Blame The Penetration Tester


I Swear it Wasn't Me

Penetration testing, a vital component of cybersecurity, helps organizations identify vulnerabilities and strengthen their security posture. However, occasionally, issues arise during assessments, leading to misunderstandings and blame directed towards the penetration testers. This blog post explores the challenges faced by penetration testers when blamed for incidents and proposes a preventive approach: setting firewall rules on the penetration tester’s side to deny access to out-of-scope resources. By implementing this approach, both clients and testers can foster accountability and promote a more effective and secure testing process.

Understanding the Challenges

Lack of Clarity: Sometimes, organizations fail to clearly define the scope and boundaries of a penetration test, leading to ambiguous expectations and potential misunderstandings when incidents occur.

Unintended Consequences: Exploiting vulnerabilities during assessments may inadvertently cause disruptions or unexpected consequences in live systems, resulting in blame being placed on the testers.

Perception of Recklessness: Clients may perceive penetration testers as reckless or malicious when something goes wrong, potentially damaging the trust between the two parties.

The Role of Firewall Rules

To mitigate blame and improve accountability during penetration testing assessments, implementing firewall rules on the tester’s side is a practical and effective approach. Here’s how it can help:

Segregation of Network Access: By setting up firewall rules, testers can explicitly deny access to out-of-scope resources, effectively isolating their activities from critical systems and sensitive data.

Clear Demonstration of Intent: Firewall rules serve as tangible evidence of the tester’s commitment to adhere to the agreed-upon scope. They demonstrate a proactive approach to avoid unintended consequences and potential disruptions.

Preventing Accidental Escalation: Firewall rules act as a safeguard, preventing accidental access or unintended actions that could escalate into larger issues or disruptions.

Implementing Firewall Rules

Pre-Assessment Planning: Before initiating a penetration test, establish clear communication with the client to define the scope and boundaries of the assessment. Discuss and document the resources that are out of scope and should be protected.

Rule Configuration: Configure firewall rules on the penetration tester’s side to explicitly deny access to out-of-scope resources. This may involve IP address-based filtering, port-based restrictions, or other relevant network filtering techniques.

Regular Review and Updates: Continuously review and update the firewall rules as the assessment progresses, ensuring that any changes in scope or new findings are appropriately reflected in the rule configuration.

Documentation and Reporting: Document the firewall rules implemented during the assessment, including the rationale behind them, and provide this information in the final assessment report. This documentation helps clarify the tester’s intentions and contributes to a more transparent process.


Blaming penetration testers for incidents that occur during assessments can hinder effective security testing and strain relationships with clients. By implementing firewall rules to deny access to out-of-scope resources, testers can proactively prevent unintended consequences and demonstrate accountability. This approach fosters trust, enhances communication, and ensures a more productive and secure penetration testing process for all parties involved.

Please note that while the proposed approach can help mitigate blame, it is essential to tailor it to specific assessment scenarios and adhere to the guidelines and requirements set by both the client and industry best practices.

Your Home Page for Information Security News

About Joe Sullivan 35 Articles
Joe Sullivan has worked in information security for over two decades. He holds numerous certifications and has worked in various roles during that time. Joe is a SANS instructor and senior security consultant for TrustedSec. Joe regularly contributes to SecFlux and shares some of his experiences, knowledge, and insight into current cyber events.