Pentesting Success: Mastering the Presale and Scoping Process
Unlock the full potential of your pentests by asking the right questions during meetings with potential clients
The success of a penetration test is determined not just by the vulnerabilities you uncover, but by how well you understand your client’s business before the test even begins. The scoping phase is where the real value is defined. A well-defined scope not only aligns the test with your client’s needs but also ensures that you, as the tester, deliver actionable insights that directly protect their business.
Background and introduction
Throughout my cybersecurity career, I have always gravitated towards working in smaller, specialized teams, where the impact and responsibility of each individual is high. Unlike in large organizations with extensive penetration testing teams, smaller teams give you the opportunity to take full ownership of every aspect of a project, from the initial client contact to the presentation of the final report, and then again when following up with repeat clients. This has allowed me to grow at an accelerated pace, not only as a penetration tester but as a consultant in general.
Being responsible for all phases of the process, including sales and scoping, has given me good insight into the importance of the scoping phase in particular. After handling numerous pentests, I have found that scoping is by far the most important step. It helps you thoroughly understand the client’s needs, which in turn increases the likelihood of closing the sale, because you demonstrate that you understand their business. A well-executed scoping phase also leads to a test with better output and value, increasing the chances of repeat business.
The scoping phase sets the groundwork for everything that follows and helps align the expectations of both the client and the pentesting team, ultimately maximizing the value of the penetration test. In this article we’ll explore the key questions you should ask during the scoping phase, and the goals you should have in mind to maximize the effectiveness and value of the pentest. Before diving into technical considerations, you need to understand your client’s business context. This will allow you to focus your testing where it matters.
Understanding the client’s business for maximum impact
To maximize the value of your test, you need to be able to go beyond the technical aspects and understand what actually matters to the client. A lot of the work you do on this subject should be done before you ever meet the client.
What industry does their business operate in?
This helps identify industry-specific risks, such as targeted attacks on healthcare or finance.
What specific threats are most common in this sector?
Is this industry usually targeted by ransomware groups, APTs or other threat actors?
What is probably their most critical business asset?
Is it customer data, intellectual property, financial information, or something else? This will help you recommend the goals of the penetration test.
What cybersecurity frameworks or standards do they need to follow?
This helps you understand whether the motivation for purchasing the test comes from within the organization or from a requirement of some framework.
Any recent cybersecurity incidents or breaches that have affected them, or their sector?
This can also help you understand why they are interested in a pentest, and lets you recommend test scenarios that check their resilience against similar attacks.
What are their most likely security concerns?
Customers reading data belonging to other customers? Sabotage? Industrial espionage? Opportunistic ransomware attacks? Downtime? Having an opinion on this ahead of time gives you the knowledge you need to help the customer understand which attacks are the most valuable to test for.
Do they have a customer portal, web application or similar?
Do some research on it. Register a user if it is easily done. What frameworks are used to build it? What functionality does it have?
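One way to turn a quick look at the client’s portal into notes for the meeting is to fingerprint it passively from a single normal response, the headers and HTML any visitor receives. The script below is an added example for this article, not code from the original post: the sample response is constructed, the fingerprint rules are a small illustrative subset rather than a catalogue, and the paths it flags as "interesting" are an assumption about what is usually worth asking about (authentication, APIs, file upload, admin and payment flows). It sends no requests; anything more active than reading what the browser already shows you, such as scanning or probing, waits until a scope and authorization are signed.

```python
"""Passive fingerprinting of a client's public web application from one
normal HTTP response. Added example, not the article's own code.
The sample response is constructed; the rule sets are an illustrative subset."""
import re

# Constructed sample response (not a real client): what you see with
# `curl -i` or in the browser's network tab when loading the sign-up page.
SAMPLE_HEADERS = [
    ("Server", "nginx/1.24.0"),
    ("X-Powered-By", "Express"),
    ("Set-Cookie", "connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "_ga=GA1.2.123; Path=/"),
    ("Content-Type", "text/html; charset=utf-8"),
]
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/_next/static/chunks/main-1a2b3c.js"></script>
<link rel="stylesheet" href="/_next/static/css/app.css">
</head><body>
<div id="__next"></div>
<form action="/account/register" method="post"></form>
<form action="/account/login" method="post"></form>
<a href="/api/v1/docs">API documentation</a>
<a href="/portal/invoices/upload">Upload invoices</a>
<a href="/about">About us</a>
</body></html>"""

# Header, cookie and HTML fingerprints: a small subset, enough to show the idea.
HEADER_RULES = [
    ("server", r"nginx", "web server / reverse proxy: nginx"),
    ("server", r"microsoft-iis", "web server: Microsoft IIS"),
    ("x-powered-by", r"express", "backend: Node.js (Express)"),
    ("x-powered-by", r"php", "backend: PHP"),
    ("x-powered-by", r"asp\.net", "backend: ASP.NET"),
]
COOKIE_RULES = {
    "phpsessid": "session cookie: PHP",
    "asp.net_sessionid": "session cookie: ASP.NET",
    "jsessionid": "session cookie: Java servlet container",
    "csrftoken": "CSRF cookie: Django",
    "laravel_session": "session cookie: Laravel",
    "connect.sid": "session cookie: express-session (Node.js)",
}
HTML_RULES = [
    (r'/_next/static/|id="__next"', "frontend: Next.js (React)"),
    (r"/wp-content/|/wp-includes/", "CMS: WordPress"),
    (r"ng-version=", "frontend: Angular"),
    (r'<meta name="generator" content="([^"]+)"', "generator meta tag: {0}"),
]
# Assumed list of paths worth asking about: auth, APIs, uploads, admin, money.
INTERESTING = re.compile(r"login|register|signup|api|upload|admin|invoice|payment|checkout", re.I)
# Headers whose absence is a cheap, defensible talking point in the meeting.
EXPECTED_HEADERS = ["strict-transport-security", "content-security-policy"]


def fingerprint(headers, html):
    """Return stack hints, user-facing functionality and missing-header notes
    derived from one response. Purely passive: nothing here sends a request."""
    stack, functionality, notes = [], [], []
    lower = [(name.lower(), value) for name, value in headers]
    # Technology hints from well-known response headers.
    for name, pattern, finding in HEADER_RULES:
        if any(n == name and re.search(pattern, v, re.I) for n, v in lower):
            stack.append(finding)
    # Session/CSRF cookie names are a strong hint of the framework behind them.
    for n, v in lower:
        if n == "set-cookie":
            cookie = v.split("=", 1)[0].strip().lower()
            if cookie in COOKIE_RULES:
                stack.append(COOKIE_RULES[cookie])
    # Asset paths and meta tags in the HTML identify the frontend or CMS.
    for pattern, finding in HTML_RULES:
        match = re.search(pattern, html, re.I)
        if match:
            stack.append(finding.format(*match.groups()))
    # Form actions and links tell you what the portal does, and where risk sits.
    for path in re.findall(r"""(?:action|href)=["']([^"']+)["']""", html):
        if INTERESTING.search(path) and path not in functionality:
            functionality.append(path)
    present = {n for n, _ in lower}
    for header in EXPECTED_HEADERS:
        if header not in present:
            notes.append(f"missing response header: {header}")
    return {"stack": stack, "functionality": functionality, "notes": notes}


if __name__ == "__main__":
    for key, items in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(key)
        for item in items:
            print("  -", item)
```

On the constructed response this reports an nginx front, a Node.js/Express backend with express-session, a Next.js frontend, a registration and login flow, an API and an invoice upload feature, plus two missing hardening headers. That is enough to open the meeting with a concrete observation about their portal rather than a generic pitch, and the functionality list (upload, API, payment) maps directly to the attack scenarios you will later propose for scope.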
Build yourself a knowledge base on the customer that will impress them when you first meet. It does not take much to be well prepared, and not too many people actually focus on this. This will make you stand out. Once you’ve done your homework, it’s time to ask the right questions during the presale meeting. These conversations not only help you gather crucial information but also establish your expertise.
Questions to ask during presale and the first meeting
Since you are entering this meeting well-prepared, it will be much easier to have a good conversation with the client. During your preparation, you might have found interesting bits of information, some questions will have come up for sure, and maybe you even had some security concerns about the way they do business that you can share with them.
Use this preparation to the fullest. Even when you already know something, ask the client about it, either to fill time while you think about where to take the conversation next, or to demonstrate your knowledge while asking a question like:
“To me it seems like the most consequential attack against your business would be some form of industrial espionage, as it could be fatal if a competitor could steal the recipe of your secret sauce. What is your take on this, what do you think are the most important security concerns for your company?”
Other questions you can ask during this first meeting could be:
Can you give me a brief overview of your business? What do you see as the most critical aspects of your operation from a security perspective?
This question helps you not only understand the client’s core business but also their view of which operational areas are most vital to protect. Framing it this way encourages the client to reflect on security in relation to their primary business functions, which gives you insight into the potential impact of a breach on their operations.
Can you walk me through your current IT infrastructure, including any cloud environments, on-premises systems or hybrid setups? What critical applications does your business rely on most?
This question gives you a structured understanding of their infrastructure, including the different environments that may require different security considerations. Cloud, on-premises and hybrid systems each have their own weaknesses, and this question helps you identify which parts of the infrastructure need the most attention during the pentest.
What type of sensitive data does your organization handle? Personal data, financial records, intellectual property?
This question helps you identify the most sensitive assets within the organization and understand how the client ranks their importance. Different types of data require different levels of protection, and knowing how the client prioritizes them helps you recommend the right focus areas for the pentest.
What are the largest security challenges your organization is currently facing?
This question encourages the client to articulate their current security pain points. It shifts the conversation to the immediate or ongoing issues they are experiencing, whether that is an increase in phishing attacks, ransomware threats or internal weaknesses, and helps you prioritize which attack vectors to test for. It also pinpoints the specific areas where the client feels most exposed. Understanding their current challenges ensures that the pentest addresses their most pressing concerns, which increases the value of your services.
Are there specific types of threat actors or attack scenarios that worry you the most, based on your industry or previous experience?
This is more specific than the previous question and digs deeper into the types of attackers they fear most. They may be worried about nation-state actors, insider threats or sophisticated cybercriminals, and knowing this lets you simulate the relevant attack vectors during the pentest. A healthcare organization might worry about breaches targeting personal health information (PHI), for example, while a tech firm might be more concerned about intellectual property theft.
Do you have any third-party vendors or partners who access your network or sensitive data?
This question highlights what is usually a pain point for clients, and it is highly topical since supply chains are a focus of many of the newer security frameworks. You are looking to find out whether third-party access represents a significant risk and whether the client has strong vendor management practices. If weaknesses are found, this could lead to testing for supply chain weaknesses or recommending stronger controls around third-party access. It could also provide a perfect starting point for an “assumed breach” test, where the engagement starts from the access a compromised vendor would have.
Have you conducted penetration tests or security assessments of your infrastructure in the past?
This question gives you insight into the client’s previous experience with pentests or security assessments and, more importantly, their maturity level. Understanding the client’s maturity level is essential for recommending a test type and methodology that will provide value. An expensive Red Team engagement for a client with low maturity will mostly be a waste of money, while recommending that they start with a simple vulnerability assessment could be the beginning of a long relationship with a loyal customer. If their maturity is higher, previous work informs your approach: you can build on earlier efforts or fill gaps in areas that were overlooked in the past.
How did the previous tests compare to your expectations? Were there any specific areas where you felt more attention was needed?
Learning from your own mistakes is good; learning from previous testers’ mistakes is even better. This follow-up helps you understand whether the client felt their expectations were met in past engagements. If there were gaps, you can focus your pentest on those areas so they get a more complete service this time. The goal is to uncover any dissatisfaction or unmet expectations, so that you can tailor your approach to the areas where the client felt previous assessments lacked depth or impact, and show that you are focused on improving their experience.
Ideally, another person on the call or in the meeting should take notes so you can give the client your full attention and learn as much as possible. This will not only make the test more valuable for the client, but also more enjoyable for yourself, as every test will have a clearer goal and the client will be more invested.
By using these questions, you can dig deeper into the client’s specific security needs, ensuring that the penetration test aligns closely with their business operations, risk profile, and security objectives.
Conclusion
This is obviously not an exhaustive list of the questions you should ask the client, and some obvious ones relating to scope size and rules of engagement are left out. Those you can easily look up in the Penetration Testing Execution Standard (PTES) or similar frameworks. These are just a few thoughts I have on getting to know a potential client, and I might add to this with more articles in the future.
The scoping phase should never feel like just a checklist. It is an opportunity to build trust, demonstrate expertise and align your test with your client’s unique needs. By mastering both the presale and scoping phases, you position yourself not only as a tester but as a trusted advisor who can deliver long-term security value. Take the time to ask the right questions and you will not only ensure a successful test but also build a collaborative relationship that lasts, making you the client’s preferred resource for future security engagements.