Contract For Penetration Testing

This contract is entered into by all signing parties, and the institutions or businesses they
represent, who agree to penetration testing within the stipulations defined in this contract.

This contract specifies both internal and external penetration testing, which is to be
conducted against all assets defined within this contract.

No assets not defined in this contract will be tested, barring the stipulations defined below.
All assets being tested will be assessed within reasonable strategy, taking account of the time
allotted for testing, and the number of assets, endpoints, and infrastructure to be tested.

If an asset is defined within this contract to be tested, and it is connected or in any way
tethered to another asset which is not included in this test, all signing parties agree to declare
such connections in advance of testing.

If no prior declaration is made, it is agreed upon by all parties that the penetration test
scope will extend to whatever assets are directly or indirectly connected to the assets defined to be
tested (databases, services, loggers, etc.). This stipulation is added due to the nature of
penetration testing and the nature of modern interconnected environments.

An attack or test launched at an asset defined for testing can potentially relay or
otherwise proxy tests or attacks, completely unbeknownst to the penetration tester performing
the tests, affecting assets out of scope for the penetration test. This can result in the overall effect
of having attacked an asset that is connected to an in-scope asset but is out of scope itself. For
purposes of liability and legality, this contract grants our testing team the authorization to test
those assets which may fall into this category. We will not intentionally attack out-of-scope
targets, but penetration testing can result in unforeseen outcomes, for which this clause accounts.

All signatories and the institutions or businesses they represent must understand that
penetration testing consists mainly of conducting reconnaissance and attacks on the
assets and infrastructure being tested. This can result in instability, downtime, breakages, and
many other adverse effects. You agree not to hold PentestUSA LLC, or the testers provided for
testing, liable for any sort of harm caused by our act of penetration testing.

The PentestUSA LLC team does not intend to cause damage, nor is it our intention to harm
any network. Instead, our intention is to assist in finding security issues which an outside attacker
could use to create harm themselves. Our attacks help reveal latent vulnerabilities in your
network, so that they can be fixed to improve overall infrastructure and environmental security
within the organizations being tested.

The products provided at the end of testing primarily include, but are not limited to, a full
penetration test report assessing the vulnerabilities found. Similar information may also be provided
which can assist the institutions being tested to improve their security posture. Additional
information can include proof-of-concept exploit code, videos showing methodologies, images, or
other proofs which may assist in describing or proving a vulnerability or condition.

Penetration testing will be conducted within the times defined within this contract, barring
certain stipulations. In the event of an act of god (natural disaster), network outages, or unforeseen
personal tragedies (hardware failure, medical emergencies, etc.), this contract defines that
scheduling or personnel may be changed or modified by PentestUSA staff. With regard to
network outages, we maintain a backup link in the case of network downtime, and have never had
to stop a penetration test on account of network issues on our end.

The institutions or businesses being tested must maintain reasonable connectivity during
the time allotted for testing. We understand that technical issues can crop up during testing, such
as network downtime experienced at your data-center or issues resulting from your service
provider. We will make accommodation for these scenarios, and are generally flexible for
rescheduling within reason, so long as the issues are cleared up so that testing can resume.

Automated intrusion prevention and automatic firewalling strategies that you employ must
take our testing into account. Hackers have all day, every day, all year, every year to break
into your networks. Penetration testing, however, must be done within the time frame allotted
by this contract. This means that we cannot move slowly with regard to our testing. Due to this,
our testing will be much noisier and more visible than a typical attacker, as we will be launching many
probes and attacks almost continuously for the duration of testing. If possible, we request in
advance to be whitelisted in intrusion prevention and firewall rule sets for the duration of testing.
This is so that testing is not prevented prematurely by sensitive automated intrusion
responses. This is not an absolute requirement, but if we are blocked on any day of testing and
not unblocked, the businesses or institutions represented by the signing parties agree to still pay
out the contract in full, as if the entire penetration test had been conducted normally.

