In-scope IP addresses, domains, URLs, and applications (explicit listing) - Out-of-scope items (with reasons) - Any systems that require special handling (fragile systems, production databases)