PENETRATION TESTING AUTHORIZATION
RULES OF ENGAGEMENT AND AUTHORIZATION AGREEMENT
SECTION 1: PARTIES AND ENGAGEMENT
1.1 Client Information (Authorizing Organization)
| Field | Information |
|---|---|
| Organization Name | |
| Legal Entity Name | |
| Address | |
| Primary Contact | |
| Title | |
| Phone | |
1.2 Testing Provider Information
| Field | Information |
|---|---|
| Company Name | |
| Address | |
| Primary Tester | |
| Title | |
| Phone | |
| Certifications | ☐ OSCP ☐ CREST ☐ GPEN ☐ CEH ☐ Other: _______ |
1.3 Engagement Details
| Field | Information |
|---|---|
| Engagement ID/Reference | |
| Master Agreement Reference | |
| Statement of Work Reference | |
| Engagement Start Date | |
| Engagement End Date | |
| Testing Window | [DATES/TIMES] |
SECTION 2: AUTHORIZATION
2.1 Authorization Statement
[CLIENT ORGANIZATION NAME] ("Client") hereby authorizes [TESTING PROVIDER NAME] ("Tester") to conduct penetration testing activities as described in this document against the systems, networks, and applications specified in Section 3 (Scope).
This authorization is granted in accordance with:
☐ The Master Services Agreement dated [DATE]
☐ The Statement of Work dated [DATE]
☐ This Rules of Engagement document
2.2 Scope of Authorization
The Tester is authorized to:
☐ Attempt to identify security vulnerabilities in the systems defined in Section 3
☐ Exploit identified vulnerabilities to the extent permitted in Section 4
☐ Document findings and provide recommendations
☐ Retain evidence necessary for the final report (subject to data handling requirements)
2.3 Authorizing Authority
The undersigned has the authority to authorize penetration testing activities against the systems and networks described in this document.
Authorized Representative:
Name: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
SECTION 3: SCOPE DEFINITION
3.1 Testing Type
☐ External Penetration Test - Testing from an external network perspective
☐ Internal Penetration Test - Testing from an internal network perspective
☐ Web Application Penetration Test - Testing of web applications
☐ Mobile Application Penetration Test - Testing of mobile applications
☐ Wireless Penetration Test - Testing of wireless networks
☐ Social Engineering - Phishing, vishing, and physical access attempts
☐ Red Team Engagement - Full-scope adversary simulation
☐ Other: _______________________________
3.2 Testing Methodology
☐ Black Box - No prior knowledge provided to testers
☐ Gray Box - Limited information provided (credentials, documentation)
☐ White Box - Full information access (source code, architecture diagrams)
3.3 In-Scope Systems and Networks
3.3.1 Networks
| Network/Subnet | Description | Location | Special Considerations |
|---|---|---|---|
3.3.2 IP Addresses/Ranges
| IP Address/Range | Description | Owner | Production/Test |
|---|---|---|---|
| | | | ☐ Prod ☐ Test |
| | | | ☐ Prod ☐ Test |
| | | | ☐ Prod ☐ Test |
| | | | ☐ Prod ☐ Test |
| | | | ☐ Prod ☐ Test |
3.3.3 Domains/URLs
| Domain/URL | Description | Application Type | Special Considerations |
|---|---|---|---|
3.3.4 Applications
| Application Name | Version | Environment | Platform |
|---|---|---|---|
| | | ☐ Prod ☐ Test ☐ Dev | |
| | | ☐ Prod ☐ Test ☐ Dev | |
| | | ☐ Prod ☐ Test ☐ Dev | |
3.3.5 Cloud Environments (if applicable)
| Cloud Provider | Account/Tenant | Region | Resources In-Scope |
|---|---|---|---|
| ☐ AWS ☐ Azure ☐ GCP | | | |
3.4 Explicitly Out-of-Scope
The following systems, networks, and activities are NOT authorized for testing:
3.4.1 Out-of-Scope Systems
| System/Network | Reason |
|---|---|
3.4.2 Third-Party Systems
☐ Third-party hosted systems are out of scope unless separate authorization is obtained
☐ Cloud provider infrastructure (underlying AWS/Azure/GCP systems) is out of scope
☐ Shared hosting environments affecting other tenants are out of scope
3.4.3 Out-of-Scope Activities
☐ Denial of Service (DoS/DDoS) attacks
☐ Physical security testing (unless specifically authorized below)
☐ Social engineering against individuals (unless specifically authorized below)
☐ Testing outside defined IP ranges/systems
☐ Testing outside defined time windows
☐ Actions that could cause data loss or corruption
☐ Other: _______________________________
SECTION 4: RULES OF ENGAGEMENT
4.1 Testing Windows
4.1.1 Authorized Testing Hours
| Day(s) | Start Time | End Time | Timezone |
|---|---|---|---|
☐ Testing outside these windows requires prior written approval
☐ 24/7 testing is authorized
4.2 Testing Restrictions
4.2.1 Prohibited Activities
The following activities are NOT authorized under any circumstances:
