D9 · PenTest+

What is pen test scoping?

Pen test scoping defines exactly what systems are in scope, what attacks are permitted, timing restrictions, and rules of engagement — protecting both tester and client legally.
Always get a written Statement of Work (SoW) and Rules of Engagement (RoE) before starting. "I had permission" without documentation is not a legal defense. If scope creep occurs, stop immediately and get the authorization updated.