1) Start with policy & approvals (don’t skip this)
Get written authorization. Scans should be approved by the asset owner, infrastructure/ops lead, and security manager.
Define scope and rules of engagement. List IP ranges, ports, and systems to exclude (critical systems, POS, medical devices)...