How to Scope a Penetration Test

Scoping a penetration test can be challenging, particularly if it’s the first time you’re commissioning testing for your organisation. It may not be immediately obvious what types of testing you need and what systems should be included.

In this blog, we’ll cover the drivers for testing, the most common types of testing as well as the most common approaches.

But before we dive in, it’s essential to note that most clients won’t test everything. Some organisations will focus testing on their highest risk systems (such as those that are externally facing), while others will vary the frequency of the testing to ensure that lower risk systems are tested less frequently.


Drivers for Testing

When trying to understand your scoping requirements, exploring the drivers for a penetration test is a good place to start. Is testing being driven by compliance/has it been requested by a client? What systems have been requested to be tested and does the penetration test need to cover certain frameworks such as the OWASP Top 10? Perhaps testing has been driven by a security incident, in which case you may want to prioritise systems that were involved.


Risk Assessment

It’s also important to conduct a risk assessment ahead of scoping to identify and prioritise your organisation’s IT risks and the associated systems. Some systems, such as those hosting internet-facing services will be at a higher risk of compromise than those only hosting services internally on the private network. Similarly, the rich functionality offered by any custom-built web applications increases the likelihood of a major vulnerability being present and can also put them at a higher risk of compromise. Understanding where your valuable assets are held and which are most at risk can allow you to identify where testing efforts should be focussed.


Types of Penetration Testing

External Network Testing: Involves testing your internet-facing services to identify vulnerabilities that an attacker may use to compromise your external services, internal network, and/or company data. Typically a pentest provider will want to know how many IP addresses are in scope and what services are accessible at these addresses.

Internal Network Testing: Involves testing your internal network to identify vulnerabilities that attackers can use to escalate their privileges and potentially compromise the domain. You may be asked how many subnets are in scope (and their locations), how many hosts are on each subnet, and whether you utilise Active Directory.

Wireless Testing: Involves testing your wireless networks/access points to identify whether an attacker is able to gain access. Activities involve looking for rogue access points and testing the configuration/encryption of the wireless protocols. You may be asked how many SSIDs are in scope and what sort of cryptographic protocols are in use.

Web Application Testing: Involves testing custom-built web applications to identify any vulnerabilities that may impact the confidentiality, integrity, and availability of the application and/or its data. Common vulnerabilities identified include cross-site scripting (XSS), SQL injection and authentication/access control flaws. You may be asked how many unique functions/backend calls the application makes, how many major user roles there are, and what technology stack is in use.

Mobile Application Testing: Involves evaluating the security of mobile applications to identify vulnerabilities in the code and backend API calls. You may be asked whether the apps are hybrid or native, whether there is any obfuscation or root/jailbreaking detection in place, and how many backend calls the application makes to the APIs.


Testing Approaches

Black-Box Testing: The approach involves testing with little or no prior knowledge about the applications/services in scope. No privileged access is provided. This approach is typically taken during external network testing and provides the most realistic idea of what an attacker is able to accomplish.

Grey-Box Testing: The approach involves testing with some limited allowances, for example, credentials for privileged access to a web application. This approach is typically taken with web/mobile application and internal network testing and delivers a more thorough test as it allows for an examination of vulnerabilities that may not have been reachable/identifiable during black-box testing.

White-Box Testing: This testing approach involves providing the tester with full access to system information including source code, network topologies and architectural documentation. This approach may be taken during application testing or internal network testing and can help to identify additional vulnerabilities. That said, this testing approach doesn’t mimic what an attacker could do because typically they won’t have access to full system information.


Predatech is a cyber security consultancy that offers a range of services including CREST accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.

Latest Posts