What is a penetration testing closure letter?

A penetration testing closure letter is the executed document by which the testing firm formally signs off the engagement and the client formally accepts that sign-off. It marks the end of the testing window opened by the engagement letter, confirms that the deliverables agreed in the statement of work have been produced, records the retest scope authorised under the same engagement, and notes the evidence retention and destruction obligations the testing party will discharge on the engagement record. PTES Section 7 (Reporting), NIST SP 800-115 (closeout), and the CREST Defensible Penetration Test specification all assume an explicit closeout artefact rather than a silent stop. The closure letter is the one to two page artefact that makes the closeout legible to an auditor, a scheme reviewer, or the next testing rotation.

How is a closure letter different from the report and the attestation letter?

The report is the durable findings record: every finding with evidence, severity rationale, and remediation guidance, signed and stored against the engagement. The attestation letter is a short, client-facing summary that the buyer can share with their own customers, regulators, or auditors to evidence that a test was performed; it lives downstream of the report and the closure. The closure letter is internal to the engagement chain: it sits between the testing party and the authorising party, it lapses the authorisation opened by the engagement letter, it locks the retest scope, and it records the evidence retention plan. A closure letter is the artefact that closes the engagement; the attestation letter is the artefact the buyer uses afterwards.

When does a penetration testing engagement actually close?

An engagement closes on the latest of three events: the final report has been delivered and accepted, the retest authorised under the engagement has either completed or has been deferred to a separate authorisation, and the closure letter has been signed by both sides. Programmes that treat report delivery as closure tend to discover unresolved retest scope months later when the buyer asks for verification of remediation against findings the testing party considers historic. A clean closure event with a dated letter prevents that drift by making the boundary explicit. Where the engagement is regulated (CHECK, CREST OVS, CREST STAR, FedRAMP, DORA TLPT, MAS TRM TLPT) the scheme typically requires a dated closure event with the artefacts the closure letter references.

What does a defensible closure letter always include?

At minimum: engagement reference, parties, references to the executed statement of work, rules of engagement, and engagement letter, dates of the testing window opened and closed, a summary of deliverables produced (final report, debrief deck, evidence pack, attestation letter where commissioned), the count of findings by severity at closure, the retest scope authorised under this engagement and the deadline beyond which a fresh authorisation will be required, the evidence retention plan (what is retained, where, for how long, on what destruction schedule), the credentials and access pickup confirmation, the explicit statement that the engagement letter authorisation has lapsed, and the signatures of both parties. Optional sections cover lessons-learned input the buyer wants captured, framework-specific closeout language for regulated engagements, and disclaimers around informational findings that did not enter the report.

Who needs to sign the closure letter?

The same authorising representative who signed the engagement letter on the client side, or a delegated equal, signs the closure. Lapsing the authorisation that opened the engagement requires equivalent signing authority to the one that opened it. The testing party is signed off by the engagement lead named in the engagement letter, or a partner with equivalent authority where the engagement lead has rotated off. Lower-level signatures on either side leave the closure ambiguous, which surfaces later as disputed retest authorisation or unclear evidence retention. The ten-minute discipline of getting the right signature now prevents weeks of email reconstruction six months later.

What does the closure letter say about retests?

The closure letter records the retest scope authorised under the engagement letter, the deadline beyond which retest authorisation will require a fresh engagement letter or addendum, and the channel for triggering a retest (typically the workspace where the engagement record lives). Retests authorised under the same engagement letter typically have a thirty to ninety day window from the date of remediation closure. After that window the closure letter declares the authorisation lapsed and a new authorisation event has to occur. The retest section is the part of the closure letter most often litigated; the discipline is being explicit about timing and scope rather than leaving it implied.

What does the closure letter say about evidence retention and destruction?

