// notes/ Report & Methodology
📝

Common Legal Documents

<figure<img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""<figcaption</figcaption</figure

#report writing#adot8
source · oscp.adot8.com · report-writing/common-legal-documents

Common Legal Documents

<figure><img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} You probably wont see too much of the Sales documents unless you're higher up. They contain contract agreements and sales information {% endhint %}

Sales Documents

  • Mutual Non-Disclosure Agreement (NDA)
    • Even before the contract is signed, the client will make you sign an NDA so you cant tell anybody about things specific to their network
    • Will come early on in sales process or right before ROE
    • Find out whats the goal and what they want done
  • Master Service Agreement (MSA)
    • Contractual Document
    • Specify performance objectives and outline the responsibilities of both parties
    • Blanket agreement that covers multiple contracts; legal mumbo jumbo
  • Statement of Work
    • Specific to one contract
    • Specify activities, deliverables, timelines, quotes

{% hint style="info" %} We will do an AD network pentest starting from this day and ending on this day; we will deliver you a findings report at the end and it'll cost this much {% endhint %}

  • Sample Report, Recommendation Letters, etc.

Before you test

  • Rules of Engagement or CYA (cover yo ass)
    • Covers specifics of the testing
    • Says what you can and can't do
    • Commonly DoS attacks are off the table because you dont want to disrupt their work (ALWAYS)
    • Social engineering is usually off the table as well as it is usually its own test by itself

{% hint style="danger" %} DO NOT START A PENETRATION TEST UNTIL THE ROE IS REVIEWED AND SIGNED {% endhint %}