Pre-Engagement

What does the Pre-Engagement phase entail?

Before the hands-on penetration test begins, it’s crucial that both parties — the client company and the penetration testing team — align on the boundaries, goals, and legal requirements of the engagement. This page highlights what is typically covered during the pre-engagement phase, including the scope, rules, and logistics of the engagement.

  • Objectives and Methodology

    The first step in the pre-engagement phase is to clearly define the goals of the penetration test. The client usually specifies whether the test is aimed at assessing compliance with regulatory standards or conducting a vulnerability assessment. The details about the type of testing — for example, black-box or white-box penetration testing — are also included. Depending on the client's technical understanding, the methodology to be used, including the specific tactics for the test, is also discussed.

  • Scope of Work (SoW)

    The Scope of Work (SoW) is one of the most critical elements of the pre-engagement phase. It defines the boundaries of the test, specifying what will and won’t be tested. This ensures that both parties are on the same page and that the penetration test is conducted within the agreed-upon environment. Questions like whether internal networks, production databases, or specific IP address ranges will be tested are addressed. Proper scoping also helps prevent "scope creep" — the expansion of the engagement beyond what was initially agreed upon.

  • Rules of Engagement (RoE)

    The Rules of Engagement (RoE) establish the ground rules for the penetration test. This includes defining the testing timeline, specifying the location of the testing, and identifying the time windows during which testing will occur. The RoE also cover communication protocols, including primary and emergency contact information, as well as security controls (such as intrusion prevention or account lockout) that could potentially disrupt the testing. Additionally, the RoE specify the IP addresses or networks from which testing will originate, so the client can distinguish authorized test traffic from a real attack.

  • Non-Disclosure Agreement (NDA)

    During the engagement, sensitive information, such as system vulnerabilities, attack methods, and data, may be uncovered. To ensure that this information remains secure, a Non-Disclosure Agreement (NDA) is signed. The NDA ensures that the tester cannot disclose any confidential information found during the test to unauthorized parties, protecting both the client and the testing team.

  • Master Services Agreement (MSA)

    Although the Master Services Agreement (MSA) isn’t specific to the penetration test itself, it provides the legal framework for the entire relationship between the client and the testing team. The MSA outlines key aspects such as payment terms, liability, intellectual property rights, and the responsibilities of both parties. It ensures that both the client and the penetration testing team are clear about their respective obligations and legal responsibilities.