Project Scoping
A well-defined scope is critical for project success. FlexDuty uses an AI-assisted scoping process to help you articulate your needs clearly.
The Scoping Process
1. Start Scoping Chat: Initiate a conversation with our AI scoping assistant
2. Answer Questions: Provide details about your security needs
3. AI Generates Scope: Our system creates a structured project scope
4. Review & Edit: Refine the scope to match your exact needs
5. Submit for Review: Platform ops reviews and approves your project
Starting a New Project
- Log in to your dashboard
- Click “New Project” or “Post a Project”
- The scoping chat will begin
Scope Sections
A complete scope includes:
Project Overview
| Field | Description | Tips |
|---|---|---|
| Title | Brief project name | Be specific: “Web App Pentest” not “Security Test” |
| Summary | 1-2 paragraph overview | Describe the goal and context |
| Project Type | Category of work | Select the best fit |
Technical Details
Target Systems
- What systems will be tested/assessed?
- URLs, IP ranges, applications
- Cloud environments (AWS, Azure, GCP)
- Number of targets
Technology Stack
- Programming languages used
- Frameworks (React, .NET, etc.)
- Database systems
- Cloud services
- Third-party integrations
Testing Requirements
- Black box, gray box, or white box
- Authenticated or unauthenticated
- Specific areas of focus
- Excluded areas
Compliance & Standards
If your project involves compliance:
- SOC 2 Type I or II
- ISO 27001
- PCI-DSS
- HIPAA
- GDPR
- Industry-specific regulations
Timeline & Budget
| Field | Guidance |
|---|---|
| Start Date | When should work begin? |
| Duration | Expected length (weeks/months) |
| Deadline | Hard deadline if any |
| Budget Range | Your expected investment |
| Hourly vs Fixed | Preference for pricing model |
Deliverables
Define what you expect to receive:
- Executive summary
- Technical report
- Vulnerability details
- Remediation guidance
- Compliance evidence
- Presentation to stakeholders
Positions Available
New: Specify how many experts you need:
- Single expert for focused projects
- Multiple experts for large engagements
- Team composition preferences
Tips for Better Scopes
Be Specific
Good:
“Web application penetration test for our customer-facing SaaS platform. The application has 50+ API endpoints, user authentication with SSO, and handles payment processing. We need OWASP Top 10 coverage and a report suitable for SOC 2 evidence.”
Include Context
Why are you doing this project?
What triggered the need?
Who will use the deliverables?
Are there compliance requirements?
Define Boundaries
Clearly state:
- What’s IN scope
- What’s OUT of scope
- Testing windows
- Rate limiting or restrictions
- Production vs. staging
Set Realistic Expectations
| Project Type | Typical Duration | Budget Range |
|---|---|---|
| Web App Pentest (Small) | 1-2 weeks | 15,000 |
| Web App Pentest (Large) | 2-4 weeks | 40,000 |
| Network Assessment | 1-3 weeks | 30,000 |
| Compliance Gap Analysis | 2-4 weeks | 35,000 |
| Security Architecture Review | 1-2 weeks | 20,000 |
Scope Review Process
After you submit:
- Initial Review (1-2 business days)
  - Platform ops reviews for completeness
  - Checks for clarity and feasibility
- Clarifications (if needed)
  - You may be asked for more details
  - Quick turnaround expected
- Approval
  - Scope is approved and published
  - Experts can begin applying
Downloading Your Scope
Once finalized, you can download your scope:
- PDF format: For sharing with stakeholders
- DOCX format: For internal editing
Modifying Scope
Before Expert Selection
You can freely edit the scope:
- Go to your project
- Click “Edit Scope”
- Make changes
- Re-submit for review
After Work Begins
Scope changes require:
- Discussion with expert and platform ops
- Agreement on timeline/budget impact
- Formal scope change documentation
Common Mistakes
Scope too broad
“Test everything” leads to shallow coverage. Focus on priorities.
Missing technical details
Experts need specifics to provide accurate estimates.
Unrealistic timeline
Quality work takes time. Allow adequate duration.
Undefined deliverables
Be explicit about what reports/artifacts you need.
