Web Application Penetration Test
Scope & Rules of Engagement Template

1. Engagement Details

Client Organisation:

Authorising Contact (Full Name & Title):

Contact Email:

Contact Phone:

Testing Vendor: Oday Cybersecurity — hello@oday.com.au — 0420 277 414

Test Type:

2. Testing Window

3. In-Scope Targets

List all URLs, IP addresses, and systems authorised for testing.

4. Out-of-Scope Targets

List any systems, URLs, or components that must NOT be tested.

5. Test Credentials

Passwords will be shared via encrypted channel (1Password or Signal) — not email.

6. Rules of Engagement

Testing team agrees to:

• Only test systems explicitly listed in Section 3
• Immediately notify the client if a critical vulnerability is found that poses immediate risk
• Not exfiltrate or retain any real customer data encountered during testing
• Not perform denial-of-service (DoS) attacks unless explicitly authorised below
• Keep all findings confidential and share only with authorised contacts
• Cease testing immediately if instructed by the client

DoS/Load Testing Authorised?

Social Engineering / Phishing Authorised?

Physical Security Testing Authorised?

7. Communication Protocol

In the event of a discovered critical issue during testing, the testing team will contact:

8. Authorisation & Signatures

By signing below, the client confirms they are authorised to permit this testing and accept the rules of engagement above.