Understanding the limitations and boundaries of the test environment goes hand in hand with the client requirements, which can be justified as intentional or unintentional interests. These can be in the form of technology, knowledge, or any other formal restrictions imposed by the client on the infrastructure. Each limitation imposed may cause a serious interruption to the testing process and can be resolved using alternative methods. However, note that certain restrictions cannot be modified, as they are administered by the client to control the process of penetration testing. We will discuss each of these generic types of limitations with their relevant examples as follows:

• Technology limitations: This type of limitation occurs when the scope of a project is properly defined, but the presence of a new technology in the network infrastructure prevents the auditor from testing it. This happens only when the auditor does not have any penetration testing tool that can assist in the assessment of this new technology. For instance, imagine that a company has introduced a robust GZ network firewall device that sits at the perimeter and works to protect the entire internal network. However, its implementation of proprietary methods inside the firewall prevents any firewall assessment tool from working. Thus, there is always a need for an up-to-date solution that can handle the assessment of such a new technology.
• Knowledge limitations: The knowledge limitations of a penetration tester can have a negative impact if their skill level is limited and they are not capable of testing certain technologies. For example, a dedicated database penetration tester would not be able to assess the physical security of a network infrastructure. Hence, it is good to divide the roles and responsibilities according to the skills and knowledge of the penetration tester in question, so as to achieve the required goal.
• Other infrastructure restrictions: Certain test restrictions can be applied by the client to control the assessment process. This can be done by limiting the view of an IT infrastructure to include only specific network devices and technologies that need assessment. Generally, this kind of restriction is introduced during the requirement gathering phase; for instance, testing all the devices behind a given network segment, except the first router. Such a restriction imposed by the client does not ensure the security of a router in the first place, which can lead to a compromise across the whole network, even if all the other network devices are hardened and security-assured. Thus, proper thinking is always required before putting any such restrictions on penetration testing.

Profiling all of these limitations and restrictions is important and can be carried out while gathering the client requirements. A good penetration tester's duty is to dissect each requirement and hold a discussion with the client to pull or change any ambiguous restrictions that may cause an interruption to the testing process or result in a security breach in the near future. These limitations can also be overcome by introducing highly skilled penetration testers and an advanced set of tools and techniques for the assessment, although, by nature, certain technology limitations cannot be eliminated, and you may require extra time to develop their testing solutions.