Safeguard
Vulnerability Management

How to scope a penetration test and define rules of engag...

A practical guide to scoping a pentest and writing penetration testing rules of engagement, covering targets, timing, methodology, and legal sign-off.

James
Principal Security Architect
8 min read

Every year, security teams schedule a penetration test, hand the vendor a one-line target list, and then spend the first three days of the engagement clarifying what's actually allowed — which IP ranges are live, whether production is fair game, and who to call if a tester accidentally knocks over a database. That confusion is almost always a scoping failure, not a testing failure. Clear penetration testing rules of engagement (RoE) prevent it by turning vague intent ("test our app") into a written contract covering targets, timing, techniques, and escalation paths before anyone touches a keyboard.

This guide walks through a repeatable pentest scoping guide you can reuse for every engagement: how to inventory assets, pick a methodology, draft the RoE document itself, and verify everything holds up once testing starts. By the end, you'll have a template and checklist for how to plan a pentest that protects both your infrastructure and your legal standing.

1. Define Objectives and Testing Type Before Anything Else

Scoping starts with "why," not "what." A pentest driven by a SOC 2 audit deadline looks different from one triggered by a new product launch or a suspected breach. Write down:

  • Driver: compliance requirement (SOC 2, PCI DSS, ISO 27001), contractual obligation, new architecture, or post-incident validation
  • Test type: black-box, gray-box, or white-box
  • Focus: external network, internal network, web/API application, cloud configuration, mobile, or social engineering
  • Success criteria: what "done" looks like — a report, a fixed set of validated findings, or a compliance attestation

Getting this on paper first keeps the scope from ballooning later, because every subsequent decision (which assets, which methodology, how much time) traces back to this objective.

2. Inventory and Classify In-Scope Assets

You can't scope what you haven't inventoried. Pull a current list of every domain, subdomain, IP range, cloud account, and API endpoint that could plausibly be touched, then explicitly mark each as in-scope, out-of-scope, or "ask before touching."

A simple scope definition file keeps this unambiguous and easy to hand to the testing team:

# scope.yaml
engagement: "Q3-2026-external-pentest"
in_scope:
  domains:
    - app.example.com
    - api.example.com
  cidr_ranges:
    - 203.0.113.0/28
  cloud_accounts:
    - aws:111122223333 (prod-web)
out_of_scope:
  domains:
    - status.example.com   # third-party hosted, no auth to test
  cidr_ranges:
    - 203.0.113.16/28       # shared hosting, other tenants present
ask_before_testing:
  - Production database direct access
  - Third-party SSO provider endpoints

If your environment changed since the last audit, run a quick discovery pass to catch drift before finalizing the list:

# confirm what's actually reachable before you commit to a scope
nmap -sL -iL candidate_ranges.txt -oG - | awk '/Up$/{print $2}'
subfinder -d example.com -silent | httpx -silent -mc 200,301,302

Anything discovered here that isn't already accounted for in your asset inventory is a gap — resolve it before signing anything.

3. Choose a Pentest Methodology and Depth

Pick a recognized framework so the tester's approach is auditable and repeatable rather than ad hoc. Most engagements map to one of these pentest methodology steps:

  1. Reconnaissance — passive and active information gathering against in-scope assets only
  2. Scanning and enumeration — service discovery, version fingerprinting, attack surface mapping
  3. Vulnerability identification — automated scanning plus manual analysis
  4. Exploitation — controlled proof-of-concept exploitation, no destructive payloads without prior approval
  5. Post-exploitation — privilege escalation and lateral movement testing, capped by explicit rules on pivoting
  6. Reporting — findings, severity ratings, evidence, and remediation guidance

Reference a named standard (PTES, OWASP Testing Guide, NIST SP 800-115, or MITRE ATT&CK for adversary emulation) directly in the contract. This matters later: if a finding is disputed, you can point to the documented methodology rather than arguing from memory.

4. Draft the Penetration Testing Rules of Engagement Document

This is the artifact that actually protects you. The penetration testing rules of engagement document should be signed by both the client and the testing team before a single packet is sent, and it needs to answer every question that could come up mid-engagement, not just the obvious ones.

