Penetration test scope

A sample, anonymized document. An excerpt from a Statement of Work and Rules of Engagement.
About this document. It is an excerpt from a real one, stripped of client data and anything sensitive. Every name, domain, and IP address here is fictional (domains sit in the .example zone, the addressing is anonymized). We are showing it so you can see how we draw the line for a test and what we deliberately put in the “out of scope” section. The commercial layer (exact effort, pricing, day-by-day schedule) is set per engagement.
1. Engagement context
The client profile and the goal of the test shape where we draw the line. So we start with context, not with a tool list.
2. Test goals
We write the goals in the language of the client's risk, not in technical terms. They decide what matters and what is secondary.
- Determine whether someone on the internet can gain unauthorized access to platform users' data.
- Verify data isolation between tenants (broken access control, IDOR, horizontal and vertical authorization flaws).
- Test how well login, password reset, and session management hold up.
- Deliver proof and risk priorities for a remediation plan, plus material for the conversation with a DORA auditor.
3. Test scope (in scope)
Every asset is named. There is no line item like “everything else” or “the rest of the infrastructure.” If it is not on this list, it does not get tested.
4. Test type and perspective
5. Methodology and standards
The methodology exists so the result is repeatable and verifiable, not dependent on what a given tester felt like doing that day.
- PTES as the process for running the test.
- OWASP WSTG 4.x for the web application and the partner portal.
- OWASP API Security Top 10 for the API.
- OWASP MASTG for the mobile app.
- NIST SP 800-115 for the external infrastructure.
- Risk classification and priorities per CVSS 4.0.
6. Rules of Engagement
7. Out of scope
This is the most important part of the document. It is not a list of things we cannot do. It is a list of deliberate decisions, each with a reason.
What we do when we find something past the line. If reconnaissance turns up a meaningful asset outside the scope (say, a forgotten subdomain with an admin panel), we do not test it without extending the engagement. We report it separately as an observation, with a description of the risk. The line protects both sides, but we will not pretend a problem does not exist just because it sits a few feet past the boundary.
8. Effort and deliverables
The number of person-days is the real ceiling on how deep a test can go. We state it plainly, because a scope with no time attached is an intention, not a plan. The figures below are examples.
What the client gets at the end:
- A technical report with proof: reproduction steps, a working proof of concept, priorities per CVSS 4.0, and a concrete fix path for each vulnerability.
- An executive summary in the language of business risk, ready for a conversation with the board and the auditor.
- A session to walk through the results with the client's team.
- A retest of the fixes and written confirmation that the vulnerabilities are gone.
9. Assumptions and conditions
- The client provides test accounts, access to environments, and mobile builds before work starts.
- The client confirms it has the right to commission a test of the listed assets.
- Any change to the scope during the work needs written agreement (a change request).
- Everything is covered by an NDA. When the work is done, test data is deleted per the agreed retention policy.
Book a free 30-minute consultation, no obligation. After the call with a consultant you will have a first draft of a scope that makes sense.