Most security tests are scoped to pass. Not to prove anything. Not to expose weakness. Not to move the program forward.
That is the problem.
Security leaders ask for pen tests and red teams, but what they often buy is a checklist. They get a scoped, sanitized simulation designed to avoid risk rather than reveal it. They call it testing, but nothing gets tested. They get a PDF that tells them what they already know, and nothing changes.
Lares was built to fix that. We do not play by artificial rules. We test the way real attackers operate and helped create the Penetration Testing Execution Standard (PTES) to bring structure to what it should look like when done right.
You do not get better by staying safe. You get better by stepping into pressure.
Scoping Is Where the Work Starts
Scoping defines everything. It tells us what is fair game, what outcomes matter, and how hard we are allowed to push. And in most cases, it tells us if the test is serious.
When someone says, "We want to test our security," what they really mean is, "We want to feel more confident." Those are not the same thing.
Confidence is earned. It does not come from excluding production systems, blocking social engineering, or limiting access to off-hours. That kind of scoping is designed to protect the test, not the business.
If your test does not look like a real attack, it is not going to help you survive one.
PTES Was Built for This
Lares helped create PTES because the industry needed a real standard. One that defined what meaningful testing looks like, from start to finish. Not just a list of tactics or tools, but a methodology that connects engagement goals to adversary behavior.
PTES makes it clear: testing is not about vulnerabilities. It is about actions. The attacker has a goal. The test should too.
Scoping under PTES is not about drawing borders. It is about defining how far the adversary can go and what tactics they will use to get there. It creates a shared language between the tester and the client, setting expectations for discovery, movement, and impact.
Without this structure, most "tests" are nothing more than automated scans with some light scripting. You can dress it up with a logo, but it is still a vulnerability assessment. PTES separates real offensive testing from marketing fluff.
Open Scope Is the Only Honest Approach
Attackers do not follow rules. They do not respect business hours. They do not stop because your policy says something is off-limits. And they are not going to warn you before they pivot.
Testing needs to reflect that. If your red team cannot phish employees, exploit a dev box, or move laterally from the finance network, what exactly are you testing?
Open scope is not reckless. It is realistic. You define your risk tolerance, your guardrails, and your objectives. But you do not handcuff the test. You let it play out.
That is how you learn what would happen if someone really came after you.
Safe Tests Waste Time
You can spot a safe test instantly:
- Only external targets
- No social engineering
- No endpoint exploitation
- No lateral movement
- No access to telemetry or real logs
- Restricted hours
- No persistence
- No real payloads
These tests will give you findings. They might even have CVSS scores, but they will not tell you anything meaningful about your security program. They will not show you how fast your team detects, how well your tooling holds up, or how exposed your sensitive data really is.
They create a false sense of progress. They are expensive box-checking exercises.
Scope Should Push You
A good test introduces friction. It uncovers uncomfortable truths. It shows you where your assumptions break down.
If your detection rules never trigger, you learn something. If your SOC misses lateral movement, you learn something. If your MFA gets bypassed because someone clicked the wrong link, that is not failure. That is feedback.
This is where “riding along with the attackers” matters. You do not need to wait for a final report to start learning. Sit in on the test. Watch it unfold. Ask questions. Observe how your team responds in real time. See where the alerts fire, where they don’t, and how fast decisions happen. The ride-along turns testing into an interactive, educational experience. It builds muscle memory.
Scoping should aim for that kind of feedback. It should push your team. It should challenge your stack. It should reveal your blind spots and give you a clear path to fixing them.
Anything less is a waste of time and money.
Your Scope Defines Your Ceiling
Your scope tells us how far we can go. It also tells us how far you are willing to grow.
If you want to improve, you need to scope with intent. Define objectives that matter. Allow room for creativity, discovery, and risk. Let your test mirror the reality of what you are trying to prepare for.
At Lares, we do not scope for convenience. We scope for impact. We do not sell you safety. We show you how your program holds up under pressure. And then we help you make it stronger.
If you are ready for that, we are too.
Let’s pressure test your security program.
Empowering Organizations to Maximize Their Security Potential.
Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008.
16+ years in business, 600+ customers worldwide, 4,500+ engagements.