Evidence captured during a penetration test (request and response captures, screenshots, payloads, credentials handed over for authenticated scans, exported configuration data) carries data protection obligations. The closure letter records what evidence is retained, where it is retained (on the engagement record in the testing workspace), for how long (typically aligned with the buyer retention policy or scheme requirement, commonly twelve months minimum and seven years for regulated programmes), and on what destruction schedule. It also confirms that any credentials handed over for testing have been rotated or revoked by the buyer. Without this section the engagement leaves a long tail of recoverable evidence that nobody owns.

How does the closure letter handle informational findings that did not make the report?

A defensible engagement produces three categories of observation: findings that ship to the report, informational observations that the testing team noted but did not raise to finding status, and items the buyer asked be excluded from the report on documented grounds. The closure letter notes that the second and third categories exist on the engagement record and where they live, so the next testing rotation does not have to rediscover them. It does not list them line by line; that level of detail belongs in the workspace audit trail or, where the buyer requested it, in an annex to the final report. Acknowledging the categories prevents the perception that the engagement only produced what was in the report.

Is a closure letter required for every penetration testing engagement?

Regulated programmes, scheme-tested programmes (UK CHECK, CREST OVS, CREST STAR, FedRAMP, DORA TLPT, MAS TRM TLPT), and most enterprise procurement frameworks require an explicit closeout artefact. Outside those, the discipline is still useful: a closure letter prevents the report-delivered-but-not-closed drift that consumes margin in firms running multiple concurrent engagements. The pragmatic rule is that any engagement large enough to have a discrete engagement letter is large enough to have a discrete closure letter; smaller engagements where the SOW and engagement letter merged can use a closure section in the final report or a closure email signed by both sides instead of a separate letter.

How does SecPortal use the closure letter in an engagement?

SecPortal stores the closure letter alongside the engagement letter, the SOW, the ROE, the findings, the report, the debrief deck, the retest evidence, and the attestation letter on the same engagement record. The activity log captures who uploaded, who reviewed, and who signed the closure. When a regulator or scheme reviewer asks for the engagement chain on a past test, the chain reconstructs from the same record the engagement was run against rather than from a separate document drive. Retests authorised under the closure letter pair to the original finding rather than opening a new record, so the verification trail keeps running on the same finding and the aging clock keeps measuring against the original capture date. The next engagement opens with the prior closure context already attached, so the testing team does not start from a blank page on a programme that has been running for years.

Free Tool

Penetration Testing Closure Letter Template
sign off the engagement, lock retest scope, and lapse the authorisation cleanly

A free, copy-ready penetration testing closure letter template. Eleven structured sections covering engagement references, parties and the prior authorisation chain, deliverables produced and accepted, findings count at closure by severity, the retest scope authorised under this engagement and its expiry, the evidence retention plan, the credential rotation and access pickup confirmation, framework and scheme closeout language for regulated engagements, lessons-learned input, the explicit lapse of the engagement letter authorisation, and signatures. Pairs with the executed engagement letter, the final report, and the debrief deck so the closure inherits scope, deliverables, and authorisation rather than restating them. Aligned with PTES, NIST SP 800-115, and the CREST Defensible Penetration Test specification.

Get Started Free

No credit card required. Free plan available forever.

Full template

Copy the full closure letter template

Eleven structured sections. The closure inherits scope and authorisation from the executed engagement letter, statement of work, and rules of engagement. Replace every {{PLACEHOLDER}} before signing.

1. Header and engagement references

The letter opens with the engagement reference, the closure date, and the prior authorisation chain. PTES Section 7 (Reporting), NIST SP 800-115 (closeout), and the CREST Defensible Penetration Test specification all expect a traceable chain from closure back to the original authorisation.

PENETRATION TESTING ENGAGEMENT CLOSURE LETTER

Engagement reference: {{ENGAGEMENT_REFERENCE}}
Closure date: {{CLOSURE_DATE}}

This letter formally closes the penetration testing engagement opened under:
- Engagement Letter reference: {{ENGAGEMENT_LETTER_REFERENCE}}, executed {{ENGAGEMENT_LETTER_DATE}}
- Statement of Work reference: {{SOW_REFERENCE}}, executed {{SOW_DATE}}
- Rules of Engagement reference: {{ROE_REFERENCE}}, executed {{ROE_DATE}}
- Master Services Agreement (where applicable): {{MSA_REFERENCE}}, executed {{MSA_DATE}}

Where any term of this letter conflicts with the SOW, the underlying executed document governs and this letter is to be interpreted as a closeout against those terms rather than a variation.

