# Scope of Assessment

## What is Scope

Scope defines the exact parts of your application or infrastructure that a pentest is allowed to test.

Defining your scope clearly is one of the most important steps before running a pentest.

* **Safety**: prevents testing systems that are not prepared for scanning
* **Accuracy**: keeps agents focused on the right domains, APIs, or apps
* **Compliance**: provides proof of what was tested and what was excluded
* **Consistency**: allows retests to follow the same boundaries every time

{% hint style="danger" %}
Pentests perform potentially destructive security actions and should only be run on non-production environments that do not contain real customer data.
{% endhint %}

Only the targets listed in the scope are scanned. Anything not included is ignored and will not be tested.

## What to include in the Scope

A scope can contain one or more of the following:

* Primary domain such as app.example.com
* Subdomains or environments like staging.example.com or api.example.com
* Connected systems that belong to the same application

Each target must be owned or controlled by your organization.

### Domain ownership verification

Before a domain can be tested, ownership must be verified. This step ensures that Aikido only tests systems you control.

Verification must be completed for every domain included in the scope.