This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Documentation and Contracts

Essential Contract Elements

Statement of Work (SOW)

  • Objectives: What the client wants to accomplish

  • Scope: Exactly what systems and networks you'll test

  • Methodology: Which frameworks and standards you'll follow

  • Deliverables: What reports and presentations you'll provide

  • Timeline: Start date, milestones, and delivery dates

  • Acceptance Criteria: How success will be measured

  • Authorization: Explicit permission to test specified systems

  • Liability Limitations: Caps on potential damages you could be responsible for

  • Indemnification: Protection against third-party claims

  • Force Majeure: Protection against unforeseeable circumstances

Technical Specifications

  • Testing Methods: Which tools and techniques are approved

  • Traffic Limits: Rate limiting to avoid service disruption

  • Data Handling: How to manage sensitive information discovered

  • Reporting Requirements: Format, content, and delivery specifications


Rules of Engagement (RoE)

The RoE document provides detailed operational guidance:

Technical Constraints

  • Approved Tools: Specific scanners, frameworks, and utilities

  • Prohibited Actions: Denial of service, data modification, social engineering

  • Rate Limiting: Maximum requests per second to avoid impact

  • Safe Words: Codes to immediately stop testing if problems occur

Operational Procedures

  • Testing Windows: Specific days and hours when testing is permitted

  • Communication Protocols: How to report findings and coordinate activities

  • Emergency Procedures: What to do if you cause an outage or find active attacks

  • Documentation Standards: What evidence you can collect and how to handle it

Example RoE Clause: "Penetration testing is authorized against systems listed in Appendix A during business hours (9 AM - 5 PM local time) Monday through Friday. Scanning rates must not exceed 10 requests per second per target. Any system outage or suspected active compromise must be reported immediately to the emergency contact. No denial-of-service testing is permitted without separate written authorization."
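As an added example (not part of this guide), a small Python RoE guard that encodes the clause above: it checks a planned action against the authorized scope, the Monday to Friday 9 AM to 5 PM window, the 10 requests per second cap and the separate-authorization rule for denial-of-service testing, and enforces the per-target rate with a sliding one-second window. The Appendix A scope is a constructed sample using documentation and private address ranges, and timestamps are assumed to be in the client's local time.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class RulesOfEngagement:  # constraints lifted from the example RoE clause above
    authorized_scope: tuple            # "Appendix A" hosts and networks
    window_start: time = time(9, 0)    # 9 AM local time
    window_end: time = time(17, 0)     # 5 PM local time
    weekdays: tuple = (0, 1, 2, 3, 4)  # Monday=0 .. Friday=4
    max_rps_per_target: float = 10.0
    dos_authorized: bool = False       # needs separate written authorization

# Constructed stand-in for Appendix A (documentation and private ranges only).
EXAMPLE_ROE = RulesOfEngagement(authorized_scope=("203.0.113.0/24", "10.10.0.5"))

def in_scope(roe, target):
    return any(ip_address(target) in ip_network(net, strict=False) for net in roe.authorized_scope)

def in_testing_window(roe, when):  # when: naive datetime in the client's local time
    return when.weekday() in roe.weekdays and roe.window_start <= when.time() < roe.window_end

def check_action(roe, target, when_iso, planned_rps, test_type="scan"):
    """Return the RoE violations for a planned action; an empty list means it is permitted."""
    when = datetime.fromisoformat(when_iso)  # e.g. "2024-06-12T14:30" (client local time)
    violations = []
    if not in_scope(roe, target):
        violations.append(f"{target} is not listed in the authorized scope")
    if not in_testing_window(roe, when):
        violations.append(f"{when:%A %H:%M} is outside the testing window")
    if planned_rps > roe.max_rps_per_target:
        violations.append(f"{planned_rps} req/s exceeds the {roe.max_rps_per_target} req/s cap")
    if test_type == "dos" and not roe.dos_authorized:
        violations.append("denial-of-service testing needs separate written authorization")
    return violations

class PerTargetRateLimiter:  # sliding one-second window per target
    def __init__(self, roe):
        self.limit = int(roe.max_rps_per_target)
        self.sent = defaultdict(deque)  # target -> send timestamps within the last second

    def allow(self, target, now):  # now: float timestamp in seconds
        q = self.sent[target]
        while q and now - q[0] >= 1.0:  # forget sends older than one second
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Call `check_action` before every scan task and `allow` before every request; any non-empty violation list should halt the task and be raised with the client contact rather than worked around.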

Data Handling Requirements

Sensitive Data Discovery: What to do when you find sensitive information

  • Stop and Notify: Don't continue accessing sensitive data unnecessarily

  • Document Safely: Record the existence and location without copying content

  • Secure Handling: Encrypt and protect any evidence you must collect

  • Proper Disposal: Securely delete all client data after engagement completion

Data Retention Policies

  • How long you can retain test data and findings

  • Secure storage requirements for sensitive information

  • Client rights to request data deletion

  • Backup and archival procedures
