The tester needs to set up multiple meetings with the customer to understand their requirements. The outcome should include but not be limited to the following:

• Security compliance that the customer wants to comply with
• Requirements and code of conduct (if any) stated in respective security compliance 
• List of network segments in scope
• List of network security devices in scoped network segments
• List of assets to scan (along with IP ranges)
• List of assets exposed to a public network (along with IP ranges)
• List of assets that have network-wide access (along with IP ranges)

• List of business-critical assets (along with IP ranges)
• List of acceptable vulnerability assessment tools in the customer environment
• Availability of licenses for tools suggested by customer or accomplice
• List of tools that are strictly prohibited in the customer environment
• Recent vulnerability assessment reports if available