For customers· 4 min read

Scope of Work: What Should Be Covered in Penetration Testing?

Understand penetration testing scope. Learn what should and shouldn't be tested, and how to define clear assessment boundaries.

Penetration testing reveals what attackers can actually access in your systems—not just what your security policies say should be protected. A vague scope leads to incomplete testing, missed vulnerabilities, and wasted budget. Knowing exactly what to demand from a pen test vendor is the difference between genuine security and false confidence.

Why Scope Matters in Penetration Testing

Your penetration testing scope is the contract between you and the security firm. It defines what systems, applications, networks, and user groups are fair game for testing. Without clear boundaries, testers may skip critical assets, test only surface-level infrastructure, or miss the vulnerabilities that matter most to your business. A well-defined scope also protects both parties: it prevents scope creep that inflates costs and ensures the testing team knows legal and technical limits before they begin.

Key Areas to Include in Your Scope

Network Infrastructure Specify whether internal networks, external-facing systems, cloud environments (AWS, Azure, GCP), or all three should be tested. Include VPNs, firewalls, and load balancers. If you run hybrid infrastructure, be explicit: "Test production AWS VPCs and on-premises data center networks, but exclude development environments."

Applications and Web Services List every application by name and URL. Distinguish between critical business applications and lower-risk systems. For example: "Test our customer-facing web portal, mobile API, and internal HR system, but exclude the legacy billing system scheduled for retirement." Include third-party integrations and APIs your application depends on.

Databases and Data Storage Clarify which databases should be tested. Most scopes include production databases, but you'll need to decide on test databases containing masked production data. Cloud storage buckets, file shares, and backup systems should be explicitly included or excluded.

User Groups and Authentication Define which user roles the testers should attempt to compromise: unauthenticated users, standard employees, admin accounts, contractors, or all of the above. Authentication method matters—test SAML, OAuth, multi-factor authentication, and legacy username/password systems separately if they coexist.

Physical Security (If Applicable) If your business requires it, state whether testers can attempt physical access to data centers, office buildings, or equipment. This includes social engineering, badge cloning, or dumpster diving for credentials.

Testing Methodology and Depth

Specify your testing approach:

  • Black-box testing: Testers have no prior knowledge of your systems (most realistic for external threats)
  • White-box testing: Testers receive architecture diagrams, source code, and documentation (finds deeper vulnerabilities)
  • Gray-box testing: Testers get limited information like valid user credentials (hybrid approach, often the most practical)

Also define testing intensity. A basic scan of web applications might cost $3,000–$8,000 and take 1–2 weeks. A comprehensive infrastructure test covering networks, applications, and physical security typically runs $15,000–$50,000 over 4–8 weeks. High-risk industries (finance, healthcare) often budget $50,000–$150,000 for full annual assessments.

Rules of Engagement and Restrictions

Your scope must include what testers cannot do, even if it would find vulnerabilities:

  • No testing on specific dates (maintenance windows, peak business hours)
  • No denial-of-service attacks or resource exhaustion unless explicitly authorized
  • No data exfiltration beyond proof-of-concept screenshots
  • No testing of third-party systems without explicit written permission
  • Exclusion of HIPAA-covered data, payment card data, or personal information they shouldn't access

Clearly state whether testers can attempt to crack passwords, modify data, or create backdoors—even temporarily. These actions find real weaknesses but carry operational risk if not carefully controlled.

Remediation and Reporting Expectations

Define what happens after testing. Will the vendor provide:

  • A single final report or interim findings during testing?
  • Executive summary plus technical detail?
  • Severity ratings (CVSS scores)?
  • Remediation guidance for each finding?
  • Re-testing after you patch vulnerabilities?

Many firms charge $2,000–$5,000 for follow-up testing to verify fixes. Budget for this upfront.

Timeline and Availability

Specify your preferred testing window. Most vendors book 2–4 weeks in advance. If you need testing during normal business hours, confirm the vendor can work with your IT team without disrupting production. After-hours or weekend testing usually costs 20–30% more.

Getting Help With Scope Definition

If you're unsure what to include, start by mapping your critical assets: what systems store customer data, process transactions, or support core operations? Those belong in your scope. You can compare detailed proposals from multiple vendors on platforms like Mercoly, which helps you find and evaluate penetration testing providers side-by-side—a shortcut to understanding what different firms actually deliver for your budget.

Frequently Asked Questions

Q: Should we include third-party vendors and SaaS platforms in our pen test scope? You should test your integration points and configurations, but you can't legally test a vendor's infrastructure without their permission; instead, request their own pen test reports or security certifications (SOC 2, ISO 27001).

Q: How often should we update our scope? Review and update your scope annually or whenever you add significant new systems, migrate to the cloud, or change authentication methods.

Q: Can we reduce costs by limiting scope to just web applications? Yes, application-only testing costs 40–60% less than full infrastructure testing, but you'll miss network vulnerabilities and insider threats—balance cost against your actual risk tolerance.

Use Mercoly to compare quotes from vetted penetration testing vendors and find the right scope and budget for your organization.

Looking for Penetration Testing & Vulnerability Assessment?

Compare trusted Penetration Testing & Vulnerability Assessment providers on Mercoly — browse profiles, products, and services and reach out in one place.

Related articles

More in IT Services & Managed Support · Penetration Testing & Vulnerability Assessment