If any of your assets which are to be tested exist within a data center, you must seek
approval from those data centers prior to testing (this includes Amazon, Datapipe, etc.). We will
not test assets hosted by data centers without full prior authorization, as those hardware assets
belong to them. Most data centers are happy to provide authorization, and have processes in
place to grant authorization prior to tests. No testing on assets will be performed unless this
authorization is gathered prior to testing. Please be sure to get all required authorizations prior to
the start of the contract, as it is very important. This process is the responsibility of the
businesses or institutions hiring our firm, and not our responsibility, as we have no influence over
data centers or providers with which we have no business relationship.

External penetration testing is to be conducted from our premises, remotely over the
internet, targeting your assets. We will provide you with our public static IP address prior to testing so
that you can notify relevant staff and personnel.

Internal penetration testing is to be conducted within the internal segments of the networks to
be tested. The most logical way to perform these tests is via remote VPN. If a VPN is to be used, it
is assumed that a remote OpenVPN-compatible server will be made available for testers to proxy
through. If this strategy is employed, no on-site costs will be accrued.

If internal penetration testing is to be conducted in person on-site, the institutions or
businesses being tested agree to pay for all related travel costs for the team being deployed.
These costs include the cost of airfare, reasonable hotel rental, a $50 per diem for food and
expenses, and an economy-sized car rental for the duration of testing. Penetration testers are to be
provided all necessary on-site access from the start of work hours until the end of work hours
stipulated within the contract. If testing requires badge or key access, this is agreed to be
provided upon the start of testing. Testers will be expected to be on-site promptly at the start of
the contract, barring act of god, medical emergencies, or unforeseen circumstances.

Upon the delivery of the report products, you assume all responsibility for maintaining the
delivered report and penetration test products. For security reasons, we do not retain any
produced data sets in any digital form for any client. This is done to protect client data in the
event that we are compromised. Not retaining client details makes our organization a much less
desirable target for attackers, and completely removes any incentive to attack us in order to expose client
details.

Services and Scheduling

Table 1.1: Internal Penetration Testing

Services Performed: Internal Penetration Testing
Products Provided: Internal Penetration Test Report and Relevant Tool Outputs
ETA for Completion: 1 business week for penetration testing; 1 business week for analyzing test results and generating PCI/pentest reports.
Hourly Rate: MARKET RATE
Total Contract Price: MARKET RATE
Vantage: External from auditor network. No housing/travel costs required.

Table 1.2: External Penetration Testing

Services Performed: External Penetration Testing
Products Provided: External Penetration Test Report and Relevant Tool Outputs
ETA for Completion: 1 business week for penetration testing; 1 business week for analyzing test results and generating PCI/pentest reports.
Hourly Rate: MARKET RATE
Total Contract Price: MARKET RATE
Vantage: External from auditor network, performed via VPN. No housing/travel costs required.

Table 1.3: Basic Information

Client Contact Name(s): CLIENT CONTACTS
Penetration Tester Name(s): TESTER NAMES
Origin IP Address (External): ORIGIN IP

Table 1.4: External Testing Dates

External Penetration Test Start Date: START DATE
External Penetration Test End Date: END DATE

Table 1.4: Internal Testing Dates

Internal Penetration Test Start Date: START DATE
Internal Penetration Test End Date: END DATE

Important Notice: Penetration testing IS NOT software auditing; software auditing is a separate
service wherein software is audited before deployment. It is a separate service and not to
be confused with penetration testing.

Approved In-Scope Targets

The following assets have been defined and approved for penetration testing.
They are to be treated as targets for testing, and the businesses or institutions being tested grant
full approval for these targets to be assessed during the full duration of the contract.

Domain Names:
[domain names are listed here]

External IP Addresses:
[External IP addresses are listed here.]

Internal IP Addresses:
[Internal IP addresses are listed here.]

Agreement Signatures and Dates

All parties signing here agree to all terms and stipulations defined within this contract, and
verify they represent and have the authority required to execute this contract on behalf of the
businesses or institutions being provided services.

___________________________ ________________________
Client Signature Date
(BUSINESS NAME)

___________________________ ________________________
Provider Signature Date
(PentestUSA LLC.)