Minimum sections to include:

1. Parties and points of contact (technical + business)
2. Authorized scope (link to scope.yaml or equivalent)
3. Testing window (start/end date, allowed hours, timezone)
4. Permitted techniques (e.g., no DoS, no social engineering unless separately authorized)
5. Data handling rules (what happens to any sensitive data accessed)
6. Communication protocol (status cadence, secure channel)
7. Emergency stop procedure and escalation contacts
8. Legal authorization / "get out of jail" letter
9. Reporting format and delivery deadline
10. Signatures from both parties

Be explicit about techniques that are off by default: denial-of-service testing, physical security testing, and social engineering (phishing, vishing) should each require a separate, affirmative authorization line — never assume they're included just because "full scope" was mentioned in a kickoff call.

5. Define Testing Windows, Communication, and Escalation

Ambiguity about timing causes more mid-test incidents than any technical issue. Set explicit windows and a communication cadence in the RoE itself:

Testing window: 2026-07-14 09:00 – 2026-07-25 17:00 America/New_York
Blackout periods: none (or list maintenance windows, payroll runs, etc.)
Status updates: daily Slack summary in #pentest-2026-q3 by 17:00
Critical finding SLA: notify technical contact within 1 hour of discovery
Emergency stop phrase: "STOP TESTING" posted in shared channel, effective immediately

Name a primary and backup contact on both sides with phone numbers, not just email — if a tester trips a production alert at 2 a.m., email response time isn't fast enough.

6. Secure Legal Sign-Off and Authorization

Before testing begins, confirm:

  • A signed authorization letter naming the specific tester(s) or firm, scope, and dates
  • Cloud provider notification where required (AWS, GCP, and Azure each have penetration testing policies; some require advance notice for specific test types)
  • Confirmation that any third-party-hosted or SaaS assets in scope have been cleared with that vendor — you can't authorize testing against infrastructure you don't own
  • Insurance/liability language reviewed by legal, especially for exploitation and post-exploitation phases

Skipping this step is the single most common way an authorized pentest turns into an unauthorized access incident on paper, even when the technical work was done correctly.

Troubleshooting and Verification

Run through this checklist in the 24 hours before kickoff and again on day one of testing:

  • Scope mismatch: Does every asset the tester can reach match scope.yaml? Re-run discovery and diff against the authorized list — unexpected hosts almost always mean shared infrastructure or stale DNS.
  • Out-of-band assets flagged: If scanning surfaces an asset that redirects to a third-party or shared IP, pull it from scope immediately and document the exclusion in the RoE addendum rather than testing "just to check."
  • No response to status updates: If the daily cadence defined in the RoE goes silent for more than one cycle, treat it as an escalation trigger, not a scheduling inconvenience — pause testing until contact is reestablished.
  • Unclear "stop testing" authority: Confirm before day one who on the client side can actually invoke the emergency stop, and that testers have that contact's direct line, not just a shared inbox.
  • Findings outside agreed severity handling: If a tester finds a critical issue mid-test, verify the notification SLA was met and that remediation guidance was communicated through the agreed channel, not an ad hoc email thread.
  • Post-engagement cleanup: Confirm any test accounts, webshells, or persistence mechanisms created during exploitation were removed, and get written confirmation from the tester that cleanup is complete.

If any of these checks fail, don't proceed to the next testing phase until the RoE is amended and re-acknowledged by both parties — a verbal exception is not a substitute for an updated document.

How Safeguard Helps

Scoping a pentest well depends on knowing your actual attack surface, not the one from last year's architecture diagram. Safeguard continuously maps your software supply chain — dependencies, build pipelines, container images, and exposed services — so the asset inventory you hand to a testing team reflects what's really running in production today, not what's documented in a wiki that hasn't been touched since the last audit.

During scoping, teams use Safeguard's dependency and SBOM visibility to identify which components and services are internet-facing or handle sensitive data, helping prioritize what belongs in-scope versus what's genuinely out of bounds. After the engagement, Safeguard's continuous monitoring tracks whether the vulnerabilities a pentest surfaced get remediated, and flags new exposures introduced between test cycles — so the rules of engagement you wrote for one point-in-time assessment don't become the only visibility you have until next year's test.

If you're building out a recurring pentest program, pairing a disciplined RoE process with continuous attack-surface and supply chain monitoring means fewer surprises during scoping and faster validation that findings actually got fixed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.