CyberLeveling Logo
What Every Pentester Should Ask Clients

What Every Pentester Should Ask Clients Before Testing Public Web and Infrastructure

External pentests fail quietly all the time.

Not because the pentester lacks skill.
Not because the tools are wrong.
But because the engagement starts with assumptions instead of understanding how the organization actually exists on the public internet.

An external pentest is not just about what is reachable.
It is about what is exposed, trusted, connected, and assumed to be safe.

These questions exist to prevent wasted effort, missed risk, and reports that do not change anything.

Why External Pentests Need Different Questions

Public-facing environments behave differently from internal ones.

They are:

  • shaped by DNS and hosting decisions
  • influenced by legacy and forgotten systems
  • constrained by uptime and customer impact
  • often poorly documented

Attackers see the public edge, not your org chart.
Your questions need to reflect that.

Purpose and Expectations

  1. Why are you doing this external pentest right now?

    Are they preparing for a launch, responding to customer pressure, validating assumptions, or reacting to an incident? The reason defines what “good coverage” actually means.

  2. What decision will this pentest influence?

    Shipping, accepting risk, investing in fixes, or changing architecture. If no decision depends on the outcome, expectations are already misaligned.

  3. What does success look like for you?

    Some clients want reassurance. Some want a reality check. Some want proof they are not missing something obvious. Zero findings is rarely the real goal.

  4. Who will read and act on this report?

    Engineers, security teams, leadership, customers, or auditors. External pentest reports often travel far. Write accordingly.

Scope, Exposure, and Reality

  1. What domains, IP ranges, and services are officially in scope?

    This sounds basic, but ambiguity here kills engagements. Clarify: primary domains, subdomains, APIs, cloud front doors, and third-party hosted assets.

  2. Does this scope reflect how an attacker would actually interact with you?

    This is the most important scope question. Is scope driven by real attack surface or organizational ownership and contracts? Attackers do not care who owns what.

  3. What public-facing assets are you least confident about?

    This often includes old subdomains, legacy apps, acquisitions, and temporary services that became permanent. Uncertainty is where real findings usually live.

  4. What attack paths does this scope intentionally exclude?

    Make exclusions explicit. This prevents false confidence, incorrect assumptions, and surprise findings being dismissed later.

  5. If we find a path that crosses scope boundaries, how should we handle it?

    External attackers do not respect scope. You need agreement in advance on when to stop, when to escalate, and how to report it.

Business and Risk Context

  1. Which public-facing systems matter most to the business?

    Not all external assets are equal. Ask which ones handle authentication, process payments, expose sensitive data, or act as gateways to internal systems.

  2. What would be the worst realistic outcome of an external compromise?

    Data exposure, account takeover, fraud, service disruption, brand damage. This defines impact far better than vulnerability severity.

  3. What assumptions do you believe are safe about your external perimeter?

    Common assumptions include: “This system is isolated,” “No one uses this anymore,” “That account would never be targeted.” Assumptions are where attackers focus.

Environment Stability and Constraints

  1. What is likely to change during the engagement?

    Deployments, migrations, DNS changes, traffic shifts. External environments change constantly. Findings exist in time.

  2. What level of disruption is acceptable on public systems?

    Rate limiting, auth flows, production traffic. External pentests must respect uptime and user experience.

  3. Are there fragile systems we need to be especially careful with?

    Some public services break easily even if they are not critical. Knowing this upfront prevents incidents.

Detection, Monitoring, and Response

  1. What do you expect to detect during this test, if anything?

    Some organizations want to test WAFs, alerting, and SOC workflows. Others do not want alerts triggered at all. Clarify this early.

  2. Should defenders respond as if this activity is real?

    External tests often overlap with real attack traffic. You need to know whether this is silent testing, purple-team style, or detection validation.

  3. If something looks serious, who do we contact and how quickly?

    This is non-negotiable. External issues can escalate fast. You need clear escalation paths.

Data Handling and Proof

  1. What data should we absolutely avoid touching or extracting?

    External access does not mean all data should be accessed. Agree on boundaries to avoid legal and trust issues.

  2. How should we demonstrate impact safely?

    Screenshots, metadata, limited proof-of-access, mock accounts. Agreeing on proof prevents overreach.

Risk Ownership and Follow-Through

  1. How will findings from this external pentest be prioritized?

    CVSS, business impact, exploitability, customer exposure. Your report should match how decisions are actually made.

  2. Who owns remediation for external-facing issues?

    External findings often span app teams, infra teams, and third parties. Without ownership, fixes stall.

  3. What does acceptable external risk look like to you?

    Some exposure is intentional. Understanding tolerance helps you frame recommendations realistically.

  4. Who decides whether a public-facing issue is accepted or fixed?

    This is often a business decision, not a technical one. Know who makes it.

Legal and Boundary Conditions

  1. Are there legal, regulatory, or contractual constraints we must respect?

    Bug bounty overlap, third-party providers, customer data, regional laws. Never assume.

  2. What should we do if we discover a critical issue outside scope?

    External attack surface is messy. You need a plan before it happens.

Closing the Loop

  1. Will there be a readout or discussion after delivery?

    External pentest reports without discussion often fail to change anything. Conversation turns findings into action.

  2. What would make this external pentest a waste of time for you?

    This question surfaces past frustrations, fear of noise, and expectations around realism. Listen carefully.

  3. After this pentest, what do you hope is clearer?

    Good answers sound like: “We’ll know our real exposure,” “We’ll know where attackers would focus,” “We’ll know what we can safely ignore.” That is the real value of an external pentest.

Final Thought

An external pentest is not about finding every bug.
It is about understanding how the public sees you.

Attackers do not care about scope documents or org charts.
They care about what is reachable, trusted, and neglected.

Asking better questions before testing is how you make sure your work reflects that reality.

Tools find issues.
Questions make pentests matter.