Boundaries
Authorization and scope discipline matter before any technical depth does. These notes describe the limits that keep review work lawful, controlled, and interpretable after the fact.
- Written authorization before testing
- No activity outside approved scope
- Only necessary evidence is collected and handled confidentially
Authorization and Scope
- Written authorization is required before testing starts.
- Targets and environments should be explicitly named: hostnames, IP ranges, accounts, and which environment (production, staging, or a dedicated test copy).
- Testing windows should be agreed, documented, and stated with a timezone.
- Only approved targets should be reviewed; nothing is done outside those boundaries, and a system that merely shares infrastructure with a target is not in scope by implication.
- Testing depth should match the stated objective.
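A practical way to hold the scope and window limits above is to gate every action on a machine-readable copy of the authorization. The following is an added example written for these notes, not code from the original page: it assumes a hypothetical authorization record (client, approver, window, in-scope entries, exclusions) and refuses any target that is outside the agreed CIDRs or hostnames, explicitly excluded, or requested outside the testing window. It also re-checks resolved addresses, because a hostname that is in scope can point at infrastructure that is not.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed authorization record in a hypothetical format (not from the page).
AUTHORIZATION = {
    "client": "Example Corp",                    # who owns the target systems
    "approver": "security-lead@example.com",     # who can approve deeper validation
    "window": ["2024-05-06T08:00:00+00:00", "2024-05-10T18:00:00+00:00"],
    "in_scope": ["203.0.113.0/24", "2001:db8:10::/48",
                 "app.example.com", "*.staging.example.com"],
    "exclusions": ["203.0.113.5", "payments.staging.example.com"],
}


@dataclass(frozen=True)
class Scope:
    networks: tuple            # authorized ip_network objects
    hosts: frozenset           # authorized exact hostnames (lowercase)
    suffixes: tuple            # authorized wildcard suffixes, e.g. ".staging.example.com"
    excluded_networks: tuple
    excluded_hosts: frozenset
    excluded_suffixes: tuple
    window_start: datetime
    window_end: datetime


def _split(entries):
    """Sort scope entries into networks, exact hostnames and wildcard suffixes."""
    nets, hosts, suffixes = [], set(), []
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # single IPs become /32 or /128
            continue
        except ValueError:
            pass
        if entry.startswith("*."):
            suffixes.append(entry[1:])   # "*.staging.example.com" -> ".staging.example.com"
        else:
            hosts.add(entry)
    return tuple(nets), frozenset(hosts), tuple(suffixes)


def load_scope(doc):
    """Build a Scope from the authorization record; reject ambiguous windows outright."""
    start, end = (datetime.fromisoformat(t) for t in doc["window"])
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("testing window must be timezone-aware")
    if end <= start:
        raise ValueError("testing window must end after it starts")
    nets, hosts, suffixes = _split(doc["in_scope"])
    xnets, xhosts, xsuffixes = _split(doc.get("exclusions", []))
    return Scope(nets, hosts, suffixes, xnets, xhosts, xsuffixes, start, end)


def _matches(target, nets, hosts, suffixes):
    """True if target (an IP literal or a hostname) is covered by the given entries."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in n for n in nets)   # version mismatch simply yields False
    return target in hosts or any(target.endswith(s) for s in suffixes)


def check_target(scope, target, now):
    """Return (allowed, reason). The default on any doubt is to refuse."""
    if now.tzinfo is None:
        return False, "clock must be timezone-aware"
    if not (scope.window_start <= now <= scope.window_end):
        return False, "outside testing window %s .. %s" % (
            scope.window_start.isoformat(), scope.window_end.isoformat())
    t = target.strip().lower().rstrip(".")
    if _matches(t, scope.excluded_networks, scope.excluded_hosts, scope.excluded_suffixes):
        return False, "%s is explicitly excluded" % target
    if not _matches(t, scope.networks, scope.hosts, scope.suffixes):
        return False, "%s is not in the authorized scope" % target
    return True, "in scope"


def check_resolved(scope, hostname, resolved_addrs, now):
    """A name in scope may resolve to shared hosting or a CDN that is not.
    The caller supplies the resolved addresses so this stays offline; every one must pass."""
    ok, reason = check_target(scope, hostname, now)
    if not ok:
        return ok, reason
    for addr in resolved_addrs:
        ok, reason = check_target(scope, addr, now)
        if not ok:
            return False, "%s resolves to %s: %s" % (hostname, addr, reason)
    return True, "in scope"


if __name__ == "__main__":
    scope = load_scope(AUTHORIZATION)
    now = datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)
    for target in ["203.0.113.10", "203.0.113.5", "web.staging.example.com",
                   "staging.example.com", "198.51.100.7"]:
        print(target, check_target(scope, target, now))
    print(check_resolved(scope, "app.example.com", ["203.0.113.20", "198.51.100.7"], now))
```

Run the gate before every tool invocation, not once at the start of an engagement: the window check is what stops a scan left running overnight, and the resolved-address check is what keeps a CDN or shared host that the client does not own from being touched.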
Evidence Handling
- Findings are recorded only as far as needed to support analysis and reporting; do not collect data beyond what demonstrates the issue.
- Collected evidence is handled confidentially.
- Retention is limited to a clear operational need, and evidence is deleted when that need ends.
Conduct Limits
- No staged attack simulation outside the agreed scope.
- No claims of compliance certification; a review is not an audit against a standard.
- No scanning of third-party systems that are not named in the authorization, even when they share infrastructure with a target.
Reading This Practically
These are method notes rather than an intake checklist. They exist to make the assumptions around authorization, safety, and evidence explicit.
At minimum:
- Know who owns the target system
- Know exactly which assets are in scope
- Know who can approve deeper validation
- Know what evidence should and should not be retained