2.1
Reading the Scope of Work
Before you touch a keyboard, you read the scope. Every time. The scope of work defines what you can test, when you can test it, and who to call when something goes wrong. Miss something here and you’re either testing systems you shouldn’t be, or missing systems you should.
The problem is that scoping documents aren’t always clean. Clients write them in a hurry. IP ranges are wrong. Contacts are incomplete. Testing windows conflict with maintenance schedules nobody told you about. Part of your job as a penetration tester is to read critically and catch any errors that you see.
Here’s what to look for every time:
Target ranges: Do the IP ranges match the engagement description? Is anything suspiciously large or small?
Testing windows: Do they conflict with maintenance, deployments, or business-critical periods?
Contacts: Is every contact named, reachable, and confirmed? Do you have a phone number for emergencies?
Ambiguities: Is anything vague enough that two reasonable people could interpret it differently?
TadiSec has received the scope of work for the Navigating Security Corp engagement. Review the document on the right and flag every section that contains an issue. There are 3 problems to find.
Spot the Issues: Scope of Work
spot-the-issues
Review each section of the scope document below. Click on any section that contains an issue; something missing, ambiguous, or risky. There are 3 issues to find.