Penetration Test Scope & Rules of Engagement

Define the targets, constraints and authorisation for a penetration test engagement. Your responses are stored in this browser only — nothing is sent to a server.

1. Engagement details

Capture the metadata that will appear on the front page of your scoping document.

A short, descriptive title for this assessment
Internal reference, PO number, or ticket ID
Name and job title of the person authorising the test
Per Government Security Classifications Policy 2023 (if applicable)

2. Scope definition

List every target that is in scope or explicitly out of scope for this engagement. Include IP addresses, IP ranges (CIDR), hostnames, URLs, applications, and any other assets.

In-scope targets

Add every asset that may be tested. Be as specific as possible — include individual hosts rather than broad subnets unless the whole range is confirmed in scope.
Columns: Target (IP / CIDR / hostname / URL) | Asset type | Notes / description

Out-of-scope targets

Explicitly list any systems that must not be tested — shared infrastructure, third-party services, production databases in live environments, etc.
Columns: Target (IP / CIDR / hostname / URL) | Asset type | Reason for exclusion
Any ambiguities, shared infrastructure caveats, cloud accounts in scope, etc.

3. Rules of engagement

Define the constraints and operational parameters that govern testing activity.

Include the timezone, e.g. "Monday–Friday, 09:00–17:00 BST only" or "24/7"
Permitted testing techniques: select all that are explicitly permitted for this engagement
e.g. "Do not test the payments API", "No destructive payloads", "Do not exfiltrate real PII"

Emergency & escalation contacts

Name, phone number, and email. Available 24/7 if an incident occurs during testing.
Testing team contact available during the engagement
How will screenshots, logs, and credentials captured during testing be stored and destroyed?
Provide static IPs or ranges the client should whitelist on firewalls / WAFs
Under what circumstances should testing pause immediately and who should be notified?

4. Review & export

Scoping document ready
Review the document preview below, then download in your preferred format.

Word document (.doc): editable document for sharing and signature

Print / Save as PDF: use your browser's print dialog to save as PDF

Save progress (JSON): save all data locally and reload later

Load progress (JSON): restore a previously saved scoping session