Exactly which systems, networks, and applications are in scope
- **Timing** — When testing may occur (business hours, after hours, maintenance windows)
- **Techniques** — Which exploitation techniques are permitted (e.g., denial of service may be prohibited)
- **Data handling** — How sensitive data