| -# 8. Legal Documentation & Report Writing |
| 1 | +# 8. Legal Documentation & Report Writing |
| 2 | + |
| 3 | +## Common legal documents |
| 4 | + |
| 5 | +➡️ **Sales phase** |
| 6 | + |
| 7 | +Before conducting a penetration test, legal agreements are established to define the relationship between the client and the security testing provider. |
| 8 | + |
| 9 | +- **Mutual Non-Disclosure Agreement (NDA)** |
| 10 | + - Ensures confidentiality of sensitive information. |
| 11 | + - Prevents disclosure of client or tester details without consent. |
| 12 | +- **Master Service Agreement (MSA)** |
| 13 | + - Defines overall business terms and conditions. |
| 14 | + - Covers liability, payment terms, and service responsibilities. |
| 15 | +- **Statement of Work (SOW)** |
| 16 | + - Specifies the scope, objectives, and timeline of the penetration test. |
| 17 | + - Outlines deliverables, methodologies, and exclusions. |
| 18 | +- **Other Documents (sample reports, recommendation letters, etc.)** |
| 19 | + - Provides clients with example reports for reference. |
| 20 | + - Includes references or testimonials for credibility. |
| 21 | + |
| 22 | +➡️ **Before you test** |
| 23 | + |
| 24 | +Key agreements set the rules and expectations for how the penetration test will be conducted. |
| 25 | + |
| 26 | +- **Rules of Engagement (ROE)** |
| 27 | + - Defines **testing scope**, authorized attack methods, and limitations. |
| 28 | + - Establishes **acceptable testing hours**, emergency contacts, and data handling rules. |
| 29 | + - Ensures compliance with **legal and ethical guidelines** to avoid unintended damage. |
| 30 | + |
| 31 | +➡️ **After you test** |
| 32 | + |
| 33 | +Once the penetration test is completed, findings and recommendations are documented. |
| 34 | + |
| 35 | +- **Findings report** |
| 36 | + - Summarizes identified vulnerabilities and security gaps. |
| 37 | + - Provides **risk assessments** and prioritization of discovered threats. |
| 38 | + - Includes **remediation recommendations** to improve security. |
| 39 | + |
| 40 | +These documents ensure **legal protection, clear expectations, and structured reporting** throughout the penetration testing lifecycle. |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +## Pentest report writing |
| 45 | + |
| 46 | +> - Check TCM's video about [Writing a Pentest Report](https://www.youtube.com/watch?v=EOoBAq6z4Zk) with the [provided samples](https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report) |
| 47 | +
|
| 48 | +**Demo Company - Security Assessment Findings Report** |
| 49 | + |
| 50 | +- **Clear & Structured:** Well-organized with sections like Executive Summary, Findings, and Recommendations for easy navigation. |
| 51 | +- **Professional & Concise:** Uses **formal language**, **bullet points**, and **tables** to present key information efficiently. |
| 52 | +- **Balanced Detail:** Combines **technical depth for IT teams** with **simplified summaries for executives**. |
| 53 | +- **Actionable Insights:** Findings are **supported with evidence**, and recommendations are **clear, prioritized, and practical**. |
| 54 | + |
| 55 | +The report is **well-written, easy to follow, and effective** for both **technical and non-technical audiences**. |
| 56 | + |
| 57 | +--- |
| 58 | + |