> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/report-writing/common-legal-documents.md).

# Common Legal Documents

<figure><img src="/files/6Jg4OreFIOeCGgPLUk0q" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
You probably wont see too much of the Sales documents unless you're higher up. They contain contract agreements and sales information
{% endhint %}

## Sales Documents

* **Mutual Non-Disclosure Agreement** (NDA)
  * Even before the contract is signed, the client will make you sign an NDA so you cant tell anybody about things specific to their network
  * Will come early on in sales process or right before ROE
  * Find out whats the goal and what they want done
* **Master Service Agreement** (MSA)
  * Contractual Document
  * Specify performance objectives and outline the responsibilities of both parties
  * Blanket agreement that covers multiple contracts; legal mumbo jumbo
* **Statement of Work**
  * Specific to one contract
  * Specify activities, deliverables, timelines, quotes

{% hint style="info" %}
We will do an AD network pentest starting from this day and ending on this day; we will deliver you a findings report at the end and it'll cost this much
{% endhint %}

* **Sample Report, Recommendation Letters**, etc.

## Before you test

* **Rules of Engagement or** CYA (cover yo ass)
  * Covers specifics of the testing
  * Says what you can and can't do
  * Commonly DoS attacks are off the table because you dont want to disrupt their work **(ALWAYS)**
  * Social engineering is usually off the table as well as it is usually its own test by itself

{% hint style="danger" %}
**DO NOT START A PENETRATION TEST UNTIL THE ROE IS REVIEWED AND SIGNED**
{% endhint %}
