Checklists

Pentest Scoping Checklist

Before requesting quotes, security teams should inventory API endpoints, GraphQL operations, authentication methods, user roles, integrations, and infrastructure dependencies that affect testing effort. This checklist helps SaaS teams arrive at a scoping call with the information needed to estimate pentest scope, timelines, and cost more accurately.

Download document

Key Takeaways

API endpoints and GraphQL operations are the most reliable units for estimating pentest scope.
REST API counts should be based on OpenAPI specifications, route dumps, traffic captures, or feature estimates when necessary.
Authentication methods such as SSO, MFA, API keys, and magic links increase testing effort because each requires separate validation.
User roles and permission levels significantly affect authorization testing requirements.
Third-party integrations, cloud infrastructure, and internal services can expand the attack surface beyond the application itself.
Unauthenticated endpoints should be identified separately because they are often high-priority attack surfaces.
Bringing an endpoint and operation count to a scoping call helps vendors produce faster and more accurate pentest estimates.

1 REST API Endpoints

Count your REST API endpoints

Use the most accurate source available:

•OpenAPI / Swagger specification

•Route dump (rails routes, artisan route:list, manage.py show_urls)

•Proxy capture of application traffic

•Fallback: estimate features × 5

Path + HTTP method = 1 endpoint

GET /users and POST /users are two endpoints, not one.

2 GraphQL Operations

Count your GraphQL operations

Introspection query or schema file. Count every field under Query and every field under Mutation.

Report as: X queries + Y mutations = Z total

One GraphQL URL ≠ one endpoint. Operation count is what drives scope.

3 Effort Multipliers — document these before your call

List every authentication method

Password, SSO (Okta, Auth0), magic links, API keys, MFA — each has a distinct vulnerability profile requiring separate testing.

Count distinct user roles / permission levels

Admin, standard, read-only, unauthenticated. Authorization must be verified per role on every sensitive endpoint.

List all third-party integrations

Payment, CRM, analytics, communication tools — e.g. Stripe, Salesforce, HubSpot, Twilio.

List internal and cloud infrastructure dependencies

Internal microservices, S3 buckets, and cloud storage — each is a data boundary that may be internal or external.

Flag unauthenticated endpoints separately

Highest-priority attack surface. Testers focus here first.

4 Before the Scoping Call

Add REST endpoints + GraphQL operations for your base attack surface count

This single number is the most important thing you bring to the scoping call.

Note which counting method you used and flag any uncertainties

e.g. 'OpenAPI spec — may have dead routes' or 'Feature estimate × 5 — rough estimate, not verified against code.'

Scoping Method Reference

Method	Accuracy	Risk
Domains / Subdomains	Low	Misses API logic entirely
Features / User Stories	Medium	Inconsistent estimates
Pages / Screens	Low	Undercounts SPA backends
Endpoints / Operations ✓	High	Most reliable — recommended