Collaboratively, the scope of a penetration test should always be customized to suit the unique nature of the business and understanding of their risk profile. A variety of considerations, both internal and external to an organization, impact and guide the scope of a penetration test:

  • The nature of the business and types of products/services offered
  • Compliance requirements and deadlines
  • Geographic considerations
  • Organizational structure
  • The organization’s strategic plans
  • Customer expectations, especially when an organization acts as a custodian of that customer’s data
  • The value of the company’s assets
  • Redundancy in the environment that may impact sampling thresholds
  • Network segmentation and connectivity
  • The age of different components of the environment
  • Recent or planned changes to the environment

All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.

BLUE Pen Test Report