Which of the following would you typically include in the scope of engagement?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which of the following would you typically include in the scope of engagement?

Explanation:
Defining what is in scope means specifying which assets are authorized for testing; those assets form the boundaries of the engagement. You typically include in-scope assets such as IP address ranges, APIs, and cloud resources because these are the components you have explicit permission to assess, document, and report on. This creates a clear, legally safe target set and helps testers plan appropriate methods, tools, and containment measures. Including these assets keeps the engagement focused on relevant risk areas and prevents it from wandering into unapproved territory.

The other options either describe items that aren't routinely part of a security test unless specifically authorized (such as only physical devices, which would be part of a physical security assessment if at all) or represent information that shouldn't be accessed in a test (such as a marketing plan or employee personal data not related to testing) because of privacy, confidentiality, and consent considerations.

