit chains and lateral movement?
5. How do you prioritize findings in reports?
6. What tools do you use?
7. Do you provide proof-of-concept for findings?

Deliverables and Support

1. Can you provide sample report (redacted)?
2. What deliverables are included in base price?
3. Do you provide remediation validation testing?
4. How long after testing will we receive report?
5. Do you provide presentation to our team?
6. What post-engagement support is included?
7. Are you available for audit support if needed?

Compliance and Legal

1. Have you conducted PCI DSS/HIPAA/SOC 2 penetration tests?
2. Do your reports meet compliance requirements?
3. Will you sign our NDA?
4. What is your data retention and destruction policy?
5. How do you handle discovered compliance violations?

Preparing for Assessment

Pre-Engagement Preparation

2-4 Weeks Before:

• Complete asset inventory
• Identify stakeholders and emergency contacts
• Review and update network diagrams
• Notify SOC team and security monitoring to expect testing
• Brief IT operations on testing windows

1 Week Before:

• Finalize Rules of Engagement
• Sign legal authorization
• Whitelist tester IP addresses (if required)
• Provide credentials if authenticated testing
• Establish communication channels (Slack, email, phone)

During Testing:

• Monitor for alerts about tester activity
• Respond promptly to tester questions
• Document any business interruptions
• Track critical findings for immediate action

Post-Testing:

• Review technical report thoroughly
• Ask questions about unclear findings
• Schedule debrief presentation
• Develop remediation plan with timelines
• Schedule retest for validation

Maximizing Assessment Value

Beyond Basic Compliance

Don't treat penetration testing as checkbox exercise:

• Test Realistic Scenarios: Simulate threats your organization actually faces
• Include Crown Jewels: Ensure testing covers most critical assets
• Purple Team Approach: Have SOC observe testing improving detection capabilities
• Remediation Focus: Prioritize fixing findings over perfect initial security
• Continuous Improvement: Track security improvement year-over-year

Post-Engagement Actions

1. Immediate (24-48 hours): Address critical findings with emergency patching
2. Short-Term (1-4 weeks): Remediate high-severity findings
3. Medium-Term (1-3 months): Address medium-severity findings
4. Quarterly Retest: Validate critical and high findings fixed
5. Annual Reassessment: Comprehensive retest showing security improvement

Taking Action

Organizations should approach penetration testing assessment with:

1. Clear Objectives: Define testing goals (compliance, pre-deployment, risk assessment)
2. Proper Scoping: Include all critical systems without overextending budget
3. Qualified Vendor: Verify certifications, experience, references
4. Detailed RoE: Clear scope, communication, legal authorization
5. Stakeholder Preparation: Brief IT, security, executive teams
6. Remediation Planning: Budget time and resources for fixing findings
7. Validation Testing: Confirm vulnerabilities actually resolved

subrosa provides professional penetration testing services following PTES, OWASP, and NIST methodologies with OSCP and GPEN certified testers averaging 8+ years experience. Our assessments include thorough scoping calls understanding your environment and objectives, clearly defined Rules of Engagement protecting your operations, comprehensive testing combining automated scanning with manual exploitation, detailed technical reports with proof-of-concepts and specific remediation guidance, executive summaries for board presentation, debrief presentations explaining findings, and complimentary remediation validation ensuring fixes are effective. We specialize in compliance-driven testing meeting PCI DSS, HIPAA, SOC 2, and ISO 27001 requirements with auditor-ready documentation.