Home / Blog / General / How to write a penetration testing brief

November 11, 2019

Penetration testing is a core tool used to analyse the security of IT systems. Done well, it can tell you where your vulnerabilities lie, how well your existing protocols are working and what more needs to be done to lower your levels of risk.

But it is not a one-size-fits-all solution – and as such, it requires proper commissioning.

This article will help you identify the most important considerations to bear in mind when writing a brief and the limitations of this type of cyber assessment.

It’s also important to acknowledge that the results of a penetration test are really just a snapshot in time. The threat landscape is constantly evolving, so what is working today won’t necessarily prevent an attack this time next year.

That’s why regular pen testing is recommended – and why getting the briefing process down to a fine art will be of long-term benefit.

How to write a penetration testing brief

Creating a brief for a penetration test

Nobody knows your business quite like you do – and that’s important when you’re creating your pen testing brief. You know your system. You know your assets. You know what makes you a target.

This information, together with some insight as to why you are running the test, will be helpful for the testers and should be defined in the brief.

Think about the scope

The scope of the penetration test defines the parameters of what is being tested. For example…

  • Do you want your testers to assess the human element of your cyber security?
  • Can employees be lured by phishing emails?
  • Is everyone keeping their passwords safe?
  • Has someone propped the back door open, etc.

Or would you prefer to leave that out of the equation and stick to testing the network?

Set objectives

What do you expect the pen test to deliver? By setting your objectives from the outset, you won’t be disappointed with the end result. Need to prove regulatory compliance? Say so. Are you testing the defences in your IT department? Make that clear. Want a road-map for future security planning? Ask for it.

Set appropriate budgets

By defining the scope and your objectives, you will help your testers come up with a quote. But it’s still for you to allocate the appropriate budget to the project, while considering the scale and complexity of your requirements.

Determine the right type of test

There are four main groups of penetration test – external network, internal network, web application and social engineering. Read up on what all this means here. The type you are drawn to will likely depend on your main areas of concern (perhaps your online app, or your employees).

A good pen tester will not be limited by the type of test you choose, but will use a mix of techniques to deliver a test that is tailored to your scope and objectives.

Trust your testers

Penetration testing is just hacking for good instead of evil – so make sure you choose the right testers. We’ve written an article about what penetration testing certifications you should insist on and we’d really recommend you read it before moving ahead with the project.

There are a couple of different schemes designed to give you peace of mind. Some are even designed for specific industries.

Ask for references

Even if a company is certified, it doesn’t necessarily mean they are right for you. Ask for references and speak to the tester’s customers about their experience before choosing your service provider.

Penetration Testing.

Be prepared

The penetration test itself could have an impact on ‘business as usual’. Define protocols for a service disruption, just in case. Carry out a full-system back-up before the test begins and allocate the appropriate personnel and technical resources for the duration of the test.


Before going ahead with the test, remember that there are four main limitations to any penetration test.

  1. Penetration testing isn’t magic – it doesn’t guarantee that you’re 100% secure
  2. Tests are time-limited – both your system and the threat landscape are dynamic and as such the test can only provide a snapshot in time
  3. Anything not included in the scope is unseen – it’s unlikely that you would want to ‘hack everything’
  4. Humans are a weak link – the human element (social engineering) is as important as technical infrastructure

Further reading

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.