Effective scope management is essential for ensuring security testing aligns with your organization’s priorities, compliance requirements, and operational boundaries. ETHIACK provides flexible tools to manage your attack surface, enabling you to define what should and should not be tested.
This guide explains how to configure and manage your in-scope and out-of-scope assets within the ETHIACK platform.
What is the Scope in Security Testing?
In the context of offensive security testing, scope defines which assets are authorized for testing. ETHIACK uses scope definitions to enforce boundaries across both automated and human-driven testing.
Assets can be:
- In-Scope: Assets that are explicitly authorized for testing.
- Out-of-Scope: Assets that are excluded from any form of testing, monitoring, or exploitation.
This is an important step since correctly configuring the scope ensures:
- Legal and contractual compliance
- Avoidance of service disruption to critical or third-party systems
- Prioritization of testing efforts on relevant infrastructure
How to Manage Scope for an Event
The scope is defined per event, meaning each event can target a specific set of assets. You can assign assets as in-scope or out-of-scope in one of the two following ways:
Option 1: From Inside an Event
- Go to the Events section.
- Select the relevant event.
- Click the "Edit" button under either:
  - Assets In Scope
  - Assets Out of Scope
- You will be redirected to the Assets Management interface, where you can configure the scope.
Note: When you reach the Assets Management interface this way, an Event filter for that event is applied, and a Status filter is set to match the "In Scope" or "Out of Scope" option you selected in the previous step.
To view all assets, you need to set both filters accordingly:
- Change the Event filter to 'All'
- Click on Status and select the 'All' option.
Option 2: From the Global Assets Page
- On the left-hand menu, click Assets.
- Here you’ll find the full list of assets associated with your organization.
Defining Asset Scope from the Assets Page
You have two ways to define scope from this page:
A. Direct Selection (Per Asset)
- Locate the asset (e.g., a domain or subdomain).
- Click on the scope label beside it (e.g., In Scope, Out of Scope, Not in Event, Wildcard) and choose the desired status in the dropdown.
B. Bulk Selection (Multiple Assets)
- Use the checkboxes on the right side of each asset to select multiple entries.
- Click on the gear icon at the bottom right and select Manage Events Scope.
- A modal will open showing all available events.
- For each selected event, choose one of the following options:
  - In Scope
  - Out of Scope
  - Not in Event
- Click Apply Changes to confirm.
Setting Asset Importance and Deleting Assets
Within the asset management interface, you can assign a priority level to each asset or remove assets entirely from your list.
For Asset Importance, each asset can be marked with one of three priority levels:
- High Importance - Assets marked as high importance will receive greater attention from the ETHIACK artificial hackers. These are typically assets that are critical to your operations or have higher exposure.
- Medium Importance - Assets of standard relevance, which will be tested with normal priority. This is the default for most digital infrastructure components.
- Low Importance - Non-critical assets that can be deprioritized. The ETHIACK artificial hackers will consider them lower priority, meaning they may be tested later in the process or less frequently.
Assigning the right level of importance helps optimize the testing workflow and ensures high-risk areas receive immediate attention.
Note: You can adjust the importance level using the action menu next to each asset in the list.
Deleting Assets
If an asset is no longer relevant or was added by mistake, you can remove it using the Delete option in the same menu. Once deleted, the asset will be removed from your asset list and will not be considered for any future testing or included in any event scopes.