A client has provided you with the rules of engagement for an upcoming penetration testing exercise on their e-commerce platform. However, the client has not specified any constraints regarding the time of day the testing should occur. Which of the following is the MOST professional approach to handle this situation?
Schedule the testing during typical off-peak hours for e-commerce platforms to minimize potential impact.
Seek clarification from the client regarding preferred testing times to avoid disruption to their business operations.
Assume testing is allowed during business hours as no constraints were mentioned and proceed with the planned activities.
Suggest that testing be performed during evening hours assuming it is less likely to affect the client's operations.
When the time of day has not been explicitly stated in the rules of engagement, the professional approach is to seek clarification from the client. Explicitly confirming this aspect helps ensure that testing does not interfere with peak business hours or scheduled maintenance and backups, which could affect system performance and the customer experience. Skipping this step could lead to unintended downtime or other issues that may even unknowingly breach the terms of the agreement. Assuming the time or suggesting evening hours without confirmation could result in testing at inappropriate times, while scheduling during off-peak hours without approval might not align with the client's expectations or system usage patterns.