During the initial discussions and in the Statement of Work (SOW), include two disclaimers that set out important points about the scope of the penetration test.

  • A disclaimer that states that the pentest is a point-in-time assessment, meaning we have tested against the vulnerabilities and exploits known as of the current date. As time goes on and new software and systems are installed on the network, our assessment will not have tested those new items.

  • A disclaimer that indicates that the comprehensiveness of the pentest is limited by the types of tests authorised by the customer and by the vulnerabilities known at the time.

Also make it clear that a penetration test uses the same hacking tools that a real attacker would use, and although we have tested these tools, they could still produce unpredictable results because of additional software installed on the target systems or the way those systems are configured. Unpredictable results in this case mean that a target system could crash and become unavailable.