Mental Model
"The difference between a penetration tester and a criminal is a signed contract." β Industry Axiom
Professional security assessment begins not with technical tools but with precise agreements. The engagement charter transforms potentially illegal activity into authorized security work. Every boundary you define protects both your client and yourself while ensuring your findings will be actionable and defensible.
Learning Outcomes
By the end of this week, you will be able to:
- LO1: Analyze client requirements to define appropriate assessment scope and boundaries
- LO2: Identify legal and ethical considerations that constrain security testing activities
- LO3: Draft professional engagement documentation that protects all parties
- LO4: Establish communication protocols and escalation procedures for security engagements
- LO5: Evaluate organizational context to tailor assessment approach appropriately
π Building on Prior Knowledge
Your capstone integrates technical and governance skills from prior courses:
- CSY203 (Web Security): Methodology and testing patterns for application findings.
- CSY204 (SOC/IR): Incident response perspective for containment and reporting.
- CSY301 (Threat Intelligence): Actor context and threat-driven prioritization.
- CSY302 (Cloud Security): Cloud posture and misconfiguration review.
- CSY303 (GRC): Risk framing, compliance mapping, and executive reporting.
- CSY104 Week 11 (CVSS): Severity scoring for findings and remediation plans.
Introduction: Your First Client Engagement
Welcome to your capstone engagement. You've been hired by SecureFirst Consulting, a boutique security firm, and assigned your first major client: NovaTech Solutions. Before you touch a single tool or run your first scan, you must establish the professional framework that makes everything else possible.
This week mirrors what every security consultant does at engagement kickoff: understanding the client, defining boundaries, and documenting agreements. Skip this phase, and you risk legal exposure, scope creep, unusable findings, or damaged client relationships. Get it right, and you set the foundation for a successful assessment.
The Scenario
You received this email from your manager at SecureFirst Consulting:
Good news β we've been selected for the NovaTech security assessment. They're a growing SaaS company preparing for SOC 2 Type II and need a comprehensive review before their audit window opens.
I'm assigning you as lead consultant. Your first task is to work with their CISO, Marcus Webb, to scope the engagement and draft our charter. The kickoff call is scheduled for next week.
I've attached the client brief from our sales team. Review it thoroughly before the call. Remember: good scoping prevents 90% of engagement problems.
Let me know if you have questions.
β Sarah
1. Understanding Your Client: The NovaTech Brief
Effective scoping requires deep understanding of the client's business context. Security doesn't exist in a vacuumβit serves business objectives. Before defining technical scope, you must understand what NovaTech does, why they need this assessment, and what constraints shape their environment.
NovaTech Solutions β Client Brief
Company Overview
NovaTech Solutions provides enterprise workflow automation through their flagship product, WorkflowPro. Founded in 2018, they've grown from a startup to approximately 500 employees across three locations: headquarters in Austin, TX; engineering office in Portland, OR; and sales office in New York, NY.
Following a $45M Series C funding round, NovaTech is pursuing enterprise customers who require SOC 2 Type II attestation. Their board has mandated an independent security assessment before the SOC 2 audit window begins in Q3.
Organizational Structure
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β CEO: David Park β
ββββββββββββββββ¬βββββββββββββββ¬βββββββββββββββ¬ββββββββββββββββ€
β CTO β CFO β COO β CISO β
β Elena Torres β James Wright β Maria Santos β Marcus Webb β
ββββββββββββββββΌβββββββββββββββΌβββββββββββββββΌββββββββββββββββ€
β Engineering β Finance β Operations β Security β
β (~120 staff) β (~25 staff) β (~200 staff) β (~8 staff) β
ββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββ΄ββββββββββββββββ€
β Other: Sales (~80), Marketing (~40), HR/Admin (~27) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Key Stakeholder: Marcus Webb (CISO) is your primary point of contact. He reports directly to the CEO and has authority to approve assessment scope. Elena Torres (CTO) owns engineering systems and must approve any testing that could impact production.
