This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Pre-Engagement Activities

Why Do You Need to Know This?

Pre-engagement is where penetration tests succeed or fail—before you even touch a computer. Poor scoping leads to missed vulnerabilities or testing the wrong systems. Bad communication creates unrealistic expectations. Weak contracts leave you legally exposed. And rushed planning results in incomplete testing that misses critical issues. Getting these fundamentals right determines whether you deliver value or waste everyone's time.

Scoping and Requirements Gathering

Defining What You're Actually Testing

The Scope Problem: Clients often say "test our network" or "check our security" without understanding what that means. Your job is to translate vague requests into specific, testable targets.

Technical Scope Definition:

  • IP Ranges: Exactly which network ranges are in scope (192.168.1.0/24, not "our internal network")

  • Domain Names: Specific domains and subdomains you can test

  • Applications: URLs, APIs, and web applications by name and version

  • Physical Locations: Which offices, data centers, or facilities are included

  • User Accounts: Whether you can test with provided credentials or create test accounts

What's Out of Scope:

  • Third-Party Services: Customer systems, partner networks, cloud providers

  • Production Data: Live customer information, financial records, personal data

  • Critical Systems: Emergency services, life safety systems, revenue-critical applications

  • Denial of Service: Unless specifically approved with detailed constraints

Understanding Business Context

Why This Matters: A SQL injection in a test database isn't the same as one in the production customer database. Understanding business impact helps you prioritize findings.

Key Questions to Ask:

  • What type of data does this system handle? (customer data, financial records, intellectual property)

  • How critical is system availability? (can we test during business hours?)

  • What compliance requirements apply? (financial regulations, healthcare privacy, etc.)

  • What specific threats are you most concerned about? (competitors, nation-states, criminals)

  • What previous security incidents have you experienced?

Business Impact Assessment:

  • High Impact: Customer-facing systems, financial applications, authentication services

  • Medium Impact: Internal tools, development environments, backup systems

  • Low Impact: Test systems, staging environments, documentation sites

Types of Penetration Tests

External Testing: Testing from outside the network perimeter

  • Simulates internet-based attackers

  • Tests firewalls, web applications, public services

  • No internal network access initially

Internal Testing: Testing from inside the network

  • Simulates malicious insiders or compromised accounts

  • Tests internal segmentation and lateral movement

  • Assumes initial network access

Web Application Testing: Focused on specific applications

  • OWASP methodology and tools

  • Authentication, authorization, input validation

  • Business logic and workflow testing

Wireless Testing: WiFi and wireless infrastructure

  • Encryption strength and configuration

  • Rogue access point detection

  • Wireless client security

Social Engineering: Human-focused attacks

  • Phishing campaigns and email security

  • Phone-based pretexting attacks

  • Physical security and tailgating

Red Team Assessment: Comprehensive adversary simulation

  • Multiple attack vectors simultaneously

  • Stealth and persistence requirements

  • Detection and response testing

Client Communication

Setting Proper Expectations

Managing Unrealistic Expectations: Many clients expect you to "hack everything" or find specific vulnerabilities. Your job is to educate them about what penetration testing can and cannot accomplish.

What Penetration Testing Is:

  • Point-in-time security assessment

  • Sampling of potential vulnerabilities

  • Validation of security controls

  • Risk identification and prioritization

What Penetration Testing Is Not:

  • Guarantee that no vulnerabilities exist

  • Comprehensive security audit

  • Compliance certification

  • Ongoing security monitoring

Communication Protocols

Regular Check-ins: Establish how often you'll communicate progress

  • Daily updates for critical findings

  • Weekly status reports for longer engagements

  • Immediate notification for emergency situations

Escalation Procedures: Who to contact when things go wrong

  • Technical Contact: IT administrator who can resolve technical issues

  • Business Contact: Decision-maker who can authorize scope changes

  • Emergency Contact: 24/7 contact for critical security findings

  • Legal Contact: Legal counsel for contract or liability issues

Reporting Timeline: When and how you'll deliver results

  • Preliminary Findings: Critical vulnerabilities requiring immediate attention

  • Draft Report: Complete technical findings for review and clarification

  • Final Report: Polished deliverable with executive summary and recommendations

  • Presentation: Executive briefing and technical deep-dive sessions

Managing Scope Changes

Scope Creep: Clients often want to add systems or change requirements mid-engagement

  • All scope changes must be documented in writing

  • Additional work requires contract amendments

  • Timeline and cost impacts must be clearly communicated

Discovery of New Systems: What happens when you find undocumented systems

  • Report discovery immediately to technical contact

  • Request written authorization before testing new systems

  • Document new systems in final report even if not tested

Documentation and Contracts

Essential Contract Elements

Statement of Work (SOW):

  • Objectives: What the client wants to accomplish

  • Scope: Exactly what systems and networks you'll test

  • Methodology: Which frameworks and standards you'll follow

  • Deliverables: What reports and presentations you'll provide

  • Timeline: Start date, milestones, and delivery dates

  • Acceptance Criteria: How success will be measured

Legal Protection:

  • Authorization: Explicit permission to test specified systems

  • Liability Limitations: Caps on potential damages you could be responsible for

  • Indemnification: Protection against third-party claims

  • Force Majeure: Protection against unforeseeable circumstances

Technical Specifications:

  • Testing Methods: Which tools and techniques are approved

  • Traffic Limits: Rate limiting to avoid service disruption

  • Data Handling: How to manage sensitive information discovered

  • Reporting Requirements: Format, content, and delivery specifications

Rules of Engagement (RoE)

The RoE document provides detailed operational guidance:

Technical Constraints:

  • Approved Tools: Specific scanners, frameworks, and utilities

  • Prohibited Actions: Denial of service, data modification, social engineering

  • Rate Limiting: Maximum requests per second to avoid impact

  • Safe Words: Codes to immediately stop testing if problems occur

Operational Procedures:

  • Testing Windows: Specific days and hours when testing is permitted

  • Communication Protocols: How to report findings and coordinate activities

  • Emergency Procedures: What to do if you cause an outage or find active attacks

  • Documentation Standards: What evidence you can collect and how to handle it

Example RoE Clause: "Penetration testing is authorized against systems listed in Appendix A during business hours (9 AM - 5 PM local time) Monday through Friday. Scanning rates must not exceed 10 requests per second per target. Any system outage or suspected active compromise must be reported immediately to the emergency contact. No denial-of-service testing is permitted without separate written authorization."
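As an added illustration (not code from the original guide), the following Python encodes that clause as a pre-flight guard a tester can run before every request: the in-scope and excluded ranges are constructed stand-ins for "Appendix A", while the Monday-Friday 9 AM - 5 PM window and the 10 requests per second per target cap are taken from the clause itself.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed example scope standing in for the RoE's "Appendix A":
# approved ranges plus carve-outs for systems the client excluded.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.20.0.0/16")]
EXCLUDED = [ipaddress.ip_network(n) for n in ("10.20.5.0/24", "192.168.1.250/32")]


def in_scope(target: str) -> bool:
    """A target is in scope only if it falls inside an approved range
    and inside none of the excluded ones; exclusions always win."""
    ip = ipaddress.ip_address(target)
    if any(ip in net for net in EXCLUDED):
        return False
    return any(ip in net for net in IN_SCOPE)


def in_testing_window(now: datetime) -> bool:
    """Monday-Friday, 09:00-17:00 local time, as in the example clause.
    `now` is assumed to already be expressed in the client's local time."""
    return now.weekday() < 5 and 9 <= now.hour < 17


class TargetRateLimiter:
    """Fixed one-second window: at most `limit` requests per target per second."""

    def __init__(self, limit: int = 10):
        self.limit = limit
        self._counts = defaultdict(int)  # (target, whole second) -> requests sent

    def allow(self, target: str, ts: float) -> bool:
        key = (target, int(ts))
        if self._counts[key] >= self.limit:
            return False
        self._counts[key] += 1
        return True


def authorize(target: str, when: str, limiter: TargetRateLimiter) -> tuple:
    """Gate one request against all three constraints; `when` is an ISO 8601
    local timestamp. Returns (allowed, reason) so refusals can be logged."""
    now = datetime.fromisoformat(when)
    if not in_scope(target):
        return False, "out of scope"
    if not in_testing_window(now):
        return False, "outside testing window"
    if not limiter.allow(target, now.timestamp()):
        return False, "rate limit exceeded"
    return True, "ok"
```

Wiring the guard in front of a scanner's request loop makes scope violations and window breaches fail closed instead of relying on memory of the RoE.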

Data Handling Requirements

Sensitive Data Discovery: What to do when you find sensitive information

  • Stop and Notify: Don't continue accessing sensitive data unnecessarily

  • Document Safely: Record the existence and location without copying content

  • Secure Handling: Encrypt and protect any evidence you must collect

  • Proper Disposal: Securely delete all client data after engagement completion

Data Retention Policies:

  • How long you can retain test data and findings

  • Secure storage requirements for sensitive information

  • Client rights to request data deletion

  • Backup and archival procedures

Test Planning and Timeline

Engagement Phases and Duration

Phase 1: Reconnaissance and Information Gathering (20-30% of time)

  • Passive reconnaissance and OSINT collection

  • Active scanning and service enumeration

  • Network mapping and asset discovery

  • Initial vulnerability identification

Phase 2: Vulnerability Analysis and Exploitation (40-50% of time)

  • Detailed vulnerability assessment

  • Exploitation attempts and proof-of-concept development

  • Privilege escalation and lateral movement

  • Persistence and access maintenance

Phase 3: Documentation and Reporting (20-30% of time)

  • Evidence compilation and organization

  • Risk assessment and business impact analysis

  • Report writing and quality assurance

  • Presentation preparation and delivery

Timeline Estimation Factors

Scope Complexity:

  • Simple: Single web application or small network (1-2 weeks)

  • Medium: Multiple applications or medium network (2-4 weeks)

  • Complex: Large enterprise environment or multiple locations (4-8 weeks)

Testing Depth:

  • Basic: Automated scanning with manual verification (faster)

  • Standard: Manual testing with custom exploit development (moderate)

  • Advanced: Deep analysis with custom tools and techniques (slower)

Client Responsiveness:

  • Responsive: Quick answers to questions and scope clarifications

  • Slow: Delayed responses that extend timeline

  • Non-responsive: Significant delays requiring timeline adjustments

Resource Planning

Personnel Requirements:

  • Lead Tester: Senior practitioner responsible for technical execution

  • Junior Tester: Support for scanning, research, and documentation

  • Specialist: Expert in specific technologies (web apps, Active Directory, etc.)

  • Project Manager: Coordination, communication, and timeline management

Tool and Infrastructure Needs:

  • Testing Platform: Laptop or workstation with penetration testing tools

  • Network Access: VPN or physical access to client environment

  • Cloud Resources: Virtual machines for testing and tool hosting

  • Communication Tools: Secure channels for reporting sensitive findings

Risk Management During Planning

Technical Risks:

  • System Outages: How to minimize impact on business operations

  • Data Exposure: Procedures for handling sensitive information discovery

  • Detection: Balancing stealth requirements with thorough testing

  • Scope Expansion: Managing requests for additional testing

Business Risks:

  • Timeline Delays: Buffer time for unexpected discoveries or complications

  • Resource Conflicts: Availability of client personnel for coordination

  • Regulatory Issues: Compliance requirements that affect testing methods

  • Third-Party Dependencies: External systems or vendors that affect scope

Coordination with Client Teams

IT Operations:

  • Notification about testing activities to avoid interference

  • Coordination with maintenance windows and system changes

  • Emergency contact procedures for technical issues

Security Team:

  • Understanding of current security monitoring and response capabilities

  • Coordination to avoid triggering unnecessary incident response

  • Knowledge sharing about known issues and previous assessments

Management:

  • Expectations about interim reporting and communication

  • Authority for scope changes and emergency decisions

  • Scheduling for final presentation and executive briefing

Success Criteria: Clear metrics for engagement success

  • Coverage: Percentage of systems successfully tested

  • Findings: Quality and relevance of identified vulnerabilities

  • Documentation: Completeness and clarity of final report

  • Client Satisfaction: Meeting stated objectives and expectations

Remember that thorough pre-engagement activities prevent most problems during testing. Time invested in planning, scoping, and communication pays dividends in smoother execution and better results. A well-planned engagement runs itself; a poorly planned one becomes a constant crisis.
