
The Scope That Could Save You



Date: August 18, 2023
Issue: Legal concerns about pentesting without proper authorization
Stakes: Career, legal liability, personal risk
Result: Got the scope signed before touching anything


The Situation

My employer (an MSP) wanted me to run a penetration test against a client’s network. Standard enough. Except:

  1. I’d be running it from my home ISP
  2. I wasn’t sure if a scope of work existed
  3. I was “told” there was authorization “somewhere”

Red flags everywhere.


Accessing systems without authorization is a federal crime under the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), and most states have their own computer-crime statutes on top of it. The CFAA doesn’t care that your boss told you to do it. What counts is whether the owner of the system authorized the access, and your employer is not the owner of the client’s network.

“My employer said it was okay” is not a legal defense.

The risks:

  • Criminal liability: Unauthorized access charges
  • Civil liability: Client sues for damages
  • Career destruction: Good luck getting another security job
  • Personal exposure: Your home IP in the logs, your equipment seized

What I Needed Before Starting

1. Written Scope of Work

A signed document specifying:

  • Exactly which systems are in scope
  • Exactly which systems are out of scope
  • Testing methods allowed (can I run exploits? Just scan?)
  • Time window for testing
  • Emergency contacts
  • Get-out-of-jail letter (literally)

2. Authorization Chain

The client’s signature. Not just the MSP’s. Not just verbal. Written, dated, signed by someone with authority to authorize the test.

3. Insurance Coverage

Does the MSP’s errors and omissions (E&O) insurance cover penetration testing, and does it cover me as the individual doing the testing or only the company? If the test knocks a system over, who pays?

4. Personal Protection

My home IP would be in every log. If anything went wrong - even years later - that IP traces back to me. I needed:

  • The signed scope stored somewhere I control
  • Documentation of who asked me to do this
  • Timestamps showing authorization came before testing
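The third item above is only as good as the record you can produce later. The Python below is an added example, not part of the original entry: it builds a manifest of SHA-256 digests over the authorization artifacts (the signed scope, the request email) together with the time the record was made, verifies the copies against it later, and checks that the record predates the first packet. The file names, file contents and dates are constructed placeholders for the example, not real documents.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for the real files: placeholder bytes, not real documents.
ARTIFACTS = {
    "scope-signed-cto.pdf": b"%PDF-1.4 placeholder bytes standing in for the signed scope",
    "request-from-manager.eml": b"From: manager@msp.example\nSubject: run the client pentest\n",
}
RECORDED_AT = datetime(2023, 8, 18, 14, 30, tzinfo=timezone.utc)   # when the record was made
FIRST_PACKET_AT = datetime(2023, 8, 21, 9, 5, tzinfo=timezone.utc)  # when testing actually began


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, recorded_at):
    """artifacts: {filename: bytes}. Returns a record with one SHA-256 per file,
    the time the record was made, and a hash over the whole record so a single
    hex string can be quoted in an email to the client and the MSP."""
    digests = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    body = {"recorded_at": recorded_at.isoformat(), "sha256": digests}
    fingerprint = sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))
    return {**body, "manifest_sha256": fingerprint}


def verify_manifest(manifest, artifacts):
    """Return the names of artifacts that are missing or whose bytes no longer
    match the manifest. An empty list means the stored copies are intact.
    If the manifest's own fields were edited, report that instead."""
    body = {"recorded_at": manifest["recorded_at"], "sha256": manifest["sha256"]}
    if sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8")) != manifest["manifest_sha256"]:
        return ["<manifest itself was altered>"]
    bad = []
    for name, digest in manifest["sha256"].items():
        data = artifacts.get(name)
        if data is None or sha256_hex(data) != digest:
            bad.append(name)
    return bad


def authorization_precedes_testing(manifest, first_packet_at):
    """True if the evidence record was made strictly before testing started."""
    return datetime.fromisoformat(manifest["recorded_at"]) < first_packet_at


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, RECORDED_AT)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(manifest, ARTIFACTS) == [])
    print("authorized before testing:", authorization_precedes_testing(manifest, FIRST_PACKET_AT))
```

The timestamp inside the manifest is self-asserted, so on its own it proves only what you claim. To make it independently checkable, send the manifest_sha256 value to the client and the MSP by email before the first packet; their mail servers then hold a third-party timestamp for it. An RFC 3161 timestamping service does the same job more formally.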

The Conversation With My Employer

“I need to see the signed scope before I start.”

“It’s somewhere in the client file. Just start, we’ll find it.”

“No. I need it in my hand before I send a single packet.”

This isn’t being difficult. This is protecting yourself from prison.


The Scope Template

What the scope needed to include:

PENETRATION TEST AUTHORIZATION

Client: [Client Name]
Date: [Date]
Tester: [My Name]
Company: [MSP Name]

AUTHORIZED TARGETS:
- https://client.com
- https://portal.client.com
- 192.168.1.0/24 (internal, if VPN provided)

EXCLUDED TARGETS:
- Production database servers
- Payment processing systems
- Third-party integrations

TESTING WINDOW:
- Start: [Date/Time]
- End: [Date/Time]

AUTHORIZED METHODS:
- Automated vulnerability scanning
- Manual testing
- Exploitation of discovered vulnerabilities
- Social engineering: [YES/NO]

EMERGENCY CONTACT:
- [Name, Phone, Email]

AUTHORIZATION:
I, [Client Representative], authorize the above penetration test.

Signature: ________________
Date: ________________
Title: ________________
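A signed scope is also something you can enforce mechanically before a scanner fires. The Python below is an added example, not part of the original entry or any tool named in it: it takes the authorized and excluded targets and the testing window from a scope like the one above and decides, for each candidate target, whether it may be touched. Exclusions win over authorizations, hostnames match exactly (api.client.com is not covered by an entry for client.com), and nothing is allowed outside the window. The template’s exclusions are descriptive (“production database servers”), so for a machine check they have to be turned into concrete hosts or addresses; the ones in the SCOPE dictionary, the /24, and the dates are constructed placeholders for this example.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed scope mirroring the template's fields. Hostnames, addresses and
# dates are placeholders for this example, not a real engagement.
SCOPE = {
    "authorized": [
        "https://client.com",
        "https://portal.client.com",
        "192.168.1.0/24",
    ],
    "excluded": [
        "db01.client.com",   # production database server
        "192.168.1.10",      # production database host that sits inside the /24
        "pay.client.com",    # payment processing
    ],
    "window": ("2023-08-21T09:00:00+00:00", "2023-08-25T17:00:00+00:00"),
}

IN_WINDOW = datetime(2023, 8, 22, 10, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2023, 9, 1, 10, 0, tzinfo=timezone.utc)


def normalize(entry):
    """Turn one scope or target string into ('net', ip_network) or ('host', name).

    URLs are reduced to their host; bare IPs become /32 (or /128) networks so
    single addresses and CIDR ranges share one comparison path.
    """
    entry = entry.strip()
    if "://" in entry:
        entry = urlsplit(entry).hostname or entry
    try:
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host", entry.lower().rstrip(".")


def matches(target, entry):
    """True if target falls under a single scope entry.
    Hostnames match exactly; no wildcard or suffix matching, by design."""
    t_kind, t_val = normalize(target)
    e_kind, e_val = normalize(entry)
    if t_kind != e_kind:
        return False
    if e_kind == "net":
        return t_val.version == e_val.version and t_val.subnet_of(e_val)
    return t_val == e_val


def check_target(target, when, scope=SCOPE):
    """Return (allowed, reason). Exclusions take precedence over authorizations,
    and nothing is allowed outside the signed testing window."""
    start = datetime.fromisoformat(scope["window"][0])
    end = datetime.fromisoformat(scope["window"][1])
    if not start <= when <= end:
        return False, "outside the authorized testing window"
    if any(matches(target, e) for e in scope["excluded"]):
        return False, "explicitly excluded"
    if any(matches(target, e) for e in scope["authorized"]):
        return True, "authorized"
    return False, "not listed in authorized targets"


def partition(targets, when, scope=SCOPE):
    """Split a candidate target list into (allowed, denied) before any scan runs."""
    allowed, denied = [], []
    for target in targets:
        ok, reason = check_target(target, when, scope)
        (allowed if ok else denied).append((target, reason))
    return allowed, denied


if __name__ == "__main__":
    candidates = ["https://client.com/login", "portal.client.com", "api.client.com",
                  "192.168.1.45", "192.168.1.10", "10.0.0.5", "pay.client.com"]
    allowed, denied = partition(candidates, IN_WINDOW)
    for target, reason in allowed:
        print(f"ALLOW {target:28} {reason}")
    for target, reason in denied:
        print(f"DENY  {target:28} {reason}")
```

Feed the scanner only the allowed list, and keep the denied list with its reasons in the engagement notes: a target you deliberately did not touch is part of the record too. The exact-hostname rule is the conservative reading of the document; if the client meant to include every subdomain, get that written into the scope rather than widening the matcher.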

What I Did

Waited. Pushed back. Made it clear I wasn’t starting without documentation.

Eventually, the scope appeared. Signed by the client’s CTO. Dated. Clear boundaries.

Then I started the test.


The Test Results

The Burp Suite scan found the usual suspects:

  • Vulnerable JavaScript dependencies
  • Open redirects
  • Missing HttpOnly flags on cookies
  • Password autocomplete enabled
  • Client-side template injection

Nothing catastrophic. Standard web app hygiene issues.

But here’s the thing: if I’d found something critical and exploited it without the scope, I’d be the one in trouble. Not the client. Not the MSP. Me.


The Lesson

Never pentest without written authorization. Verbal doesn’t count. Email from your boss doesn’t count. You need the client’s signature.

Protect yourself first. Your employer’s urgency is not your legal exposure.

Document everything. Keep copies of the scope, the authorization chain, the request emails. If something goes wrong in 5 years, you need proof.

“Get out of jail” letters are real. The authorization document is literally what you show law enforcement if someone claims unauthorized access.


The Template I Use Now

Every pentest, I require:

  1. Signed scope from the client
  2. My copy stored outside company systems
  3. Emergency contacts verified
  4. Insurance confirmation from the MSP
  5. Written acknowledgment of testing window

Is this paranoid? Maybe. Is it career-ending not to do it? Definitely.


The best pentest is one where nobody questions your authorization. The worst is one where you can’t prove you had it.