Which action must a pentester take before beginning a penetration test to ensure the assessment is legally compliant?

Study for the Penetration Testing and Vulnerability Analysis Exam. Prepare with flashcards and multiple choice questions, complete with hints and explanations. Ace your exam with our comprehensive resources!

Multiple Choice

Which action must a pentester take before beginning a penetration test to ensure the assessment is legally compliant?

Explanation:
Defining the scope of engagement and obtaining written agreement from all parties establishes the legal permission and boundaries needed to perform a penetration test. By specifying in-scope assets such as IP address ranges, APIs, and cloud resources, along with terms, testing windows, data handling rules, and reporting expectations, you create a formal, auditable authorization that prevents unintended targets and limits risk. This written scope is what differentiates a legitimate assessment from unauthorized activity, guiding what techniques are allowed and when. Actions like testing without notice don’t provide lawful approval, and ancillary steps like hiring auditors or reviewing unrelated plans don’t establish the necessary permission or boundaries.

