You probably won't see too much of the Sales documents unless you're higher up. They contain contract agreements and sales information.
Mutual Non-Disclosure Agreement (NDA)
Even before the contract is signed, the client will make you sign an NDA so you can't tell anybody about things specific to their network
Will come early on in the sales process or right before the ROE
Find out what the goal is and what they want done
Master Service Agreement (MSA)
Contractual Document
Specify performance objectives and outline the responsibilities of both parties
Blanket agreement that covers multiple contracts; legal mumbo jumbo
Statement of Work
Specific to one contract
Specify activities, deliverables, timelines, quotes
We will do an AD network pentest starting from this day and ending on this day; we will deliver you a findings report at the end and it'll cost this much
Sample Report, Recommendation Letters, etc.
Rules of Engagement or CYA (cover yo ass)
Covers specifics of the testing
Says what you can and can't do
Commonly DoS attacks are off the table because you don't want to disrupt their work (ALWAYS)
Social engineering is usually off the table as well, since it is usually its own separate test
DO NOT START A PENETRATION TEST UNTIL THE ROE IS REVIEWED AND SIGNED