Mutual Non-Disclosure Agreement (NDA)

I'm not going to take anything that I've learned and disclose it to anyone else. We sign this agreement before even meeting to the client. Then we discuss things like what IP address needs to be tested, what are the ranges, how many of them are there, what's your goal. When we talk about this we are put two items:

• Master Service Agreement (MSA): A contractual document and it basically specifies the performance objective and kind of outline the responsibility of both of the parties.
• Statement of Work (SOW): MSA is like a blanked agreement that cover multiple contracts while SOW is specific to a contract itself. In SOW, we are talking about activities, deliverables, timelines, how much is its gonna pay.

For Example: Let's say we are gonna perform a wireless penetration test and we are going to do this by this deadline and we are gonna to deliver you a report when we are done and its gonna cost you this much money. If the potential client agrees to that, they are gonna sign the SOW and MSA.

Other: Sample Report, Recommendation Letter, etc.: A lot of client asks to see a sample report and you might need a recommendation letter.

Before You Test

• Rule of Engagement (ROE): Here we covers the specific of our testing. If in the Sales we decided that we will scan for 100 IPs then here we will get the exact IP address that we are gonna be testing, we are gonna have that in our ROE.
• What can you attack specifically the IP address
• What can you do, what you can't do. Usually we can't do DOS attack, also we can't do social engineering.

<aside> 🚨 Do not start your penetration test until that ROE is signed. No Matter What.

</aside>

After You Test

Finding Report: It's gonna detail what we have found from a high level and a technical level.

Report Writing: https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report