Pre-engagement
In the pre-engagement process, it is necessary to stipulate the parameters, commitments, tasks, scope, limitations, and related agreements, all documented in writing.
Some of the usual documents used for this purpose, which are defined in the pre-engagement meeting and the kick-off meeting, are the following:
NDA (Non-Disclosure Agreement): Specifies the boundaries of confidentiality and the permissions for sharing the information received with third parties. It can be unilateral, bilateral, or multilateral.
Scoping Questionnaire: Defines the services we are going to provide to the client. In it, we ask specifically for details about the procedures and written results of the testing.
Scoping Document: Summarizes the information from the Scoping Questionnaire.
SoW: Scope of Work or Penetration Testing Proposal, usually the contract that specifies the actions and scope of the assessment.
RoE: Rules of Engagement, a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections:
Permissions: Gives explicit and legal permission for the engagement to be carried out.
Test Scope: Annotates the specific targets of a network to which the engagement should apply.
Rules: Defines exactly the techniques that are permitted during the engagement.
Contractors Agreement: Used in physical and social engineering testing to justify our actions.
Reports: Summarize all the information after the penetration testing is complete.