☐ Denial of Service attacks against production systems
☐ Data destruction or modification of production data
☐ Installation of persistent backdoors
☐ Exfiltration of actual customer/employee personal data
☐ Testing of third-party systems without separate authorization
☐ Physical damage to systems or facilities
☐ Activities that violate applicable laws
☐ Accessing or modifying systems outside defined scope
☐ Distribution of malware to end users
☐ Other: _______________________________
4.2.2 Conditional Activities (Require Approval)
The following activities require explicit approval during the engagement:
| Activity | Authorized | Conditions |
|---|---|---|
| Password cracking | ☐ Yes ☐ No | |
| Brute force attacks | ☐ Yes ☐ No | Rate limits: _______ |
| Exploitation of critical systems | ☐ Yes ☐ No | Notification required: ☐ |
| Privilege escalation | ☐ Yes ☐ No | |
| Lateral movement | ☐ Yes ☐ No | |
| Data exfiltration (simulated) | ☐ Yes ☐ No | Dummy data only: ☐ |
| Physical access testing | ☐ Yes ☐ No | |
| Phishing campaigns | ☐ Yes ☐ No | |
| Vishing (phone) campaigns | ☐ Yes ☐ No | |
4.3 Social Engineering Authorization (if applicable)
☐ Social engineering testing is NOT authorized
☐ Social engineering testing is authorized with the following parameters:
Phishing:
☐ Authorized targets: ☐ All employees ☐ Specific groups: _______
☐ Maximum emails: _______
☐ Pre-approved scenarios: ☐ Yes ☐ No
☐ Credential harvesting: ☐ Yes ☐ No
☐ Payload delivery: ☐ Yes ☐ No
Vishing (Phone):
☐ Authorized
☐ Maximum calls: _______
☐ Pre-approved scripts: ☐ Yes ☐ No
Physical:
☐ Tailgating authorized
☐ Facility access testing authorized
☐ Badge cloning authorized
☐ Lock bypass authorized
4.4 Data Handling Requirements
4.4.1 Sensitive Data
☐ Testers shall NOT access, store, or exfiltrate actual sensitive data (PII, PHI, payment card data, etc.)
☐ If sensitive data is encountered, testers shall document the finding without capturing actual data
☐ Screenshots containing sensitive data shall be redacted
4.4.2 Evidence Retention
☐ Evidence shall be encrypted at rest using AES-256 or equivalent
☐ Evidence shall be transmitted only via encrypted channels
☐ Evidence shall be destroyed within [30] days of engagement completion
☐ Client may request immediate destruction of evidence upon engagement completion
4.4.3 Confidentiality
☐ All findings are confidential and shall not be disclosed to third parties
☐ Engagement details shall not be used for marketing without Client approval
SECTION 5: COMMUNICATIONS
5.1 Primary Contacts
Client Contacts
| Role | Name | Phone | Availability |
|---|---|---|---|
| Primary Technical Contact | | | |
| Secondary Technical Contact | | | |
| Executive Sponsor | | | |
| Security Team Lead | | | |
Tester Contacts
| Role | Name | Phone | Availability |
|---|---|---|---|
| Lead Tester | | | |
| Engagement Manager | | | |
| Escalation Contact | | | |
5.2 Communication Protocols
5.2.1 Regular Updates
☐ Daily status updates via email
☐ Weekly status calls
☐ Real-time updates via [Slack/Teams/Other]: _______
☐ Other: _______________________________
5.2.2 Critical Finding Notification
Critical findings shall be reported immediately via:
☐ Phone to Primary Technical Contact
☐ Encrypted email to [EMAIL]
☐ Other: _______________________________
Critical Finding Definition:
☐ Remote code execution vulnerabilities
☐ Active compromise indicators
☐ Data breach potential
☐ System instability
☐ Other: _______________________________
5.3 Escalation Procedures
If Testing Causes System Issues:
- Immediately stop testing activity
- Contact Primary Technical Contact: [PHONE]
- If unavailable, contact Secondary Contact: [PHONE]
- Document the activity and impact
- Await authorization to resume
Emergency Stop Procedure:
The following phrase shall immediately halt all testing activities:
Emergency Stop Code Word: _______________________________
SECTION 6: TECHNICAL DETAILS
6.1 Tester Source IPs
All testing shall originate from the following IP addresses:
| IP Address | Tester Name | Location |
|---|---|---|
☐ These IPs may be whitelisted for testing purposes
☐ These IPs shall NOT be whitelisted (black box test)
6.2 Credentials Provided (Gray/White Box)
| System | Username | Access Level | Purpose |
|---|---|---|---|
☐ Credentials to be provided via secure channel: _______________________________
6.3 VPN/Remote Access (Internal Testing)
| Access Method | Connection Details |
|---|---|
| VPN | |
| Jump Host | |
| Other | |
6.4 Testing Tools
The following tools are authorized for use:
☐ Nmap/network scanners
☐ Vulnerability scanners (Nessus, Qualys, etc.)
