1. Conduct an initial consultation to gather information on goals and objectives (e.g., testing incident response, identifying vulnerabilities, simulating specific threat actors).
2. Define the scope by specifying in-scope and out-of-scope systems, networks, and facilities.
3. Assess the client’s risk appetite to determine acceptable levels of impact and disruption.
4. Prepare documentation, including contracts, NDAs, and Rules of Engagement (ROE), and finalize agreements.
5. Identify primary points of contact for communication during the engagement.