2. Parties and prior authorisation

Names the contracting client (the Authorising Party) and the testing firm (the Testing Party). The closure must be signed by the same authority that authorised the engagement, or a delegated equal, so the lapse of authorisation is symmetric with how it was opened.

Authorising Party (the Client):
- Legal entity: {{CLIENT_LEGAL_NAME}}
- Registered address: {{CLIENT_ADDRESS}}
- Authorising representative: {{CLIENT_AUTHORISING_NAME}}, {{CLIENT_AUTHORISING_TITLE}}
- Email: {{CLIENT_AUTHORISING_EMAIL}}

Testing Party (the Vendor):
- Legal entity: {{TESTING_FIRM_LEGAL_NAME}}
- Registered address: {{TESTING_FIRM_ADDRESS}}
- Engagement lead at closure: {{ENGAGEMENT_LEAD_NAME}}, {{ENGAGEMENT_LEAD_TITLE}}
- Email: {{ENGAGEMENT_LEAD_EMAIL}}

The Authorising Party signatory below holds equivalent delegated authority to the signatory of the Engagement Letter referenced in Section 1. Where that signatory has rotated off the relationship, this letter is signed by their successor or a delegated equal whose authority covers the assets in scope.

3. Testing window opened and closed

Captures the testing window that the engagement letter opened and the date on which active testing finished. Active testing closure is distinct from engagement closure: testing can stop weeks before the engagement formally closes via this letter.

Testing window opened (per Engagement Letter): {{TESTING_START_DATE}} {{TESTING_START_TIME}} ({{TIMEZONE}})
Active testing finished: {{ACTIVE_TESTING_END_DATE}} {{ACTIVE_TESTING_END_TIME}} ({{TIMEZONE}})
Engagement formally closed by this letter: {{CLOSURE_DATE}}

Between active testing finish and engagement closure, the Testing Party performed: {{POST_TESTING_ACTIVITIES}}
(typical activities: report drafting, evidence packaging, debrief preparation and delivery, finding clarifications, scoped retests under the original authorisation).

No further testing has occurred or will occur under the Engagement Letter referenced in Section 1 outside the activities listed above.

4. Deliverables produced and accepted

Records what the engagement actually produced and which artefacts the buyer accepted. PTES Section 7 and NIST SP 800-115 both treat deliverable acceptance as a discrete checkpoint. The list also surfaces any deliverable the buyer declined to formally accept so the dispute is on the record rather than in email.

Deliverables produced under this engagement:
- Final report: {{FINAL_REPORT_REFERENCE}}, delivered {{FINAL_REPORT_DELIVERY_DATE}}, accepted {{FINAL_REPORT_ACCEPTANCE_DATE}}
- Executive summary (front of report or standalone): {{EXEC_SUMMARY_REFERENCE}}
- Debrief deck and meeting record: {{DEBRIEF_DECK_REFERENCE}}, walked {{DEBRIEF_DATE}}
- Evidence pack (request and response captures, screenshots, payloads): retained on the engagement record per Section 7
- Decision log from the debrief and finding clarification cycle: {{DECISION_LOG_REFERENCE}}
- Attestation letter (where commissioned): {{ATTESTATION_LETTER_REFERENCE}}
- Compliance mapping export (where the engagement is regulated): {{COMPLIANCE_MAPPING_REFERENCE}}

Deliverables under dispute or pending acceptance at closure (if any):
{{DELIVERABLE_DISPUTES_OR_PENDING_ITEMS}}

The Authorising Party confirms acceptance of the deliverables listed as accepted above. Items under dispute remain governed by the dispute mechanism in the SOW.

