Penetration Testing Scope

How do you determine the scope of a penetration test?

Guidance on best practice scoping and the key pitfalls to avoid

The objectives of penetration testing are to provide a level of assurance to match the risk profile (including any compliance requirements) for your organisation, whilst also providing a good ROI. How well your chosen penetration testing provider scopes your penetration test will determine the success of this balance. In this blog article, we describe 3 common variables affecting the scope and cost penetration testing services and the key pitfalls to avoid.

Scoping takes place during the (generally free) initial project scoping phase of a penetration testing engagement. During this phase, a penetration testing expert will ask questions to understand your organisation’s aims and objectives (e.g. achieving compliance) and research the attack surface to be tested to develop a customised test plan and quote. There is no universal price or timeframe for a penetration test, in fact, if you are presented with either it should serve as a red flag not to proceed with that provider.

Generally, scoping errors can go one of two ways, both of which are bad news for clients.

Underquoting: If the provider underquotes, they will be under pressure to make up time and may cut corners – or, perhaps, their pricing model relies heavily on automated scanning tools, resulting in a poorer quality service.

Overquoting: Inexperienced providers may overquote to incorporate scoping errors and the cost of testing tools or the provider’s standard rates may be aimed at large clients with complex testing needs, resulting in inflated costs.

What can affect the scope (and cost) of a penetration test?

The following common variables will affect the scope and cost of penetration testing services:

  1. Pricing methodology: Target count vs measuring the attack surface
  2. Size and complexity of the project
  3. Size and specialisation of the penetration testing provider


1. Pricing methodology: Target count vs measuring the attack surface

The most accurate methodology, offering the best Return on Investment (ROI) for clients, is to measure the attack surface – the sum of potential attack vectors (any parameter that can be attacked) in the environment/app to be tested. This approach ensures that sufficient time is allocated to focus on each attack vector and will deliver comprehensive results for the best value.

A target-count pricing methodology (price per IP address or price per page/click) can only provide a rough order of magnitude and shouldn’t be relied upon in isolation or it will likely result in a poorer ROI; with clients potentially overpaying on targets with no/a low attack surface and/or penetration testing providers relying heavily on automated vulnerability scanning on occasions where they find they have underquoted.

2. Size and complexity of the project

The size and complexity of the attack surface is calculated and translated into number of hours/days/weeks of work. The larger and more complex a project, the higher the cost. This takes into consideration any special requirements, e.g. testing outside of normal working hours, onsite, in a production environment and on third party infrastructure, e.g. cloud services. The approach and tools used will also impact the scope and cost. For example, a black box test would likely have a longer reconnaissance phase than a white box test and would be likely to cost more.

An experienced penetration test provider can help their client to develop a risk assessment to identify and focus on defending critical assets.

If the initial scope of a project appears too large and costly, an experienced penetration test provider can help their client to develop a risk assessment to identify and focus on defending critical assets. For example, for PCI DSS compliance – reducing the number of systems connected to, or within the same network segment as, the cardholder data environment will descope a large environment from compliance requirements and keep risk and the cost of achieving and maintaining compliance down.

3. Size and specialisation of the penetration testing provider

Clients may aim to ensure the quality of their penetration testing services by engaging large cybersecurity consultancies or their regular large IT outsourced partner, who has a penetration testing offering. This can be problematic. Large consultancies tend to predominantly work with enterprise clients on complex projects attracting higher daily rates. If your organisation does not meet this profile – e.g. a SME with straightforward testing requirements – it may be more cost effective to source a provider who also services smaller organisations; or it could be akin to hiring a barrister to challenge a parking fine. It is also best practice to engage a provider who is independent from your day-to-day IT operations who can look at your organisation’s IT environment from an outsider’s perspective.

At the other end of the scale, a markedly low quoted price may be indicative of a lack of industry accreditation and/or poor project scoping. The industry has defined minimum standards for providers who have the capability and skills to conduct penetration testing activities. The key requirement for assessing a providers’ capability is the CREST designation. If the provider is not a CREST accredited penetration testing firm, they have not demonstrated the knowledge, skills and understanding to be trusted with your testing activities.

A CREST certified provider that specialises in, and conducts numerous, penetration tests will have the most accurate scoping capabilities to provide you with the best balance of quality service at a competitive price. They will offer you a broad range of penetration testing services and have the latest tools and techniques, plus the ability to author their own custom tools – to give you the best value. They will have numerous multi-certified, experienced penetration testing consultants with preapproved security clearance and will have a process to deliver your penetration testing project as efficiently and cost effectively as possible. And this accumulated knowledge and experience will also provide you with a detailed penetration testing report with valuable insights into remediation actions.

It’s worth taking the time to research and select a proven, reputable penetration testing provider and then to commit to conducting regular testing. This will not only provide the best level of security for your organisation but also deliver the best ROI.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >>  In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.

Penetration Testing Complete Guide

Questions & More Information 

Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.