Out of Scope Asset

An out of scope asset is excluded from a security program due to ownership, sensitivity, operational risk, legal restrictions, or business limitations. Researchers should avoid testing such assets even if they appear connected to the organization. Clearly defining out of scope assets helps prevent unauthorized activity, protects third-party systems, reduces disruption risk, and maintains trust between organizations and security researchers.