8. Legal Documentation & Report Writing

➡️ Sales phase

Before any testing begins, legal agreements are put in place to define the relationship between the client and the security testing provider. Testing without this paperwork is unauthorized access, regardless of intent.

  • Mutual Non-Disclosure Agreement (NDA)

    • Ensures confidentiality of sensitive information shared in either direction.

    • Prevents disclosure of the client's data, the engagement itself, or the findings without consent.

  • Master Service Agreement (MSA)

    • Defines the overall business terms and conditions for all work between the two parties.

    • Covers liability, indemnification, payment terms, and service responsibilities, so each individual engagement does not have to renegotiate them.

  • Statement of Work (SOW)

    • Specifies the scope, objectives, and timeline of a specific penetration test under the MSA.

    • Outlines deliverables, methodologies, and explicit exclusions (systems or techniques that are out of bounds).

  • Other documents (sample reports, recommendation letters, etc.)

    • Provide the client with example reports so they know what the deliverable will look like.

    • Include references or testimonials from previous clients for credibility.

➡️ Before you test

The Rules of Engagement set the rules and expectations for how the penetration test will actually be conducted, and the signed ROE is the document the tester should have in hand before sending a single packet.

  • Rules of Engagement (ROE)

    • Defines the in-scope targets (IP ranges, domains, applications, user accounts), the authorized attack methods, and limitations such as no denial-of-service or no social engineering.

    • Establishes acceptable testing hours, emergency contacts on both sides, and rules for handling any sensitive data encountered during the test.

    • Ensures compliance with legal and ethical guidelines so that unintended damage is avoided, and gives the tester written authorization to point to if an activity is questioned.

    • Practical check: before testing, verify that every target address is actually owned by the client (third-party hosted systems often need the provider's separate permission), and stop and call the emergency contact if scope turns out to be unclear.

➡️ After you test

Once the penetration test is completed, the findings and recommendations are documented in the report, which is the only deliverable most clients will ever see.

  • Findings report

    • Summarizes the identified vulnerabilities and security gaps.

    • Assigns each finding a risk rating and prioritizes them, so the client knows what to fix first.

    • Includes remediation recommendations, with enough evidence (screenshots, commands, affected hosts) that the client's team can reproduce and verify each issue.

Together these documents provide legal protection, clear expectations, and structured reporting across the whole penetration testing lifecycle: sales (NDA, MSA, SOW), testing (ROE), and delivery (findings report).


Pentest report writing

Demo Company - Security Assessment Findings Report (the sample report walked through in the course)

  • Clear and structured: well organized into sections such as Executive Summary, Findings, and Recommendations, so readers can navigate straight to what they need.

  • Professional and concise: uses formal language, bullet points, and tables to present key information efficiently.

  • Balanced detail: combines technical depth for the IT and engineering teams with a plain-language summary for executives who will not read the technical sections.

  • Actionable insights: each finding is supported with evidence and has a severity rating, and the recommendations are clear, prioritized, and practical.

The report is well written, easy to follow, and effective for both technical and non-technical audiences. As a checklist when writing your own, each finding should carry a severity, a description of the issue and its impact, the affected hosts or URLs, proof (screenshot or command output), reproduction steps, and a specific remediation.


Career advice from TCM

  1. Set goals for yourself and stay motivated.

  2. Avoid complacency - keep pushing forward.

  3. Apply for jobs even if you're unqualified - growth comes from challenges.

  4. Admit when you don’t know something - learning starts with humility.

  5. Prove yourself by showing dedication and effort.

  6. Be selective with job applications - apply only to roles that fit your long-term goals and criteria.

  7. Surround yourself with smarter people - growth comes from being challenged.

  8. Build a strong network - connections are key to success.

