Skip to content

Mid-engagement you discover an exploitable host that is clearly NOT in the agreed scope. What do you do?

Short answer

Authorization defines the engagement, so testing outside the agreed scope is potentially illegal and breaches the rules of engagement no matter how tempting the target. Document what you saw, stop, and obtain written client approval before going further. Exploiting for 'more findings' is never a justification for unauthorized access. Quietly exploiting it if you think you won't be caught is both unethical and a crime, and self-extending the scope strips the client of informed consent.

A penetration test is legal only because the client authorized it in writing, and that authorization is bounded by a defined scope. The moment you touch a host outside that boundary, you are no longer doing a sanctioned test — you are committing unauthorized access, which is a crime in most jurisdictions regardless of intent.

Why stopping and confirming in writing is correct

The professional move is to stop, leave the host untouched, and escalate to the client so they can decide whether to extend scope. If they agree, you get the change in writing — an amended scope or a signed authorization — before you proceed. This keeps you legally protected and preserves the client's informed consent. You can still note that the host appears reachable and potentially exploitable; observing it from within authorized scope is fine, but actively exploiting it is not.

Why the other options are wrong

  • Exploit it for "more findings." A bigger report is worthless if it was produced through illegal activity. This exposes you and your firm to liability and destroys client trust.
  • Quietly exploit it if you won't be caught. This reframes the test as the very crime you're hired to help prevent. "Won't be caught" is not an authorization model — it's the mindset of an attacker.
  • Add it to scope yourself. Having network access is not the same as having permission. Self-extending scope removes the client's ability to consent and may put production systems or third-party assets at risk.

What an interviewer is probing

They want to see that you treat authorization, not capability, as the limiting factor. A strong candidate instinctively reaches for the rules of engagement and the client contact rather than the exploit. Ethics and discipline under temptation are exactly what separate a trustworthy tester from a liability, and this scenario is designed to reveal which one you are.

Likely follow-ups

  • What in the rules of engagement governs how scope changes are authorized?
  • How would you document the out-of-scope host without testing it?
  • What legal exposure does an unauthorized test create for you and your firm?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.