Statement of Work — Penetration Test
This Statement of Work ("SoW") is governed by the Master Services Agreement (the "MSA") between CyberGrid ("Provider") and [Customer Legal Name] ("Customer") dated [MSA Date]. In the event of conflict between this SoW and the MSA, this SoW controls solely with respect to this engagement.
1. Engagement summary
| Engagement | Web application penetration test |
|---|---|
| Target(s) | [https://app.example.com] (production / staging — see Section 3) |
| Lead tester | CyberGrid Senior Engineer |
| Methodology | OWASP WSTG v4.2 · OWASP ASVS v4.0.3 · PTES · MITRE ATT&CK · CVSS v3.1 |
| Scheduled start | [YYYY-MM-DD] |
| Scheduled end | [YYYY-MM-DD] |
| Duration | 5–10 business days (testing) + 2–3 business days (reporting) |
| Total fixed fee | USD $4,999 (engagement) · USD $1,999 (retest, optional, scheduled separately within 12 months) |
2. In scope
- Web application surface area at [target URL]: unauthenticated paths, authenticated paths (using credentials provided by Customer), public API endpoints exposed via the application.
- OWASP Web Security Testing Guide (WSTG v4.2) coverage as applicable to the target:
  - Information gathering (WSTG-INFO)
  - Configuration & deployment (WSTG-CONF)
  - Identity management (WSTG-IDNT)
  - Authentication (WSTG-ATHN)
  - Authorization (WSTG-ATHZ)
  - Session management (WSTG-SESS)
  - Input validation (WSTG-INPV)
  - Error handling (WSTG-ERRH)
  - Cryptography (WSTG-CRYP)
  - Business logic (WSTG-BUSL) — scoped via Customer-provided workflow descriptions
  - Client-side (WSTG-CLNT)
  - API testing (WSTG-APIT) — for any documented API endpoints
- Reproducible proof-of-concept for each finding.
- CVSS v3.1 scoring + CWE classification + OWASP category mapping for each finding.
- Written report (PDF) with executive summary, methodology coverage matrix, finding detail, remediation guidance, and disclaimers.
- Read-only access to a public attestation URL upon delivery (under the Customer's CyberGrid account).
3. Out of scope (unless explicitly added below)
- Network-layer testing (nmap-style port scans on infrastructure outside the application — quoted separately).
- Internal network or VPN-resident systems (engagement is external-perimeter only).
- Physical security testing.
- Social engineering, phishing, vishing.
- Denial-of-service or load testing.
- Mobile application testing.
- Cloud-account / IAM configuration review.
- Testing of third-party services not owned or controlled by Customer (e.g., SaaS integrations).
- Source-code review (engagement is black-box / grey-box per Section 4).
- Compliance audit (the report is mapped to control frameworks but is not an audit).
Items added to scope: [none / list]. Items explicitly excluded that would otherwise be in scope: [none / list].
4. Testing approach
Approach. Grey-box. Customer provides test-tier credentials (at minimum: one standard user, one administrative user) and any internal documentation needed to understand the application's intended behavior. Provider may also test from an unauthenticated perspective for parts of the surface area.
Testing window. Testing performed during the scheduled period, Monday–Friday, 09:00–18:00 [Customer time zone]. Outside-hours testing only by mutual agreement.
Profile. Non-destructive. No test will intentionally cause data loss, account deletion, or service disruption. If a test technique carries any risk of disruption, Provider will pause and confirm with Customer before executing.
Rate limits. Default ceiling of 50 requests per second per host. Lower limits may be agreed in writing.
Source IP(s). Provider will share a list of source IP ranges before kickoff so Customer may allow them through any WAF, IDS, or rate limiter.
5. Rules of engagement
- Authorization. Customer represents that it owns or has authority to authorize testing of the targets listed above. A signed authorization letter is delivered to Provider before kickoff.
- No data exfiltration. Provider will not exfiltrate Customer data beyond what is necessary to demonstrate a finding. Any data observed in the course of testing is treated as Confidential Information.
- Personal data. If real personal data is present in the test environment, Provider takes additional care; sensitive data is masked in proofs-of-concept where possible.
- Critical findings. Provider notifies Customer the same day of any critical finding, with a proof-of-concept and remediation guidance, rather than waiting for final report delivery.
- Cleanup. Test accounts, uploaded files, and any state created during testing are cleaned up at the end of the engagement, or earlier if requested.
- Escalation. If testing reveals an active third-party compromise, Provider stops testing immediately and notifies Customer.
6. Deliverables
- Engagement kickoff document (within 2 business days of SoW execution).
- Same-day notification of any critical-severity finding.
- Draft report (within 3 business days after end of testing window).
- Final report (within 2 business days after Customer's review of the draft).
- Publicly verifiable attestation URL (issued at final report delivery).
- Remediation guidance per finding, in the report.
- Optional: 30-minute walk-through of the report findings (scheduled at Customer's request).
7. Customer responsibilities
- Provide signed authorization letter prior to kickoff.
- Provide test-tier credentials (standard user + administrative user) and any documentation necessary to understand intended behavior.
- Provide a primary point of contact reachable during the testing window.
- Back up any systems that will be tested prior to the testing window.
- Notify Provider immediately of any production incident during the testing window that may have been caused by testing.
- Allow Provider's source IPs through any WAF, IDS, or rate limiter for the duration of testing.
8. Fees, billing, and payment
Initial engagement. USD $4,999, fixed fee, invoiced upon execution of this SoW; due net thirty (30) days.
Retest (optional). USD $1,999, fixed fee, scheduled separately within twelve (12) months of final report delivery. Retest covers re-testing every finding from this engagement, marking each as fixed / partial / not fixed, issuing a remediation addendum to the original report, and updating the public attestation.
Out-of-scope changes. Any expansion of scope requires a written amendment to this SoW and may incur additional fees, quoted in advance.
9. Retest policy
Customer may schedule a retest at any time within twelve (12) months of final report delivery for the flat fee of USD $1,999. The retest covers re-testing of each finding identified in this engagement. New findings discovered during the retest will be reported but are not within the scope of remediation; if Customer wishes a full new engagement, a new SoW is required.
10. Confidentiality & data handling
All Customer data observed during this engagement is Confidential Information under the MSA / NDA between the Parties. Test data is deleted from Provider's systems within thirty (30) days of final report delivery, except for the report itself and the attestation, which Customer retains.
11. Term
This SoW is effective upon execution by both Parties and terminates upon delivery of the final report (or earlier if the engagement is cancelled per the MSA). Section 9 (Retest policy) survives termination for twelve (12) months.
IN WITNESS WHEREOF, the Parties have executed this Statement of Work as of the Effective Date.