Episode 49: Scoping Offensive Security Engagements

In this episode, Brad and Spencer discuss the nuances of scoping offensive security engagements. Scoping an engagement means defining its objectives, rules, boundaries, and limitations before testing starts, and it also covers legal considerations, timeframe, reporting, approval, and sign-off. Scoping matters for clarity, risk management, compliance, stakeholder involvement, and setting expectations.

Introduction to Scoping Offensive Security Engagements

Section Overview: In this section, the hosts introduce the topic of scoping offensive security engagements and highlight its importance in determining what can be tested, when it can be tested, and how it can be tested.

What is Scoping?

  • Scoping involves defining the parameters of an offensive security engagement.
  • It includes determining what will be tested, the testing methods, and the allowed resources.
  • Scoping also involves setting objectives, boundaries, limitations, risk tolerance, compliance requirements, and reporting.

Importance of User Education

  • Scoping is not only about technical aspects but also serves as a user education process.
  • There may be a disparity in knowledge between those involved in scoping.
  • It is essential to educate users on the process and manage their expectations.

Outcomes of Scoping

  • The end result of scoping determines the cost and duration of an engagement.
  • Testing everything necessary while being mindful of budgets and resources is crucial.

Metrics for Scoping

  • Traditional metrics for scoping include the number of systems or IP addresses to test.
  • However, with cloud services and multiple domains associated with email accounts, these metrics are becoming less relevant.

04:21 Specific Metrics for Scoping Offensive Security Engagements

Section Overview: This section discusses specific metrics used in scoping offensive security engagements and highlights how traditional metrics may no longer accurately represent the scale of testing required.

Evolving Metrics for Scoping

  • Traditional metrics like number of systems or IP addresses are becoming less relevant due to cloud services and multiple domains associated with email accounts. For example, having an M365 email account automatically generates five domains that need to be considered for testing.
  • Perception of scale can still be useful but needs to be supplemented with other metrics.

Cloud services play a significant role in scoping external engagements, considering the various platforms and applications used by organizations.

Importance of Comprehensive Scoping

  • It is crucial to ensure that scoping captures all necessary testing areas and factors in the cost and duration of the engagement.

05:18 Conclusion

Section Overview: The hosts conclude the discussion on scoping offensive security engagements, emphasizing the importance of adapting metrics to reflect evolving technologies and ensuring comprehensive scoping for effective testing.

Key Takeaways

  • Scoping involves defining parameters, objectives, boundaries, limitations, risk tolerance, compliance requirements, and reporting for offensive security engagements.
  • User education is an essential aspect of scoping to manage expectations and bridge knowledge gaps.
  • Traditional metrics like number of systems or IP addresses may no longer accurately represent the scale of testing required due to cloud services and multiple domains associated with email accounts.
  • Comprehensive scoping ensures all necessary areas are tested while considering budgetary constraints.

06:00 External Attack Surface and Testing Third Parties

Section Overview: The speaker discusses the challenges of testing external attack surfaces and third-party systems in penetration testing.

External Attack Surface

  • Organizations need to identify what can be accessed by unauthenticated individuals from the internet.
  • Testing third-party systems is unique in the external penetration testing space.
  • While not attempting to hack into Salesforce, penetration testers examine Salesforce authentication configuration, SSO handling, and MFA enablement.

Identifying Cloud Resources

  • Many organizations struggle to identify all the cloud resources they use.
  • Shadow IT complicates this process as users can sign up for services like Zoom using their Microsoft accounts.
  • Checking app registrations in Microsoft Entra ID (formerly Azure AD) can help discover third-party applications that users have connected to their accounts.
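One way to turn that check into a scoping input, as an added example that is not from the podcast or its hosts: list the third-party (multi-tenant) apps present in the tenant together with who consented to them. It assumes the Microsoft Graph PowerShell SDK is installed and a read-only account with the Application.Read.All and Directory.Read.All scopes; nothing in the tenant is modified.

```powershell
# Added example: inventory third-party apps in Entra ID as a starting point for
# the external scoping conversation (shadow IT discovery). Read-only.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# A service principal whose owning organization is not our tenant belongs to an
# app published elsewhere. Microsoft's own first-party services also appear here
# (their owner is Microsoft's tenant), so treat the result as a list to review.
$thirdParty = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AppOwnerOrganizationId,ServicePrincipalType |
    Where-Object {
        $_.ServicePrincipalType -eq 'Application' -and
        $_.AppOwnerOrganizationId -and
        $_.AppOwnerOrganizationId -ne $tenantId
    }

# Delegated permission grants record who consented: ConsentType 'Principal' is a
# single user's consent (the Zoom-with-a-Microsoft-account case), 'AllPrincipals'
# is tenant-wide admin consent. Scope lists what the app may do on their behalf.
$grants   = Get-MgOauth2PermissionGrant -All
$byClient = $grants | Group-Object -Property ClientId -AsHashTable -AsString

$thirdParty | ForEach-Object {
    $g = @($byClient[$_.Id])
    [pscustomobject]@{
        App          = $_.DisplayName
        AppId        = $_.AppId
        UserConsents = @($g | Where-Object ConsentType -eq 'Principal').Count
        AdminConsent = [bool]($g | Where-Object ConsentType -eq 'AllPrincipals')
        Scopes       = (($g.Scope -join ' ') -split ' ' | Where-Object { $_ } | Sort-Object -Unique) -join ' '
    }
} | Sort-Object UserConsents -Descending | Format-Table -AutoSize
```

Apps with many individual user consents and broad scopes (mail or files access, for instance) are the ones to raise in the scoping call, since they are the third-party systems the organization may not know it depends on.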

Difficulty for Smaller Organizations

  • Smaller organizations without a dedicated person managing cloud resources find it challenging to gather information about their systems.
  • Lack of awareness about what is being used makes scoping difficult.

08:35 Scoping Considerations for Internal Penetration Tests

Section Overview: The speaker highlights important factors to consider when scoping internal penetration tests, including domain and forest configurations and on-premises Active Directory environments.

On-Premises Infrastructure

  • Scoping internal pen tests requires understanding the organization’s infrastructure.
  • Cloud-based organizations with no on-premises Active Directory environment present different challenges for internal pen tests.
  • Understanding the infrastructure helps determine the scope of testing required.

Blurring Lines Between Internal and External Tests

  • The distinction between internal and external tests is becoming blurred due to increasing reliance on cloud services.
  • A case study involving five separate domains with no connection between them demonstrates this challenge.
  • Separate physical locations impact scoping discussions and may require additional time for testing.

09:49 Challenges of Implementing Zero Trust Model

Section Overview: The speaker discusses the challenges of implementing a zero trust model and how it affects penetration testing.

Zero Trust Model Implementation

  • Organizations are moving towards a zero trust model, but often only implement certain components without the entire model.
  • Partial implementation can eliminate controls around the perimeter, creating vulnerabilities.
  • Balancing the desire for clear scoping with the evolving nature of pen tests is challenging.

10:43 Considerations for Multiple Locations in Internal Penetration Tests

Section Overview: The speaker highlights considerations when conducting internal penetration tests across multiple physical locations.

Multiple Physical Locations

  • Testing multiple physical locations presents unique challenges.
  • Separate domains and no connection between locations require separate pen tests for each location.
  • Scoping discussions need to account for these factors and may take longer than expected.

11:40

Section Overview: In this section, the speaker discusses the impact of the pandemic on the traditional hub-and-spoke network model, as well as the importance of compliance requirements and segmentation in internal pen tests.

Impact of the Pandemic on Hub-and-Spoke Networks

  • The pandemic has had a significant impact on the traditional hub-and-spoke network model.
  • This change is expected to continue; the speaker believes the shift is not going away anytime soon.

Compliance Requirements and Segmentation in Internal Pen Tests

  • Organizations that need to comply with PCI requirements may require segmentation testing or validation of distinct environments.
  • Internal pen tests may involve discussions around segmentation.
  • Understanding client goals is crucial for scoping internal pen tests.
  • Goals can vary from finding vulnerabilities to focusing on specific areas or targets.
  • Scoping arrangements should consider client goals and expectations.

13:31

Section Overview: In this section, the speaker emphasizes the importance of understanding client goals when performing or receiving penetration tests. They also discuss how different types of penetration tests may have varying levels of goal specificity.

Importance of Client Goals in Penetration Testing

  • Understanding client goals is essential regardless of one’s role in the process.
  • Different clients may have a wide range of goals for penetration testing engagements.
  • For external and web app pen tests, goals are usually straightforward (e.g., identifying issues).
  • However, it’s important to clarify expectations to avoid misunderstandings (e.g., unrelated requests like testing building locks).

Meeting Client Expectations

  • It’s crucial to meet client expectations and exceed them during engagement delivery, reporting, and debriefing.
  • Each engagement should provide value aligned with client goals.
  • Some clients may prioritize compliance checkboxes while others seek comprehensive testing.

14:51

Section Overview: In this section, the speaker highlights the importance of being service-oriented and meeting client expectations in penetration testing. They also discuss how personal biases and competition can sometimes overshadow the ultimate goal of client satisfaction.

Being Service-Oriented in Penetration Testing

  • The primary goal of a service-oriented organization is to provide value and meet client expectations.
  • It’s important to remember this even when getting caught up in the technical aspects of pen testing.
  • Personal biases and a competitive mindset should not overshadow client satisfaction.

15:50

Section Overview: In this section, the speaker discusses the unique challenges associated with scoping mobile penetration tests. They mention issues related to app ownership, coding standards, and obtaining necessary files for testing.

Challenges in Scoping Mobile Penetration Tests

  • Mobile penetration tests present unique challenges due to app ownership complexities.
  • The person who branded the app may not be its original developer.
  • Many organizations overseas produce mobile apps quickly but may not follow good coding standards.
  • Obtaining the mobile binary file (IPA or APK) is crucial for effective mobile pen testing.

17:07

Section Overview: In this section, the speaker discusses the importance of scoping and communication in penetration testing engagements. They highlight the need for clear contract language regarding app vendors providing copies of binaries and fixing issues. The speaker also emphasizes the significance of scoping third-party dependencies and understanding the limitations of different types of tests.

Scoping Mobile App Pen Tests

  • It is crucial to have clear contract language with app vendors regarding providing copies of binaries and fixing issues.
  • Without proper contract language, clients may need to sign another contract and pay again to fix security issues identified during pen testing.
  • Lesson learned: Include provisions in contracts that developers will fix issues and be responsive to penetration test process needs.

Third-Party Dependencies

  • Third-party dependencies are common in software development.
  • The extent to which these dependencies are scoped depends on how far up or down the chain they are.
  • Clear communication is necessary to define what is included in testing and what remains untested.

API Testing vs Mobile App Testing

  • Mobile apps often have an API behind them.
  • In a mobile pen test, the focus is on enumerating details about the API without testing it extensively.
  • An API pen test requires a different skill set, as APIs can have many endpoints.

Understanding Scope Changes

  • Scope changes can occur during engagements, even quickly.
  • Regular communication with clients throughout the engagement helps address scope changes effectively.
  • Dialogues with clients about scope changes help determine if additional time or resources are needed for testing.

Importance of Thorough Scoping

  • Time-limited engagements require thorough scoping to ensure a complete penetration test within the given timeframe.
  • Poor scoping or inadequate information from the client may result in finding more issues than can be addressed within the allocated time.
  • Thorough scoping and effective communication with clients are essential for successful penetration testing engagements.

Communication with Clients

  • Daily communication with clients during penetration testing engagements is critical.
  • Regular emails, phone calls, or other forms of communication help maintain close contact and address any scope changes promptly.
  • Clients should insist on regular communication throughout the entire process to ensure a successful engagement.

22:20 Importance of Scoping in Penetration Testing

Section Overview: The importance of scoping in penetration testing is discussed, emphasizing the need for clear expectations and thorough testing.

Scoping and Expectations

  • When engaging a pen tester, it is crucial to provide all relevant information and expectations.
  • Testers may assume they are expected to test everything possible.
  • Overlooking or not finding one thing can be the way an attacker gains access.
  • Clear scoping helps set expectations and avoid misunderstandings.

Backstopping Failure

  • Pen testers try to backstop potential failures by conducting DNS enumeration and open-source intelligence (OSINT) research.
  • However, if company domains are common (e.g., ABC), it becomes challenging to attribute resources found during testing.
  • Clients should be open and forthcoming with information so that testers can identify all areas that need examination.

24:04 Understanding Purple Teaming

Section Overview: The concept of purple teaming is explained, highlighting its cooperative nature between red and blue teams.

Purple Teaming Engagement

  • Purple teaming involves an interactive cooperative engagement between red and blue teams.
  • Techniques are tested collaboratively, with the goal of detecting them effectively.
  • Proper scoping is essential in determining which techniques will be tested and the parameters for success.

Metrics for Success

  • Scoping a purple team engagement includes considering metrics such as logging alerts, severity levels, and response times.
  • Without proper scoping, engagements may lack direction or value for both clients and testers/analysts.

26:32 Tailoring Purple Team Engagements

Section Overview: Tailoring purple team engagements based on client needs and understanding their environment is crucial for success.

Meeting Client Requirements

  • To ensure successful purple team engagements, it is important to have detailed conversations with clients.
  • Assumed-breach internal pen tests and purple team engagements require discussions with IT personnel for proper setup.
  • Understanding telemetry sources and industry-specific considerations is vital for effective scoping.

Importance of Scoping

  • Scoping discussions tie into the success of purple team engagements.
  • Going into an engagement without a plan or understanding can lead to ineffective testing and limited value for clients.
  • Tailoring techniques and approaches based on scoping ensures meaningful results.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com