Scope of Assessment
What is Scope
Scope defines the exact parts of your application or infrastructure that an AI Pentest is allowed to test.
Defining your scope clearly is one of the most important steps before running a pentest, for four reasons:
Safety: prevents testing systems that are not prepared for scanning
Accuracy: keeps the agents focused on the right domains, APIs, or apps
Compliance: provides proof of what was tested and what was excluded
Consistency: allows retests to follow the same boundaries every time
Pentests perform potentially destructive security actions and should only be run on non-production environments that do not contain real customer data.
Only the targets listed in the scope are tested. Anything not listed is ignored; listing a domain does not implicitly bring its other subdomains into scope.
What to include in the Scope
A scope can contain one or more of the following:
Primary domain such as app.example.com
Subdomains or environments like staging.example.com or api.example.com
Connected systems that belong to the same application
Each target must be owned or controlled by your organization.
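As an added example, not Aikido's own code, the exact-match rule above expressed as a small scope check in Python. It normalizes scope entries and candidate targets to bare lowercase hostnames (dropping scheme, port, path and trailing dot) and then admits only hosts that were explicitly listed, so a subdomain of a listed host, a lookalike name, or a host that merely ends in an in-scope name stays out. The `Scope` class, the hostnames and the candidate list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def normalize_host(target: str) -> str:
    """Reduce a scope entry or candidate target to a bare, lowercase hostname.

    Accepts plain hostnames ("app.example.com"), hostnames with a port or
    path ("api.example.com:8443/v1"), and full URLs. Case and a trailing
    dot are removed so that "App.Example.COM." matches "app.example.com".
    Raises ValueError if no hostname can be found.
    """
    text = target.strip()
    # urlsplit only parses the authority part when it is preceded by "//".
    parts = urlsplit(text if "://" in text else "//" + text)
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host


class Scope:
    """The set of hosts a pentest is allowed to touch (hypothetical helper).

    Matching is exact: listing "app.example.com" does not bring
    "www.app.example.com" or any other subdomain into scope, and a host
    such as "app.example.com.attacker.net" that merely ends with an
    in-scope name is out of scope. Wildcards are deliberately not supported.
    """

    def __init__(self, targets):
        self.hosts = frozenset(normalize_host(t) for t in targets)

    def allows(self, target: str) -> bool:
        try:
            return normalize_host(target) in self.hosts
        except ValueError:
            # Something that is not even a hostname is never in scope.
            return False

    def partition(self, candidates):
        """Split candidates into (in_scope, out_of_scope), keeping the original
        strings so the result can be kept as the record of what was tested."""
        in_scope, out_of_scope = [], []
        for candidate in candidates:
            (in_scope if self.allows(candidate) else out_of_scope).append(candidate)
        return in_scope, out_of_scope


# Constructed sample: a scope of two hosts and a mixed list of targets an
# agent might discover while crawling. Not real infrastructure.
EXAMPLE_SCOPE = Scope(["app.example.com", "api.example.com"])
EXAMPLE_CANDIDATES = [
    "https://app.example.com/login",
    "API.EXAMPLE.COM.:8443",
    "staging.example.com",           # not listed: ignored
    "www.app.example.com",           # subdomain of a listed host: ignored
    "api.example.com.attacker.net",  # ends in an in-scope name: ignored
    "",                              # not a hostname at all: ignored
]

if __name__ == "__main__":
    tested, ignored = EXAMPLE_SCOPE.partition(EXAMPLE_CANDIDATES)
    print("in scope:    ", tested)
    print("out of scope:", ignored)
```

The exact-match design is the conservative choice for a scope filter: a suffix or wildcard match would let a discovered host outside the agreed boundary through, while an exact set can only ever test what was written down.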
Domain ownership verification
Before a domain can be tested, ownership must be verified. This step ensures that Aikido only tests systems you control.
Verification must be completed for every domain included in the scope.