Penetration testing scope
Testing has limits
This is where any lack of secure coding knowledge starts to get found out and this is where a penetration tester starts to earn their keep.
Based on your knowledge of the clients, adding some buffer can help to stay on schedule.
If they have a JBoss server in scope, know the most common issues with this server and what you will check, as they may ask you.
You will waste time waiting for the answer.
To get started, you can keep a list of all the pentests you did with:
Total coverage is a myth
How long are they willing to spend doing it?
What do nearly all these frameworks not handle out of the box?
The issues got addressed and some changes were made to the peer review process to prevent a reoccurrence, all good.
Losing an hour every day will slow down your testing.
What is their motivation?