During scoping, decisions on potentially dangerous tests should be documented in the scoping document. Which phrasing best describes this requirement?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

During scoping, decisions on potentially dangerous tests should be documented in the scoping document. Which phrasing best describes this requirement?

Explanation:
The idea being tested is documenting risk-heavy decisions in the scoping process. The best phrasing is to include any potentially dangerous exploits in the scoping document so those actions are clearly identified, reviewed, and authorized before you proceed. This ensures that stakeholders understand what could cause disruption or harm, and it creates a formal approval path, limits liability, and establishes clear boundaries for testing. If you skip documenting these tests, you lose the needed risk management and accountability that scoping is meant to provide. Waiting to document only after the tests are done misses the opportunity for pre-approval and mitigation, and proceeding with all tests regardless ignores safety and consent requirements. By explicitly noting dangerous exploits in the scoping document, you align testing with authorization, risk tolerance, and remediation planning, making the engagement safer and more responsible.

