During the kickoff meeting, the client emails your team three internal /24 network ranges, two public IP blocks, and several fully qualified domain names that must be assessed during a one-week test window. The client also warns that cloud-hosted assets may appear during discovery. Which action will best ensure the testing stays strictly within the authorized boundaries?
Obtain a precise list from the client and confirm it matches the agreement, removing any unspecified addresses
Gather information from all addresses to identify anything that responds and include them in the test
Investigate additional endpoints if they appear during scans to cover all potential weaknesses
Exclude addresses that do not return active responses during initial scans
Confirming exact scope details in writing and excluding anything not specified helps testers avoid unauthorized activities. One option suggests scanning everything, which can exceed boundaries. Another suggests excluding networks based on responsiveness, which risks omitting critical resources. Another recommends investigating new endpoints when discovered, which may overstep the agreement. Ensuring all items match the contract eliminates guesswork and keeps testing within the agreed scope.