Before doing a vulnerability test, a security employee must ensure that ________.

Prepare for the Network Security (NETSEC) 2 Exam. Utilize flashcards and multiple choice questions, complete with hints and detailed explanations. Excel in your security skills!

Multiple Choice

Before doing a vulnerability test, a security employee must ensure that ________.

Explanation:
Formal authorization with a defined scope is essential before performing vulnerability testing. A written contract or agreement outlines exactly which systems can be tested, what methods are allowed, when the testing can occur, how results will be handled, and who must be notified. This protects both the tester and the organization by establishing legal permission, preventing scope creep, and clarifying data handling and remediation responsibilities. Relying on a job description isn’t enough because it may not grant permission for a specific engagement, and assuming no damage will occur ignores real risks since testing can impact availability or integrity. Conducting a test as a surprise without proper approvals undermines governance and can be illegal or unethical.

