Phase 1: Planning & Authorization
The Planning & Authorization phase is the foundation of every ethical hacking or penetration testing engagement. Before any technical testing begins, the security team and the organization must agree on what will be tested, how testing will be conducted, and what limitations apply. This phase ensures that all activities are legally authorized, ethically performed, and aligned with the client's objectives. Proper planning minimizes operational risks, prevents misunderstandings, and establishes a clear framework for the entire assessment.
Objectives
1. Obtain Written Authorization
Ethical hacking must always be performed with explicit permission from the asset owner. A written authorization—such as a signed contract, authorization letter, or Statement of Work (SoW)—provides legal permission to perform security testing. This document protects both the organization and the ethical hacker by clearly stating that the assessment is approved.
The authorization should specify:
- The organization granting permission.
- The names of authorized testers.
- The duration of the engagement.
- The systems or applications covered.
- Any legal or compliance requirements.
Without written authorization, security testing may be considered unauthorized access and could violate laws or contractual obligations.
2. Define the Scope
The scope identifies exactly what is included and excluded from the assessment. A clearly defined scope prevents accidental testing of systems that are not authorized and helps ensure that testing efforts are focused on the organization's priorities.
The scope typically includes:
- Domains and subdomains.
- IP address ranges.
- Web applications.
- APIs.
- Mobile applications.
- Cloud environments.
- Internal networks.
- Wireless networks.
It should also identify any out-of-scope assets, such as third-party services or production systems that must not be tested.
A well-defined scope reduces risk and improves testing efficiency.
3. Understand Testing Limitations
Every penetration test has operational, technical, or contractual limitations. Understanding these limitations ensures that testing does not negatively affect business operations.
Common testing limitations include:
- No Denial-of-Service (DoS) testing.
- No phishing or social engineering.
- No physical security assessments.
- No password spraying against production accounts.
- Restricted testing hours.
- Rate limits on automated scanning.
- Sensitive systems requiring prior approval.
Documenting these restrictions ensures that all testing remains safe, controlled, and compliant with the engagement rules.
4. Identify Critical Assets
Not all systems have the same level of importance. During planning, the organization identifies high-value assets that require special attention during the assessment.
Examples of critical assets include:
- Authentication systems.
- Customer portals.
- Payment processing applications.
- Administrative dashboards.
- Databases containing sensitive information.
- APIs handling financial or personal data.
- Cloud management consoles.
- Identity and access management systems.
Understanding which assets are most critical allows the testing team to prioritize their efforts and assess the areas that pose the greatest business risk.
5. Establish Communication Channels
Effective communication is essential throughout the engagement. Both the organization and the testing team should know who to contact before, during, and after the assessment.
Communication planning should include:
- Primary technical contact.
- Security operations contact.
- Incident response contact.
- Project manager.
- Escalation procedures.
- Preferred communication methods (email, phone, secure messaging).
- Reporting frequency and status updates.
Clear communication helps resolve issues quickly and ensures that unexpected events are handled appropriately.
Deliverables
At the end of the Planning & Authorization phase, several key documents should be prepared.
1. Rules of Engagement (RoE)
The Rules of Engagement (RoE) define how the penetration test will be conducted. This document establishes the boundaries, permitted activities, prohibited actions, testing windows, communication procedures, and escalation processes. It ensures that both the client and the ethical hackers have a shared understanding of the engagement and helps prevent disruptions to business operations.
Typical contents include:
- Authorized testing methods.
- Prohibited activities.
- Testing schedule.
- Scope boundaries.
- Communication procedures.
- Incident reporting process.
- Safety precautions.
- Legal requirements.
2. Scope Document
The Scope Document provides a detailed inventory of all systems, applications, domains, APIs, and networks included in the assessment. It also identifies any excluded assets and special considerations.
Typical contents include:
- In-scope assets.
- Out-of-scope assets.
- IP ranges.
- Domain names.
- Cloud resources.
- Application URLs.
- Mobile applications.
- Testing objectives.
3. Testing Schedule
The Testing Schedule defines when the assessment will take place. It helps minimize disruption by coordinating testing during approved maintenance windows or low-traffic periods.
A typical schedule includes:
- Engagement start date.
- Engagement end date.
- Daily testing hours.
- Planned maintenance windows.
- Milestone reviews.
- Final reporting deadline.
4. Emergency Contacts
Emergency Contacts ensure that any critical issues discovered during testing can be reported immediately to the appropriate personnel.
The contact list generally includes:
- Client security team.
- System administrators.
- Incident response team.
- Project manager.
- Executive sponsor.
- Penetration testing team lead.
Having an up-to-date emergency contact list enables rapid coordination if testing reveals a critical vulnerability or unintentionally affects system availability.