A penetration tester is planning a test that involves scanning for vulnerabilities across a large IP range. The client has provided a list of IPs that are in-scope, but the tester notices that some IPs belong to a third-party company hosting a client application. What should the tester do?
The tester should exclude them and ask the client to obtain permission.
Why this answer
The tester must ensure that all in-scope IPs are authorized. If an IP belongs to a third party, the tester needs written permission from that provider before testing.