What is going to be tested? One of the aspects to be defined is the scope of the test.

One often-used test is the network test. In this test the network infrastructure and all the connected systems can be attacked. This does not mean that all systems have to be tested, which is one of the differences between an audit and a penetration test. The network test is the most realistic test in the sense that a hacker will always start by looking for the easiest way in and then expand their influence to other systems. Because of the wide scope of a network test, it is advisable to identify a number of key systems that the test will focus on.

Another frequently occurring test scope is the test of an Internet site. Often the scope includes an attempted firewall break-in and attacks on the system that hosts the Internet site, the web server that is active on this system, and one or more web applications. Sometimes the scope also contains some back-office systems that provide data to the web applications. This test is often combined with a source code review of the web application.