Penetration Testing Agreement

Penetration Testing Agreement Template

This Penetration Testing Agreement (“Agreement”) is entered into on [Date], by and between:

Client:
Name: __________________________
Address: __________________________
Email: __________________________
Phone: __________________________

Service Provider:
Name: __________________________
Address: __________________________
Email: __________________________
Phone: __________________________

Collectively referred to as the “Parties.”

1. Purpose

The purpose of this Agreement is to authorize and govern penetration testing services to identify and mitigate potential vulnerabilities in the Client’s systems and infrastructure.

2. Scope of Work

The testing will cover the following:

• Networks: [Specify IP ranges, servers, routers, etc.]

• Applications: [Specify web apps, APIs, mobile apps, etc.]

• Physical security (if applicable).

• Social engineering attempts (if applicable).

Specific exclusions: [e.g., production databases, critical systems not to be tested].
A detailed scope of work is attached as Exhibit A.

3. Testing Schedule

• Start date: [Date]

• End date: [Date]
  Testing will occur during the following hours to minimize operational disruptions: [Timeframe].

4. Methodology

The Service Provider shall conduct testing using recognized ethical hacking techniques and frameworks such as OWASP, NIST, or ISO standards.
No destructive or disruptive actions shall be taken without prior written consent.

5. Reporting

• A preliminary report will be provided within [X days] of test completion.

• A final comprehensive report, including vulnerabilities and remediation recommendations, will be delivered within [X days].

• Reports shall be treated as confidential information.

6. Confidentiality

Both Parties agree to maintain strict confidentiality regarding all information accessed or disclosed during the engagement, including vulnerabilities, system data, and results.

Confidential information shall not be shared with third parties without prior written consent.

7. Legal Authorization

The Client grants explicit legal authorization to the Service Provider to conduct penetration testing as defined in this Agreement.
The Client assumes responsibility for securing any necessary third-party consents (e.g., from hosting providers).

8. Liability Limitations

• The Service Provider’s liability is limited to the total fees paid under this Agreement.

• The Client agrees to indemnify the Service Provider against claims arising from the Client’s misuse of findings or failure to implement remediation steps.

9. Fees and Payment

• Total fee: $[Amount]

• Payment terms: [X]% due upon signing, [X]% upon delivery of final report.
  Late payments are subject to [X]% interest per month.

10. Termination

Either Party may terminate this Agreement with [X days] written notice.
Upon termination, the Client shall pay for all work completed up to the termination date.

11. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of [State/Country].

12. Entire Agreement

This document constitutes the entire agreement between the Parties and supersedes all prior negotiations and agreements.

Signatures

Client Signature: ____________________________ Date: _________
Printed Name & Title: _________________________________________

Service Provider Signature: ____________________________ Date: _________
Printed Name & Title: _________________________________________