Try expanding the scope when discussing the Statement of Work (SoW) with clients. Real threat actors (TAs) don't have a specific scope, nor do they limit their attacks to work hours. They are not kind and gracious.
- No. of unique APIs
- No. of methods
- Authentication and authorization mechanisms
- Roles and privileges
- WAF enabled?