# 8. Legal Documentation & Report Writing

## Common legal documents

➡️ **Sales phase**

Before conducting a penetration test, legal agreements are established to define the relationship between the client and the security testing provider.

* **Mutual Non-Disclosure Agreement (NDA)**
  * Ensures confidentiality of sensitive information.
  * Prevents disclosure of client or tester details without consent.
* **Master Service Agreement (MSA)**
  * Defines overall business terms and conditions.
  * Covers liability, payment terms, and service responsibilities.
* **Statement of Work (SOW)**
  * Specifies the scope, objectives, and timeline of the penetration test.
  * Outlines deliverables, methodologies, and exclusions.
* **Other Documents (sample reports, recommendation letters, etc.)**
  * Provides clients with example reports for reference.
  * Includes references or testimonials for credibility.

➡️ **Before you test**

Key agreements set the rules and expectations for how the penetration test will be conducted.

* **Rules of Engagement (ROE)**
  * Defines **testing scope**, authorized attack methods, and limitations.
  * Establishes **acceptable testing hours**, emergency contacts, and data handling rules.
  * Ensures compliance with **legal and ethical guidelines** to avoid unintended damage.

➡️ **After you test**

Once the penetration test is completed, findings and recommendations are documented.

* **Findings report**
  * Summarizes identified vulnerabilities and security gaps.
  * Provides **risk assessments** and prioritization of discovered threats.
  * Includes **remediation recommendations** to improve security.

These documents ensure **legal protection, clear expectations, and structured reporting** throughout the penetration testing lifecycle.

***

## Pentest report writing

> * Check TCM's video about [Writing a Pentest Report](https://www.youtube.com/watch?v=EOoBAq6z4Zk) with the [provided samples](https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report)

**Demo Company - Security Assessment Findings Report**

* **Clear & Structured:** Well-organized with sections like Executive Summary, Findings, and Recommendations for easy navigation.
* **Professional & Concise:** Uses **formal language**, **bullet points**, and **tables** to present key information efficiently.
* **Balanced Detail:** Combines **technical depth for IT teams** with **simplified summaries for executives**.
* **Actionable Insights:** Findings are **supported with evidence**, and recommendations are **clear, prioritized, and practical**.

The report is **well-written, easy to follow, and effective** for both **technical and non-technical audiences**.
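As an added example that is not code from the course notes or from TCM's sample report, the small amount of logic a findings report needs behind its Findings table and Executive Summary: rating each finding, ordering the table worst-first, and counting per severity. It assumes CVSS v3.x base scores and the CVSS qualitative bands (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9), with a 0.0 score labelled Informational rather than CVSS's "None"; the `Finding` fields and the sample findings are constructed.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity ratings: lower bound of each band (inclusive).
# 0.0 is labelled "Informational" here (CVSS itself calls it "None").
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                  (0.1, "Low"), (0.0, "Informational")]
SEVERITY_ORDER = {name: i for i, (_, name) in enumerate(SEVERITY_BANDS)}

@dataclass
class Finding:
    ident: str           # report-local id such as "F-01" (assumed field layout)
    title: str
    cvss: float          # CVSS v3.x base score, 0.0 to 10.0
    recommendation: str  # remediation advice shown next to the finding

def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, name in SEVERITY_BANDS:
        if score >= lower:
            return name
    raise AssertionError("unreachable: the 0.0 band catches every valid score")

def prioritize(findings):
    """Order findings as the report lists them: worst severity first, then by score."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[severity(f.cvss)], -f.cvss))

def severity_counts(findings):
    """Per-severity totals for the executive summary."""
    counts = {name: 0 for _, name in SEVERITY_BANDS}
    for f in findings:
        counts[severity(f.cvss)] += 1
    return counts

def render_markdown(findings) -> str:
    """Render the prioritized findings table in Markdown."""
    rows = ["| ID | Severity | Score | Finding | Recommendation |", "|---|---|---|---|---|"]
    for f in prioritize(findings):
        rows.append(f"| {f.ident} | {severity(f.cvss)} | {f.cvss:.1f} | {f.title} | {f.recommendation} |")
    return "\n".join(rows)

# Constructed sample findings, not taken from any real assessment.
SAMPLE = [Finding("F-01", "Weak password policy", 5.3, "Enforce length and lockout rules"),
          Finding("F-02", "Unpatched service", 9.8, "Apply vendor patch"),
          Finding("F-03", "Version banner disclosure", 0.0, "Suppress version banners"),
          Finding("F-04", "No MFA on VPN", 7.5, "Require MFA for remote access")]

if __name__ == "__main__":
    print(severity_counts(SAMPLE))
    print(render_markdown(SAMPLE))
```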

***

## Career advice from TCM

1. **Set goals** for yourself and stay motivated.
2. **Avoid complacency** - keep pushing forward.
3. **Apply for jobs even if you're unqualified** - growth comes from challenges.
4. **Admit when you don’t know something** - learning starts with humility.
5. **Prove yourself** by showing dedication and effort.
6. **Be selective with job applications** - apply only to roles that fit your long-term goals and criteria.
7. **Surround yourself with smarter people** - growth comes from being challenged.
8. **Build a strong network** - connections are key to success.

***
