What action must a pentester take before beginning a legally-compliant penetration test?

Before commencing a legally-compliant penetration test, it is vital to define the scope of engagement and obtain agreement from all involved parties. This step ensures that both the pentester and the client have a mutual understanding of what will be tested, the boundaries of the test, and the objectives to be achieved. Defining the scope helps prevent any misunderstandings about what constitutes authorized testing and delineates the systems, networks, and applications that are included in the engagement.

Obtaining explicit agreement also provides legal protections for the pentester and the client. This formalization typically involves creating a contract that outlines the terms, conditions, and expectations of the penetration test. Such agreements help to mitigate potential legal issues that could arise from unexpected actions during the test, ensuring that both the client and pentester are aligned on the goals and limitations of the engagement.

Other courses of action, such as starting tests without approval or without a defined scope, can lead to unauthorized actions that carry legal ramifications. Likewise, preparing a report before the test has been conducted, or running a preliminary vulnerability assessment without clarity on what is to be assessed, undermines the structured approach that a successful and compliant penetration testing engagement requires.