In scope

• Authorized testing
• Passive observation
• Log analysis
• Behavioral failure modes

Out of scope

• Exploit weaponization
• Active scanning without authorization
• Denial-of-service testing
• Data exfiltration