Defining the scope of a penetration test is a delicate step. What will be the target of the pentest? More precisely, which functional and technical aspects should be tested as a priority? And how deep should the pentest go, and how often should it be repeated?

The aim of this white paper is to provide you with the information you need to define a pentest strategy. We have gathered the key elements from our discussions with around 200 client companies of all sizes and from all sectors of activity. Each element has to be analysed according to your business context. You will then be able to determine a scope for your future security audits.

In this white paper, we will see:

  • What needs to be audited?
    • Identifying the attack surface
    • Defining your priorities
    • Pentest strategy
    • Testing non-priority targets
  • How to audit the targets?
    • Black Box, Grey Box, White Box: Which approach?
    • How to estimate the time needed for a pentest?
    • Exhaustiveness and certification
    • Recurrence

Making these choices upstream will allow you to be more effective in your exchanges with the partner in charge of the pentest. However, discussion remains essential: it is by comparing your internal viewpoint with the external viewpoint of a specialised third party that you will reach the best choices and validate your security audit project.