A penetration tester is reviewing the Statement of Work (SOW) before starting an engagement with a new client. The SOW outlines the objectives, deliverables, timelines, and milestones for the penetration test. Which of the following would MOST likely be specified in the SOW to define the extent of the penetration test?
The risk assessment report template to be used for presenting findings to the client post engagement.
The types of attacks the penetration tester is authorized to perform, such as social engineering or network scanning.
Service performance metrics that the penetration testing team must adhere to, as per the previously defined service-level agreement (SLA).
The confidentiality agreements outlined in the non-disclosure agreement (NDA) prepared separately by legal teams.
Correct answer: the types of attacks the penetration tester is authorized to perform. The SOW defines the tasks and responsibilities of the penetration testing team, and the scope of the test is set by stating which attack types (for example, social engineering or network scanning) are permitted, so that both the client and the tester understand the boundaries and the methodologies that may be used. By contrast, an NDA governs confidentiality, an SLA governs service performance metrics, and a risk assessment report template concerns how findings are presented after the engagement; none of these defines the tasks of the penetration test itself.