☐ Web application scanners (Burp Suite, OWASP ZAP, etc.)
☐ Exploitation frameworks (Metasploit, etc.)
☐ Password cracking tools
☐ Social engineering tools
☐ Custom tools (to be disclosed): _______________________________
☐ All tools subject to Client approval
SECTION 7: DELIVERABLES
7.1 Report Requirements
☐ Executive Summary
☐ Methodology description
☐ Detailed findings with evidence
☐ Risk ratings (CVSS or custom)
☐ Remediation recommendations
☐ Prioritized remediation roadmap
☐ Technical appendices
7.2 Report Delivery
| Deliverable | Format | Due Date |
|---|---|---|
| Draft Report | [PDF/Word] | |
| Final Report | [PDF/Word] | |
| Presentation | [PPT] | |
| Retest (if applicable) | [Report] | |
7.3 Report Classification
Report classification: ☐ Confidential ☐ Restricted ☐ Other: _______
Distribution limited to: _______________________________
SECTION 8: LEGAL AND LIABILITY
8.1 Liability Limitations
☐ Tester liability is limited as defined in the Master Services Agreement
☐ Client acknowledges inherent risks of penetration testing
☐ Client maintains appropriate backups and recovery capabilities
8.2 Indemnification
[Reference Master Services Agreement or include specific terms]
8.3 Insurance Requirements
☐ Tester maintains professional liability insurance: $_______
☐ Tester maintains cyber liability insurance: $_______
☐ Certificate of Insurance provided: ☐ Yes ☐ No
8.4 Legal Compliance
☐ Tester shall comply with all applicable laws
☐ Tester shall not engage in activities that could violate the Computer Fraud and Abuse Act (CFAA) or equivalent laws
☐ This authorization is intended to provide legal protection for authorized testing activities
SECTION 9: SIGNATURES AND AUTHORIZATION
9.1 Client Authorization
I am authorized to grant permission for penetration testing of the systems described in this document. I confirm that the systems are owned by or under the control of [CLIENT ORGANIZATION NAME] and that no third-party authorization is required for testing unless otherwise noted.
Authorized Representative:
Printed Name: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
Secondary Authorization (if required):
Printed Name: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
9.2 Tester Acknowledgment
[TESTING PROVIDER NAME] acknowledges receipt of this authorization and agrees to conduct testing in accordance with the rules of engagement defined herein.
Tester Representative:
Printed Name: _______________________________
Title: _______________________________
Signature: _______________________________
Date: _______________________________
SECTION 10: APPENDICES
Appendix A: Detailed Network Diagrams
[Attach or reference network diagrams]
Appendix B: Asset Inventory
[Attach detailed asset list if applicable]
Appendix C: Cloud Provider Authorization Requirements
AWS:
☐ AWS Penetration Testing Policy acknowledged
☐ No pre-authorization required for most services
Azure:
☐ Microsoft Penetration Testing Rules of Engagement acknowledged
☐ No pre-authorization required
GCP:
☐ Google Cloud Platform AUP acknowledged
☐ No pre-authorization required
Appendix D: Change Log
| Date | Change Description | Authorized By |
|---|---|---|
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
This document authorizes penetration testing activities and should be treated as confidential. Retain this document for the duration of the engagement plus [3] years.