Carefully consider all interactions with third-party servers and searches to ensure you do not divulge sensitive information about the target or violate a non-disclosure arrangement by using them. You may want to consider using the TOR network to obscure your relationship with the target organization.
Look for common office documents posted on target websites by using Google searches for: site:<TargetDomain> ext:doc | ext:docx | ext:xls | ext:xlsx | ext:pdf
Remember to check social networking sites (especially LinkedIn, Facebook, and Twitter) to learn about target personnel and the technologies they use.
Use the Shodan search engine’s “net:” directive to look for unusual or interesting devices in the target network address ranges. Also, use unique footer information (such as a common copyright notice on target web pages) to find additional pages via Shodan using the “html:” directive.
Double-check that all IP addresses included in the scope belong to the target organization and aren’t a mistake. Use whois lookups and traceroute to check that the addresses make sense and actually belong to the target organization.
In LinkedIn, look for long-term IT and InfoSec employees to see which technologies they are familiar with, including firewalls, development environments, and more.
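The scope double-check described above (confirming every in-scope address really belongs to the target organization) can be partly automated once the whois results are written down. The following is an added example, not part of the original tips: the netblocks and scope entries are constructed sample data from the RFC 5737 documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: netblocks that whois lookups showed as registered
# to the target organization (assumed to be collected by hand beforehand).
REGISTERED_NETBLOCKS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample scope list as a client might send it: a CIDR, a dash
# range, a single host, and a typo.
SCOPE_ENTRIES = ["192.0.2.0/25", "198.51.100.64-198.51.100.200",
                 "203.0.113.10", "192.0.2.300"]


def parse_entry(entry):
    """Return the list of networks that exactly cover one scope entry."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def check_scope(entries, registered):
    """Map each entry to ('ok' | 'outside' | 'invalid', [stray networks])."""
    owned = [ipaddress.ip_network(n) for n in registered]
    report = {}
    for entry in entries:
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError):
            # Malformed address, reversed range, or mixed IPv4/IPv6 range.
            report[entry] = ("invalid", [])
            continue
        # A block is stray unless it sits wholly inside a registered netblock.
        stray = [str(n) for n in nets
                 if not any(n.version == o.version and n.subnet_of(o)
                            for o in owned)]
        report[entry] = ("outside", stray) if stray else ("ok", [])
    return report


if __name__ == "__main__":
    for entry, (status, stray) in check_scope(SCOPE_ENTRIES,
                                              REGISTERED_NETBLOCKS).items():
        print(f"{status:8} {entry} {' '.join(stray)}")
```

Anything reported as outside or invalid goes back to the client for written confirmation before testing starts.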