What is scope in penetration testing?

Scope defines what systems, accounts, networks, dates, and techniques are included or excluded from a penetration test.

Simple example

A client authorises testing of one public website but excludes payment systems and third-party platforms.

Why it matters

Clear scope protects both the client and the tester, and helps keep testing safe and useful.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Define targets, dates, and exclusions in writing.
  • Confirm ownership and authorisation.
  • Agree testing windows and contact points.
  • Identify sensitive systems before testing.
  • Record rules of engagement.

Reactive steps

  • Pause testing if activity may be outside scope.
  • Confirm authorisation before continuing.
  • Document what happened and who approved decisions.
  • Update scope if business needs change.
  • Preserve communication records.
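The proactive and reactive steps above can be backed by a simple scope gate: the written rules of engagement (targets, exclusions, testing window, approver) are loaded into a structure, and every candidate target is checked against it before work proceeds, with each decision logged. The Python below is an added example for this page, not Cyber Doc's own tooling; the hostnames, address ranges, dates and approver name are constructed sample data, and the wildcard form `*.suffix` for hostnames is an assumption about how a scope document might be written.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network


@dataclass
class Scope:
    """Machine-readable form of the written rules of engagement."""
    targets: list        # hostnames, '*.suffix' patterns, or IP networks
    exclusions: list     # same forms; an exclusion always wins over a target
    window_start: datetime
    window_end: datetime
    approved_by: str


def _parse_entry(entry: str):
    """One scope line becomes an IP network or a lowercase hostname pattern."""
    try:
        return ip_network(entry, strict=False)   # '203.0.113.5' becomes a /32
    except ValueError:
        return entry.lower()                      # hostname or '*.suffix'


def load_scope(doc: dict) -> Scope:
    """Build a Scope from a dict mirroring the signed scope document."""
    return Scope(
        targets=[_parse_entry(e) for e in doc["targets"]],
        exclusions=[_parse_entry(e) for e in doc["exclusions"]],
        window_start=datetime.fromisoformat(doc["window_start"]),
        window_end=datetime.fromisoformat(doc["window_end"]),
        approved_by=doc["approved_by"],
    )


def _matches(entry, target: str) -> bool:
    """Does one scope entry cover this target (hostname or IP)?"""
    if isinstance(entry, (IPv4Network, IPv6Network)):
        try:
            return ip_address(target) in entry
        except ValueError:
            return False                          # hostnames never match a network
    target = target.lower()
    if entry.startswith("*."):
        return target == entry[2:] or target.endswith(entry[1:])
    return target == entry


def check_target(scope: Scope, target: str, when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Exclusions first, then the window, then targets."""
    for entry in scope.exclusions:
        if _matches(entry, target):
            return False, f"{target} is explicitly excluded by '{entry}'"
    if not (scope.window_start <= when <= scope.window_end):
        return False, f"{when.isoformat()} is outside the agreed testing window"
    for entry in scope.targets:
        if _matches(entry, target):
            return True, f"{target} matches in-scope entry '{entry}'"
    return False, f"{target} is not listed in scope; pause and confirm authorisation"


def log_decision(log: list, scope: Scope, target: str, when: datetime,
                 decided_by: str) -> bool:
    """Record who decided what, so the engagement has an auditable trail."""
    allowed, reason = check_target(scope, target, when)
    log.append({"target": target, "at": when.isoformat(), "allowed": allowed,
                "reason": reason, "decided_by": decided_by,
                "scope_approved_by": scope.approved_by})
    return allowed


# Constructed sample scope: one public site is authorised, payment and
# third-party systems are excluded, matching the page's simple example.
SAMPLE_SCOPE_DOC = {
    "targets": ["www.example.com", "*.app.example.com", "203.0.113.0/24"],
    "exclusions": ["payments.app.example.com", "203.0.113.5",
                   "*.thirdparty.example.net"],
    "window_start": "2024-03-04T09:00:00+00:00",
    "window_end": "2024-03-06T17:00:00+00:00",
    "approved_by": "Client security lead (constructed)",
}
SCOPE = load_scope(SAMPLE_SCOPE_DOC)
IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 3, 7, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    decisions: list = []
    for host in ["www.example.com", "payments.app.example.com",
                 "203.0.113.10", "unknown.example.com"]:
        log_decision(decisions, SCOPE, host, IN_WINDOW, "lead tester")
    for d in decisions:
        print(d["allowed"], d["reason"])
```

Exclusions are checked before anything else, so a host that is both under an in-scope wildcard and explicitly excluded (the payments system here) is refused, and a target that is simply absent from the document is refused with a prompt to confirm authorisation rather than silently allowed. If business needs change, the scope document is updated and reloaded; the decision log keeps the earlier answers and who made them.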

Related terms

  • Rules of engagement
  • Penetration testing
  • Authorisation