You are tasked with a penetration test for a financial institution and have been given a comprehensive list of digital assets to evaluate. Midway through your assessment, you discover a service running on an endpoint that is outside the predefined range. This endpoint appears to be hosting a critical application. Which of the following actions align with the best practices for maintaining the scope of engagement?
Close the service immediately upon discovery to minimize the risk of potential exploitation and notify the client afterwards.
Dismiss the finding to stay within the original stipulations and avoid any unauthorized probing of systems.
Proceed with examining the service, since it might be critical to the client's security posture, and document any findings.
Notify your point of contact or the project lead about the discovery and await further instructions.