In pentesting, what can be selected as targets by stakeholders?

In penetration testing, stakeholders identify and select specific targets that align with their security assessment objectives. Choosing IP addresses and URLs is essential because these targets encompass a broader range of potential vulnerabilities within an organization's infrastructure. This selection allows pentesters to explore various attack surfaces, including both web applications and network devices, thus providing a more comprehensive evaluation of the organization's security posture.

Focusing on individual applications or single-user applications would limit the scope of the penetration test. Stakeholders typically aim to assess their overall security, which includes multiple components, rather than just specific applications or user-level contexts. Additionally, restricting the targets to only external networks does not consider internal assets that are vital for a thorough assessment. Therefore, selecting IP addresses and URLs provides the necessary breadth and flexibility to effectively evaluate an organization's security vulnerabilities.