Contract Template
Updated 2026

Free Penetration Tester Service Agreement

One misclick on a legacy server can take down their production environment and your bank account with it. Without a solid contract, you are one accidental outage away from a lawsuit that could wipe you out.

Pro Contractor Tip

Demand a 'Limitation of Liability' clause capped at the total contract value so a single server crash doesn't cost you your house.

Why use a written agreement?

Handshake deals are risky. As a penetration tester, scope creep is your biggest enemy, and unauthorized testing is a legal exposure in its own right. A clear agreement fixes the scope, the deliverables and the written authorization to test before any money changes hands or any packet is sent.

🛡️ What this agreement covers:

  • Deliverables List
  • Payment Terms
  • IP Rights
  • Revision Limits
  • Cancellation Policy

Ready to send?

Our AI will fill in the client's name, dates, and specific project details for you.


Statement of Work

REF: 2026-001

1. Project Background

This Agreement is entered into by and between the Client and the Contractor. The Client wishes to engage the Contractor for professional penetration testing services.

2. Scope of Services

The Contractor shall provide the following deliverables:

  • Target Infrastructure Mapping
  • External Perimeter Vulnerability Scan
  • Manual Exploitation Proof-of-Concept
  • Post-Test Cleanup: Removal of Test Artifacts (accounts, payloads, tooling) and System Restoration
  • Prioritized Remediation Punch-List
  • Final Executive Security Briefing

3. Performance Standards

The Contractor agrees to perform the penetration testing services in a professional manner, using the degree of skill and care required by current industry standards, and only against systems the Client has authorized in writing.

Total Value: Variable

TERMS & CONDITIONS (Summary):

1. Payment: 50% Deposit required.

2. Copyright: Rights transfer to Client upon full payment.

Disclaimer: This template is for educational purposes only.

Frequently Asked Questions

The client wants me to 'just check' one more server that wasn't in the original plan; how do I handle this?

That's scope creep, and it's how you go broke. Use your contract to define the exact IP ranges, hostnames and testing windows that are in scope, and require a signed Change Order for any addition so you get paid for the extra labor. It also protects you legally: a host that is not in the signed scope is a host you have no written authorization to test.
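The practical side of that rule is a scope guard in your tooling: before any scanner or exploit is pointed at a host, check it against the ranges written into the Statement of Work. The following Python script is an added example, not part of the template, and the in-scope ranges, exclusion list and candidate targets in it are constructed for illustration.

```python
"""Rules-of-engagement scope guard (added example, not part of the template).

Before any scanning or exploitation tool is pointed at a host, check it
against the in-scope CIDR ranges from the signed Statement of Work. The
scope list, exclusion list and candidate targets below are constructed
for illustration.
"""
import ipaddress

# Constructed example: in-scope ranges as they would appear in the SOW
# (documentation ranges only, nothing real).
IN_SCOPE = [
    "203.0.113.0/24",
    "198.51.100.10/32",
]

# Constructed example: hosts explicitly carved out of scope
# (e.g. a production database the client asked you not to touch).
EXCLUDED = [
    "203.0.113.250/32",
]


def load_ranges(cidrs):
    """Parse CIDR strings into network objects; a malformed entry fails loudly."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_in_scope(target, in_scope, excluded):
    """Return True only if target is inside an in-scope range and not excluded.

    Raises ValueError if target is not a literal IP address.
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in load_ranges(excluded)):
        return False
    return any(addr in net for net in load_ranges(in_scope))


def filter_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Split a candidate list into (allowed, rejected).

    Hostnames are rejected on purpose: resolve them yourself and pass the
    resulting IPs, so a DNS change mid-engagement cannot silently widen
    the scope beyond what the client signed.
    """
    allowed, rejected = [], []
    for t in targets:
        try:
            ok = is_in_scope(t, in_scope, excluded)
        except ValueError:
            ok = False  # not a literal IP address
        (allowed if ok else rejected).append(t)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list, including the "just check one more server"
    # request (198.51.100.11) and the carved-out host.
    candidates = ["203.0.113.7", "203.0.113.250", "198.51.100.10",
                  "198.51.100.11", "legacy-db.example.com"]
    ok, bad = filter_targets(candidates)
    print("allowed:", ok)
    print("rejected (needs a signed Change Order):", bad)
```

Run the guard as a gate in front of every tool invocation rather than once at kickoff; the rejected list is exactly what goes into the Change Order request, and the exclusion list should be checked before the inclusion list so a carve-out inside an in-scope range always wins.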

What if their system crashes during my testing and they try to sue for downtime?

Without a 'Hold Harmless' clause and a written authorization to test, you have no defense. A solid contract makes the client acknowledge in writing that testing can cause outages, data changes or service degradation, and authorize the testing against the named systems before you touch the first port. That signed authorization is what separates a penetration test from unauthorized access, and it protects both your assets and your reputation.

The report is finished, but now the client is ghosting my invoices; what's the move?

Never hand over the final remediation report until the milestone payment clears. Your contract should stipulate that deliverables are only released upon receipt of funds, giving you the leverage to get paid what you're owed. One caveat a responsible tester builds in: findings rated critical (an exposed admin interface, a working remote code execution path) should still be communicated to the client immediately when found, independent of payment status, because leaving a client knowingly exposed is a bigger liability than a late invoice.