During the client acceptance phase of a penetration test, which action is MOST important?

• A. Ensuring the client fully understands and agrees to the terms, scope, and outcomes of the penetration test
• B. Ensuring the testing team completes the work within budget
• C. Scheduling the engagement without client input
• D. Providing only technical findings to the client

Answer: (A)

Clear agreement on terms, scope, and outcomes with formal authorization is the main thing being tested. Obtaining written approval from the client before any testing begins ensures everyone understands what will be tested, how it will be done, and what the expected deliverables are. This creates a legal and contractual basis for the engagement, prevents scope creep, and defines the rules of engagement so the testers stay within agreed boundaries and the client understands potential impacts and limitations. While budget, scheduling, and how findings are delivered matter, they do not replace the need for explicit consent and a well-defined scope. Scheduling without client input and presenting only technical findings bypass the essential authorization and shared understanding that make a penetration test legitimate and effective.