White Paper
How to define the scope of a pentest?
We give you the keys to define your pentest strategy

Defining the scope of a pentest is a delicate step. What will be the target of the pentest? Which functional and technical aspects should be tested first? What depth and frequency of testing is recommended?
The objective of this white paper is to provide you with the elements you need to define a pentest strategy suited to the challenges of your industry, your organisation, and your systems and applications.
We have gathered these key elements from our discussions with around 200 client companies of all sizes and from all sectors of activity. Each element has to be analysed according to your business context. You will then be able to determine a scope for your future security audits.
Making choices upstream will allow you to be more effective in your exchanges with the partner in charge of the pentest. However, discussion remains essential: it is by confronting your internal viewpoint with the external viewpoint of a specialised third party that you will reach the best choices and validate your security audit project.

How to define the scope?
In this white paper, we will see:
- What needs to be audited?
- Identifying the attack surface
- Defining your priorities
- Pentest strategy
- Testing non-priority targets
- How to audit the targets?
- Black Box, Grey Box, White Box: Which approach?
- How to estimate the time needed for a pentest?
- Exhaustivity and certification
- Recurring tests
Vaadata, a company specialized in offensive security
Vaadata is a French company dedicated to penetration testing and red teaming services.
Vaadata offers black box, grey box, and white box pentesting services on the following scopes: web, mobile, IoT, internal networks and Active Directory, and social engineering.
We work for more than 600 clients in Europe and North America. Among them: Credit Agricole Bank, Heineken, Esker, Dext, Malt, Friendsurance…
Vaadata is CREST accredited for penetration testing and ISO 27001/27701 certified. Our technical team holds many technical certifications, such as OSCP, OSWE, BSCP, AWS Certified Security, CBBH, CAWASP, CRTP, CRTE, CRTM, RTO and CISSP.