Scope is probably the most important issue when planning a penetration test. The test may vary greatly depending on whether the client wants all of their systems covered or only a portion of them. It is important to get a feel for the types of systems within scope to properly price out the effort. The following is a list of good questions to ask the client (particularly in a white box testing scenario):
• What is the number of network devices that are in scope?
• What types of network devices are in scope?
• What are the known operating systems that are in scope?
• What are the known websites that are in scope?
• What is the length of the evaluation?
• What locations are in scope?