Security Guide

Questions to ask before a pentest

A good pentest does not start with tools, but with clear questions. Clear scope, goals, and expectations save time, prevent misunderstandings, and lead to reliable results.

From practice: most delays come from unclear test windows, missing access, and mixed expectations around reporting and re-tests.


Summary

Scope

Which systems, access paths, and boundaries apply?

Method

How will testing, documentation, and prioritization be handled?

Framework

Rights, RoE, test windows, and points of contact.


When is a pentest needed?

  • before go-live, audits, or certification
  • after major architecture changes
  • with external access and sensitive data
  • when risks are no longer assessable

Signals & risks

  • Unclear attack surface: no one can say what is reachable from the outside.

  • Rapid growth: new systems, roles, and dependencies.

  • Incidents: recurring alerts or real incidents.

  • Regulatory: customer or audit requirements demand evidence.


Preparation: the key questions

Scope & goals

  • Which systems and assets are in scope?
  • Which access paths (external, internal, VPN, cloud)?
  • Which goals are critical (data, processes)?
  • Which areas are explicitly excluded?

Method & deliverables

  • Which method is used (OWASP, PTES, ASVS)?
  • Are PoCs and reproduction steps documented?
  • Is there an executive summary and prioritization?
  • Is a re-test planned?

Rights & RoE

  • Which test windows apply (prod vs staging)?
  • What are the stop criteria?
  • Is an NDA/DPA required?
  • Who approves critical tests?

Organization

  • Are test accounts or staging access available?
  • Who is the technical point of contact?
  • How does debrief/reporting work?
  • How are findings prioritized internally?

Roles to involve early

Security, engineering/operations, product, legal/privacy, and optionally compliance. This reduces back-and-forth on access, RoE, and data flows.


Decisions to make beforehand

  • Depth vs breadth: a few systems deep, or many systems shallow?

  • Technical focus: web, network, cloud, or combined?

  • Remediation: who will fix findings, and within what timeframe?

Scope note

This checklist helps you prepare for a pentest. It does not replace legal advice, red teaming, or a compliance assessment.


Next step

Briefly describe your scope. We help with scoping and selecting the right providers. Note: we advise on preparation and selection, but do not run tests.