Friday, May 18, 2012

Penetration Testing Business Methodology

A high-quality penetration testing engagement that delivers the best value to the client requires a rigid business methodology on the part of the penetration testing provider. The methodology begins a long way from any exploits. It begins with documents vetted by legal counsel. For the client soliciting the testing, these include a statement of work (SOW) and a request for proposals or request for quote (RFP/RFQ). The penetration testing provider creates a formal technical and cost proposal in response to the solicitation. If selected to perform the penetration test, the provider negotiates a draft contract, which is vetted by legal, and the formal contract is signed by both parties. Other documents vetted by legal and signed by both parties are the non-disclosure agreement (NDA) and an indemnification agreement, informally known as the "get out of jail free" document. Sub-processes of all this paperwork include checklists of what the client permits and does not permit the penetration tester to perform; these checklists define the boundaries of the test, so both parties should agree on them before any testing starts.

Another document, more akin to the penetration testing team's internal documentation but one that may be shared with the client, is the work breakdown structure (WBS) together with a project schedule (built in Microsoft Project or something similar). The WBS lays out for the "tiger team" and the client the timelines, milestones, work to be performed, deliverables, and so on as the testing progresses. The project schedule is a scheduling tool used to plan and monitor the progression of the work.

Disciplines ideal for making this business methodology successful are: project management skills such as the knowledge base of the Project Management Institute, government and commercial contracting methodologies, and knowledge of the various computer and information systems laws and regulations by country and state. It is paramount for both parties to obtain legal representation from law firms that have knowledge of government and commercial contracting. The law firm does not have to have specific knowledge of penetration testing contracting, although it would be helpful if it had helped write and vet those contract types before.