Technical Environment Summary
Cloud Infrastructure (Primary):
- AWS (us-east-1, us-west-2) β Production and DR environments
- ~150 EC2 instances, RDS PostgreSQL, S3, Lambda functions
- EKS clusters for containerized microservices
- CloudFront CDN for static assets
On-Premises (Legacy):
- Austin HQ datacenter β file servers, Active Directory, legacy ERP
- ~40 physical/virtual servers running Windows Server and RHEL
- VPN connectivity between offices and cloud
SaaS Applications:
- Google Workspace (email, collaboration)
- Salesforce (CRM)
- Workday (HR/payroll)
- GitHub Enterprise (source code)
- Jira/Confluence (project management)
- Slack (internal communication)
WorkflowPro Platform:
- Multi-tenant SaaS application
- React frontend, Node.js/Python backend
- REST and GraphQL APIs
- ~2,500 enterprise customers
- Processes approximately 50M workflow executions/month
Compliance Context
- Current: SOC 2 Type I (obtained 8 months ago)
- Target: SOC 2 Type II (audit window Q3)
- Regulatory: GDPR (EU customers), CCPA (California customers)
- Contractual: Several enterprise prospects require annual penetration testing
Known Concerns (from Sales Discovery)
- Rapid growth has outpaced security team capacity
- Legacy on-prem systems not fully integrated with cloud security controls
- Recent employee turnover in IT operations
- No formal vulnerability management program currently
- Limited security logging and monitoring capabilities
Engagement Drivers
- Board mandate following Series C investment
- Enterprise sales pipeline blocked by security requirements
- Desire to identify and remediate issues before SOC 2 Type II audit
- CISO seeking independent validation to support budget requests
Think About It
Before reading further, consider: What aspects of this client brief would most influence your scoping decisions? What questions would you want answered before defining assessment boundaries?
2. The Purpose of Engagement Scoping
Engagement scoping isn't administrative overheadβit's risk management for both parties. A well-defined scope accomplishes several critical objectives:
Legal Protection
Security testing involves activities that, without authorization, would violate computer crime laws. The engagement charter provides documented authorization that transforms potentially criminal activity into legitimate professional service.
Expectation Alignment
Clients often have unclear or unrealistic expectations about what security assessment entails. Scoping creates shared understanding of what will (and won't) be tested, what deliverables to expect, and what success looks like.
Resource Planning
Scope determines effort. A web application assessment takes different skills and time than a network penetration test or cloud configuration review. Clear scope enables accurate resourcing and scheduling.
Finding Relevance
Findings must be actionable within the client's context. Understanding their compliance requirements, risk tolerance, and business priorities ensures your report addresses what actually matters to them.
Scope Dimensions
Security assessment scope is multidimensional. You must define boundaries across several axes:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SCOPE DIMENSIONS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β TECHNICAL SCOPE METHODOLOGICAL SCOPE β
β βββββββββββββββββ ββββββββββββββββββββ β
β β’ Which systems? β’ Black box / Gray box / White box? β
β β’ Which networks? β’ Automated scanning allowed? β
β β’ Which applications? β’ Manual exploitation allowed? β
β β’ Which cloud accounts? β’ Social engineering in scope? β
β β’ IP ranges / domains β’ Physical testing in scope? β
β β
β TEMPORAL SCOPE CONSTRAINT SCOPE β
β ββββββββββββββ ββββββββββββββββ β
β β’ Start and end dates β’ Testing windows (business hours?) β
β β’ Testing windows β’ Rate limiting requirements β
β β’ Milestone deadlines β’ Systems to avoid β
β β’ Report due dates β’ Actions requiring pre-approval β
β β
β AUTHORIZATION SCOPE DELIVERABLE SCOPE β
β ββββββββββββββββββ βββββββββββββββββ β
β β’ Who can authorize? β’ Report format and depth β
β β’ Escalation paths β’ Executive summary required? β
β β’ Emergency contacts β’ Remediation guidance level β
β β’ Notification triggers β’ Presentation/debrief included? β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Testing Methodology Spectrum
One critical scoping decision is where on the knowledge spectrum your assessment will operate:
| Approach | Tester Knowledge | Simulates | Advantages | Limitations |
|---|---|---|---|---|
| Black Box | No internal knowledge; external perspective only | External attacker with no insider access | Realistic external threat simulation; tests detection capabilities | Time-consuming; may miss internal vulnerabilities; limited depth |
| Gray Box | Partial knowledge; credentials, architecture docs, some access | Attacker with some insider information or compromised credentials | Balanced depth and realism; efficient use of time; tests privilege escalation | Requires client preparation; may not test initial access vectors |
| White Box | Full knowledge; source code, full documentation, admin access | Insider threat or comprehensive security review | Maximum coverage; identifies architectural issues; efficient | Less realistic attack simulation; requires significant client involvement |
For NovaTech's engagement, consider which approach best serves their objectives. They want to identify issues before SOC 2 auditβdoes that favor depth (white box) or realism (black box)? Their CISO wants to validate security postureβdoes that require testing detection capabilities?
3. Legal and Ethical Framework
Security testing operates within a complex legal landscape. Understanding these constraints isn't optionalβignorance doesn't provide legal protection, and violations can result in criminal charges, civil liability, and career-ending consequences.