Authorization Requirement

A written instrument — signed by an individual with the authority to approve testing — that identifies the in-scope assets, the agreed testing window, and references the Rules of Engagement and engagement contract.

The client must confirm ownership or formal control of the in-scope assets. Where assets are hosted by, integrated with, or dependent on third parties, additional authorization from those parties may be required before testing can proceed.

Scope is documented in writing and agreed before testing begins. Rules of Engagement define out-of-scope activities, sensitive endpoints, escalation paths, emergency contacts, and any restrictions on tooling or timing.

Authorization may be withdrawn or suspended in writing at any time. Testing stops as soon as we are made aware. We will provide a summary of activity completed up to that point.

We will decline or pause any engagement where authorization, ownership, scope, or intent becomes unclear, or where requested activity would conflict with lawful, ethical practice.