Common legal documents

Sales

Mostly for business

Before you test

Rules of Engagement (ROE) cover what you can do and what you cannot do. DDoS and social engineering are often prohibited, or depend on the type of test. Never start before this is signed, since it protects you.

Findings Report

https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

TCMS-Demo-Corp-Security-Assessment-Findings-Report.pdf

A few warning clauses: confidentiality, disclaimer, contact info, overview, etc.

In the report, define everything: severity notation, definitions, process, scope (and exclusions), etc.

Divide it into an executive summary and an attack summary. The executive summary covers the report in plain, simple language so that anybody can understand it.

Pointing out strengths and weaknesses can be interesting.

A chart to quickly give an overview of the results.

Proofs of concept of the attacks, with censored results to keep confidentiality, and the remediation process.

Provide the full results in separate documents: detail the critical vulnerabilities in the report, and give the detailed info on the others in separate files.