Pentest Scope: How to Determine the Testing Scope?

usd AG News, usd HeroLab

Pentests are one of the most effective security analysis methods to check the IT security level of a company and identify opportunities for sustainable improvements. In addition, proof of conducting a pentest is an important component of many compliance requirements, such as the PCI DSS. Some preparatory steps are necessary before the actual pentest can be conducted in order to guarantee that the analysis is optimally tailored to your company. In our series, we provide you with important information to consider when preparing for your pentest.

What is the pentest scope?

The pentest scope defines the environment to be tested, including all systems and applications involved. Important criteria for defining your scope are the need for protection, possible risks of compromise and the time allocated for the pentest.

1. Criterion: Need for protection and risk assessment

The need for protection of an IT asset (system landscapes or applications) is determined based on protection objectives and the data that is processed, stored and/or forwarded.

Protection objectives are special requirements for an IT asset that must be fulfilled. The three most important protection objectives are:

  • Confidentiality: No information is disclosed to unauthorized persons.
  • Integrity: Neither the data nor the underlying systems can be changed by unauthorized users.
  • Availability: The IT asset and stored data can always be accessed and used as intended.

You should also examine the risks associated with a compromise or violation of the protection objectives. Ideally, a company maintains an inventory list of its IT assets in which the assets are classified according to their protection objectives. Using this list, the pentest scope can be determined more quickly.

2. Criterion: Attack scenarios, analysis approach and depth of testing

Possible attack scenarios should be based on protection needs and risk assessments. You should examine which type of attacker (e.g. a person with access to the system) can reach or possibly compromise an IT asset, and in what manner. Together, the protection requirements, the risk assessment and the selected attack scenarios yield an appropriate analysis approach that represents the motivation and means of an attacker.

The depth of testing determines the extent and intensity of the analysis of an IT asset. The appropriate depth of testing should always be selected depending on the defined protection requirements and the risk. Consequently, an asset with a very high protection requirement and a high risk should be tested more intensively than an asset with a low protection requirement and a low risk.

3. Criterion: Available timeframe

Since the testing scope can be defined relatively broadly, the time allocated for the analysis is an important criterion for determining the scope. If there is only a short time frame available for the analysis, the focus should always be on reviewing the IT assets with the greatest protection need. The scope is therefore always dependent on the time allocated. 

For very large system landscapes or a greater number of identically structured applications, “sampling” of the IT assets to be tested can be useful. In such a sampling process, identical IT assets that are likely to have similar vulnerabilities are identified. A relevant sample for the pentest can be chosen from the list of identical IT assets, which significantly reduces the time required.
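The three criteria can be applied mechanically to an asset inventory. The following Python sketch is an added example, not a usd HeroLab tool: it samples identically structured assets, ranks the rest by protection need and risk, and fills the available time. The 1 to 3 rating scale, the "highest objective wins" rule, the depth thresholds, the effort estimates and the inventory itself are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    template: str  # assets sharing a template count as identically structured
    c: int         # confidentiality, 1 (low) to 3 (very high); assumed scale
    i: int         # integrity, same scale
    a: int         # availability, same scale
    risk: int      # risk of compromise, 1 to 3
    days: int      # estimated test effort in days (assumed estimate)

    @property
    def need(self):
        # Assumption: the highest of the three objectives sets the protection need.
        return max(self.c, self.i, self.a)

def rank(asset):
    # Highest protection need first, then highest risk, then name for stable order.
    return (-asset.need, -asset.risk, asset.name)

def depth(asset):
    # Assumed thresholds: higher need and risk call for more intensive testing.
    score = asset.need + asset.risk
    return "intensive" if score >= 5 else "standard" if score >= 4 else "basic"

def plan_scope(assets, budget_days, sample_size=1):
    groups = {}
    for asset in assets:
        groups.setdefault(asset.template, []).append(asset)
    candidates, sampled_out = [], []
    for members in groups.values():  # sampling: keep a few assets per template
        members.sort(key=rank)
        candidates += members[:sample_size]
        sampled_out += members[sample_size:]
    in_scope, deferred, remaining = [], [], budget_days
    for asset in sorted(candidates, key=rank):  # spend time on top ranks first
        if asset.days <= remaining:
            in_scope.append(asset)
            remaining -= asset.days
        else:
            deferred.append(asset)
    return in_scope, deferred, sampled_out

INVENTORY = [  # constructed sample inventory, not real systems
    Asset("payment-api", "payment-api", 3, 3, 3, 3, 5),
    Asset("customer-portal", "portal", 3, 2, 2, 2, 4),
    Asset("branch-web-01", "branch-web", 2, 2, 1, 2, 2),
    Asset("branch-web-02", "branch-web", 2, 2, 1, 2, 2),
    Asset("branch-web-03", "branch-web", 2, 2, 1, 2, 2),
    Asset("intranet-wiki", "wiki", 1, 1, 1, 1, 2),
    Asset("hr-system", "hr", 3, 2, 1, 1, 3),
]
```

With a budget of 12 days, `plan_scope(INVENTORY, 12)` returns the three assets with the highest protection need as in scope, defers the rest of the sample, and lists the two branch web servers that the sample represents.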


Do you need assistance with the planning, implementation or post-processing of your pentests? Businesses worldwide rely on usd HeroLab’s highly trained team to identify gateways for attackers and demonstrate ways to sustainably improve their IT security. We are happy to assist you with all your requirements.

Contact us, we will be happy to discuss your options.