Pre-Engagement
The foundation of any professional penetration test. Proper pre-engagement ensures legal protection, clear expectations, and a successful assessment.
⚖️ Why Pre-Engagement Matters
Critical Legal Requirement
⚠️ Legal Reality: Testing without authorization can result in criminal charges under computer crime laws (CFAA in the US, CMA in the UK, etc.), even if you find vulnerabilities.
Scope Definition
Clearly defining the scope prevents misunderstandings and ensures both parties agree on what will be tested.
In-Scope Items
Document exactly what is included in the assessment:
| Item Type | Examples | Details to Capture |
|---|---|---|
| Domains | example.com, *.example.com | Include/exclude subdomains |
| IP Ranges | 192.168.1.0/24, 10.0.0.1-10.0.0.50 | CIDR notation or range |
| Applications | Web app, API, Mobile backend | URLs, endpoints, versions |
| Environments | Production, Staging, Development | Access credentials if needed |
| Authentication | User roles to test | Admin, User, Guest accounts |
Out-of-Scope Items
Equally important: document what is NOT to be tested:
- Third-party services and CDNs (unless explicitly authorized)
- Physical security testing
- Social engineering of employees (unless agreed)
- Denial of Service (DoS) testing
- Production databases with real customer data
- Partner/vendor systems
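A scope guard is the practical counterpart of the two lists above: every target is checked against the in-scope entries (domains, wildcard subdomains, CIDR blocks, IP ranges) and the exclusions before any tool touches it, with exclusions always winning. This is an added example, not part of the original page; the scope entries and the hyphenated range format are constructed to mirror the tables above.

```python
import ipaddress

# Constructed scope lists mirroring the in-scope / out-of-scope examples above.
SCOPE_IN = ["example.com", "*.example.com", "192.168.1.0/24", "10.0.0.1-10.0.0.50"]
SCOPE_OUT = ["cdn.example.com", "192.168.1.1"]  # third-party CDN and a host excluded by agreement


def _expand(entry):
    """Return ip_network objects for a CIDR block or 'start-end' range, or None for a domain entry."""
    entry = entry.strip()
    try:
        return [ipaddress.ip_network(entry, strict=False)]  # single IP or CIDR
    except ValueError:
        pass
    if "-" in entry:  # hyphenated range such as 10.0.0.1-10.0.0.50
        try:
            parts = [ipaddress.ip_address(p.strip()) for p in entry.split("-", 1)]
            return list(ipaddress.summarize_address_range(parts[0], parts[1]))
        except ValueError:
            pass  # not a valid range (e.g. a hyphenated domain name), fall through
    return None


def _domain_matches(pattern, host):
    """Exact match, or wildcard '*.example.com' matching any subdomain but not the apex itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _matches(entry, target):
    nets = _expand(entry)
    if nets is None:
        return _domain_matches(entry, target)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # a hostname never matches an IP entry
    return any(addr in n for n in nets)


def in_scope(target, scope_in=SCOPE_IN, scope_out=SCOPE_OUT):
    """True only if target matches an in-scope entry and no out-of-scope entry; exclusions win."""
    if any(_matches(e, target) for e in scope_out):
        return False
    return any(_matches(e, target) for e in scope_in)


if __name__ == "__main__":
    for t in ["api.example.com", "cdn.example.com", "192.168.1.37", "10.0.0.51", "example.com"]:
        print(f"{t:20} -> {'IN SCOPE' if in_scope(t) else 'OUT OF SCOPE'}")
```

Run this check inside any wrapper that feeds targets to scanners; a target that fails it is simply never passed on.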
Authorization Documentation
Obtain written authorization from someone with the legal authority to approve testing. The template below shows what such a letter typically includes:
Authorization Letter Template
PENETRATION TESTING AUTHORIZATION LETTER
Date: [DATE]
Project Name: [PROJECT NAME]
This letter serves as formal authorization for [COMPANY/TESTER NAME]
to conduct penetration testing activities against the following systems
owned by [CLIENT ORGANIZATION]:
AUTHORIZED TARGETS:
- [List all in-scope targets]
TESTING PERIOD:
Start Date: [START DATE]
End Date: [END DATE]
Testing Hours: [e.g., 24/7 or Business Hours Only]
AUTHORIZED ACTIVITIES:
- Vulnerability scanning
- Manual penetration testing
- [List specific activities]
EXCLUDED ACTIVITIES:
- [List any restrictions]
EMERGENCY CONTACTS:
Primary: [NAME] - [PHONE] - [EMAIL]
Secondary: [NAME] - [PHONE] - [EMAIL]
AUTHORIZATION:
I, [AUTHORIZER NAME], [TITLE], hereby authorize the above-described
penetration testing activities.
Signature: _______________________
Date: ___________________________
Rules of Engagement (RoE)
The Rules of Engagement document defines how the test will be conducted:
Testing Parameters
- Test Type: Black-box, Gray-box, or White-box
- Timing: Business hours or after-hours
- Notification: Announced or unannounced
- Approach: Aggressive or cautious
Communication Protocol
- Status Updates: Daily, weekly, or milestone-based
- Critical Findings: Immediate notification process
- Escalation Path: Who to contact and when
- Secure Channels: Encrypted email, secure portal
Testing Types Explained
| Type | Knowledge Level | Simulates | Best For |
|---|---|---|---|
| Black-box | No prior knowledge | External attacker | Real-world attack simulation |
| Gray-box | Partial knowledge (credentials, docs) | Insider threat / compromised user | Efficient testing with context |
| White-box | Full knowledge (source code, architecture) | Comprehensive code review | Maximum coverage |
Non-Disclosure Agreement (NDA)
An NDA protects both parties by ensuring confidentiality of:
- Vulnerabilities discovered during testing
- Client's proprietary information and architecture
- Testing methodologies and tools used
- All reports and documentation produced
Sample Engagement Timeline
| Phase | Duration | Deliverable |
|---|---|---|
| Pre-Engagement | 1-2 days | Signed agreements, scope document |
| Reconnaissance | 1-2 days | Asset inventory, attack surface map |
| Scanning & Enumeration | 2-3 days | Vulnerability list, service inventory |
| Exploitation | 3-5 days | Proof of concepts, access documentation |
| Post-Exploitation | 1-2 days | Escalation paths, impact assessment |
| Reporting | 2-3 days | Final report, executive summary |
| Total | 10-17 days | Complete assessment package |
📖 External Resources
- PTES Pre-Engagement Guide: Industry-standard pre-engagement methodology
- OWASP Testing Guide: Comprehensive web security testing methodology
- SANS PTES Poster: Quick reference for penetration testing phases
- NIST SP 800-115: Technical guide for security testing and assessment