Which type of test must be explicitly stated prior to starting?

Tests that could affect service availability require explicit authorization before you begin. A Denial of Service Check is designed to overwhelm or exhaust resources, which can cause outages or degraded performance across systems and even affect other users. Because of this potential for disruption, it must be clearly stated and approved in the engagement’s rules of engagement before any testing starts. Non-disruptive activities like vulnerability scanning and port sweeps are typically covered by the overall engagement scope and don't inherently aim to disrupt services, so they usually don’t require a separate, explicit permission in the same way a DoS test does. Penetration test verification is about confirming findings and validating controls, and while it should be scoped, it isn’t inherently aimed at causing outages.