top of page
Writer's pictureChris Odom

HOW TO SCOPE YOUR PENETRATION TEST

If you’re reading this, then you probably don’t need to be convinced that you need to do some penetration testing.

The question now is:

  • What should I penetration test?

  • How much of “it” should I penetration test?

  • Where do I start?

And, I’ll answer your questions with a question of my own… What are your goals?

  • Are you doing a penetration test for compliance reasons?

  • Are you doing a penetration test to test how mature your incident response procedures are?

  • Are you doing a penetration test to leverage the results for some targeted budget?

  • Are you doing a penetration test to check out your internal exposure? External exposure? Patching?

  • Are you doing a penetration test to validate code as part of your software development process?

  • Are you doing a penetration test to verify your sensitive data is protected?

It may be that one (or all) of these things are part of what you want to achieve and it highlights why it’s so important to really think through the scope of what you want/need to be done as part of your penetration test.


But, before I answer your questions you need to know that scoping is step 1 in our 9-step pentest pathway. We have a methodology that has been proven time and time again in its usefulness. You can create your own methodology, you can wing it, you can borrow something else… but why? This is already done and you can download it for free. Click here to request to download a pdf version of the Perfect Pentest Map.



the perfect pentest map

What Should I Penetration Test?

You can’t even begin to test your organization's security if you don’t know what you’re trying to keep secure (think critical assets). This is foundational in determining the scope of the security effort. Ask yourself, “Which applications and services (including business services) are critical for my organization?”

  1. Identify the critical assets and business processes.

  2. Determine the assets’ value to the organization with a “ranking” system.

  3. Set appropriate levels of protection for each asset type.

  4. Understand what data these critical applications create and where this data is stored and backed up.

  5. Once you know these things you should have a good idea of which networks, IP ranges, databases, user accounts, web applications, environments, established security controls, etc will be part of the penetration test.

How Much Should I Penetration Test?


pentest scoping template

Most people don’t have infinite time and/or budgets, so you’ll need to decide whether you want to go narrow and deep, wide and deep, narrow and shallow, or wide and shallow. At a very high level, this is what will ultimately determine the amount of effort (and money) needed to conduct a useful test.

So, how do you determine how wide and/or deep to go? We can’t really answer that for you so you’ll want to revisit your list of questions that you’re trying to answer. Go as wide and as deep as you need to get the answers you’re looking for. Once you have your questions we can certainly help determine precisely what that means in terms of effort.

NOTE: Basic network testing may meet the minimum thresholds for some compliance regulations but if that’s all you do, expect to lose data very soon. Web applications, APIs, and databases typically have direct access to sensitive data. And, Web applications, APIs, databases typically have direct access to the internet via web ports. That means you have connected your sensitive data to the Internet and the only thing in-between is your application security. Network testing is rarely enough.


Where Do I Start?


We like to start from the outside in… unauthenticated and then authenticated. But, the approach will always depend on what you’re testing. Testing web applications is much different than doing external network scans. Regardless of what you need to be done, we have a proven scoping process that we go through with you.


Every company defines Penetration Testing differently. One company may say they do Penetration Testing but, all they do is basic scanning. Make sure you know what you are buying. The devil is in the details. Emagined Security defines our testing option in terms of levels (0 through 3). 90% or more of our tests are at Level 2 (you can see our levels here).


Let’s get started! Give us a call and we can help you define the scope of your next engagement. And, this isn’t a sales call. We don’t do that. 99% of our business comes from past clients and referrals. We honestly just want to see if we can help.


If you want to get crystal clear on the ONE THING you should be doing right now to exceed your Pentest audit, compliance, and security mandates within 30 days


(without convoluted methodologies, confusing findings reports, or obscure remediation steps)

bottom of page