Penetration Test Scoping Checklist

Engage a leader in penetration testing to ensure your business is protected against security threats.

Use this secure form to request a penetration testing estimate from our team.

Learn More
Dots Women performing penetration testing

Our aim is to identify weaknesses in your security system – before hackers do. Taking advantage of security issues is a known way for hackers to attempt to access your systems. Vectra will find these weaknesses to ensure hackers don’t have access to your data.

The following checklist is intended to gather the information required to scope a Penetration Test of infrastructure and/or applications.

Security Notice: This data is securely stored on an internal web server, which is protected by a secure firewall, and monitored by our SOC. It is only accessible by approved Vectra staff members.

Penetration Testing Quote


Is PCI DSS the driver for this Penetration Test? (Specific testing is required for PCI DSS compliance)


A Vulnerability Assessment involves the identification of potential vulnerabilities in systems and applications using both automated tools and manual testing. A Penetration Test starts with a Vulnerability Assessment but also includes validation of vulnerabilities by attempting to exploit them with further manual testing. Penetration Testing provides a more thorough test of systems and applications. (For PCI DSS compliance – Annual Internal and External Penetration Testing is required as well as quarterly Internal Vulnerability Scanning and quarterly ASV (external) scanning.)
Is testing to be performed against infrastructure, applications or both? Both will provide the highest level of security validation. (For PCI DSS compliance – Both are required)
Is testing to be performed against external systems which are internet accessible or internal ­systems and applications on your internal network (accessed via a VPN or on-site) (For PCI DSS compliance – Both are required)
Validation of the effectiveness of internal network segmentation on internal firewall(s), where the internal network has multiple segments. (For PCI DSS compliance – This is required if segmentation in place to reduce PCI scope.)
A Black Box test is performed with no information regarding the environment provided, other than URLs and IP ranges. For White Box testing, details of the environment such as Network diagram, OS types, applications and logon details are provided. (For PCI DSS compliance – White Box is required.) (For PCI DSS compliance – This is required if segmentation in place to reduce PCI scope.)
Are Social Engineering tests required? Social engineering is attempting to exploit people to gain access to systems and applications. (Not required for PCI DSS)
Are Denial of Service tests required? Generally 'No' as DOS testing can impact systems, website performance and availability

Client Requirements

Do you have any constraints for start and/or completion dates?
Do you have a requirement that testing be performed outside normal working hours? Vulnerability Assessment and Penetration testing will not normally impact website performance or availability.
Is there to be an allowance made for re­testing of the system after remediation? (Generally "Yes" for PCI DSS)


If Internal testing is required, will access be provided via a VPN or is testing to be performed on­site?
What range of IP addresses are required to be tested?
How many hosts or devices are to be tested? (For PCI DSS compliance - all elements of the CDE to be covered so count all internet facing elements and all network security zones in the CDE. Count separately by external addresses and internal devices and network zones.)

Applications in Scope

Please list below the applications that are in scope for testing. For PCI DSS compliance, all applications that store, transmit or process cardholder data are in scope. Applications that access systems or databases storing cardholder data should also be tested. See the glossary below the applications forms for details of the different form areas.