During the initial meeting with a client for a penetration testing project, the client specifies that they want a comprehensive assessment of their infrastructure within a strict timeline. However, the client has numerous third-party hosted services that are critical to their operations. As an ethical hacker, which of the following steps is MOST important to perform next?
Advice the client that testing third-party services is not required since it is beyond the client's direct control.
Assume responsibility for any legal issues with third-party vendors that might arise during the testing procedure.
Validate the scope of engagement by questioning the client and reviewing the contracts pertaining to the third-party services.
Immediately start testing the client's internal network to map out all accessible devices and services.