// notes/ Report & Methodology
📝
Common Legal Documents
<figure<img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""<figcaption</figcaption</figure
#report writing#adot8
source · oscp.adot8.com · report-writing/common-legal-documents ↗Common Legal Documents
<figure><img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""><figcaption></figcaption></figure>{% hint style="info" %} You probably wont see too much of the Sales documents unless you're higher up. They contain contract agreements and sales information {% endhint %}
Sales Documents
- Mutual Non-Disclosure Agreement (NDA)
- Even before the contract is signed, the client will make you sign an NDA so you cant tell anybody about things specific to their network
- Will come early on in sales process or right before ROE
- Find out whats the goal and what they want done
- Master Service Agreement (MSA)
- Contractual Document
- Specify performance objectives and outline the responsibilities of both parties
- Blanket agreement that covers multiple contracts; legal mumbo jumbo
- Statement of Work
- Specific to one contract
- Specify activities, deliverables, timelines, quotes
{% hint style="info" %} We will do an AD network pentest starting from this day and ending on this day; we will deliver you a findings report at the end and it'll cost this much {% endhint %}
- Sample Report, Recommendation Letters, etc.
Before you test
- Rules of Engagement or CYA (cover yo ass)
- Covers specifics of the testing
- Says what you can and can't do
- Commonly DoS attacks are off the table because you dont want to disrupt their work (ALWAYS)
- Social engineering is usually off the table as well as it is usually its own test by itself
{% hint style="danger" %} DO NOT START A PENETRATION TEST UNTIL THE ROE IS REVIEWED AND SIGNED {% endhint %}