During a pentest, the database containing customer information is described as what in terms of testing focus?

In penetration testing, you prioritize effort based on asset value and risk. A database that stores customer information is a high-value asset because it contains sensitive data and represents a major risk if breached. So it should be described as a high-priority focus within the testing scope, guiding you to rigorously test controls around access and authentication, data protection at rest and in transit, database configurations, patching, incident monitoring, and the potential for data exfiltration or tampering. Treating it as routine or incidental would underemphasize the risk and likely miss critical weaknesses, and labeling it external or outside the scope wouldn’t reflect the need to protect that data within the testing effort.