5. Findings count and severity at closure

A short numerical summary of what the engagement produced. The granular detail lives in the report; the closure letter restates the headline so the signing executive sees what they are closing over without paging through the full deliverable.

Findings count at closure (per the final report referenced in Section 4):

- Critical: {{CRITICAL_COUNT}}
- High: {{HIGH_COUNT}}
- Medium: {{MEDIUM_COUNT}}
- Low: {{LOW_COUNT}}
- Informational (in report): {{INFORMATIONAL_COUNT}}

Total findings raised to the report: {{TOTAL_FINDINGS_COUNT}}
Findings retested under this engagement (see Section 6): {{RETESTED_COUNT}}
Findings remaining open at closure: {{OPEN_AT_CLOSURE_COUNT}}
Findings closed (verified-fixed or accepted by the Authorising Party as risk-accepted) at closure: {{CLOSED_AT_CLOSURE_COUNT}}

Informational observations recorded on the engagement record but not raised to the report: see Section 9. Items the Authorising Party requested be excluded from the report on documented grounds: see Section 9.

6. Retest scope authorised under this engagement

Locks the retest scope and the deadline beyond which retest authorisation will require a fresh engagement letter. This is the section of the closure letter most often litigated; the discipline is being explicit rather than letting timing and scope drift into email.

Retest scope authorised under the Engagement Letter referenced in Section 1:

In-scope findings for retest under this authorisation:
- Critical and High findings as listed in the final report.
- Selected Medium findings: {{MEDIUM_FINDINGS_AUTHORISED_FOR_RETEST}}
- Retest depth: same methodology as the original engagement, scoped to verifying remediation rather than re-running discovery.

Retest authorisation expiry: {{RETEST_AUTHORISATION_EXPIRY_DATE}}
({{RETEST_WINDOW_DAYS}} days from the date of this closure letter, or from remediation closure where stated, whichever is earlier).

After the retest authorisation expiry, retests against findings from this engagement require either:
- An addendum to the Engagement Letter referenced in Section 1, signed by the Authorising Party.
- A fresh Engagement Letter and supporting authorisation chain (SOW or change order, ROE, kickoff).

Retest channel: requests are raised in the engagement workspace operated by the Testing Party, via the contacts named in Section 7 of this letter. Out-of-band retest requests are not authorised under this letter.

Retests performed under this letter pair to the original finding rather than opening a new finding record. The aging clock on the original finding continues to run from its original capture date so the audit trail remains continuous.

7. Evidence retention and destruction plan

Records what evidence is retained, where, for how long, and on what destruction schedule. Without this section the engagement leaves a long tail of recoverable evidence that nobody owns. Aligned with the data protection clauses in the SOW or MSA.

Evidence retained against this engagement record:

- Request and response captures from active testing.
- Screenshots, exploitation proofs of concept, and payloads attached to the relevant finding.
- Exported configuration data and scan output uploaded against the engagement.
- Communication records (workspace messages, debrief decision log).
- Reporting artefacts (drafts, accepted final, debrief deck, attestation letter where commissioned).

Retention location: the engagement record on the Testing Party workspace, accessible to the Authorising Party named representatives via the branded client portal for the retention window stated below.

Retention duration: {{RETENTION_DURATION}}
(default twelve months unless the engagement is regulated; seven years for engagements under DORA, MAS TRM, or sector-specific retention rules; aligned with the Authorising Party retention policy where stated in the SOW or MSA).

Destruction schedule: at the end of the retention window the Testing Party will destroy or anonymise the evidence on the engagement record, except for the artefacts the SOW requires be retained for audit beyond that window. Destruction is logged on the engagement record so the destruction event itself remains evidentiary.

Credentials and access:
- All credentials handed over to the Testing Party for authenticated testing have been or will be rotated by the Authorising Party by {{CREDENTIAL_ROTATION_DEADLINE}}.
- All API tokens, service accounts, and VPN access provisioned for the engagement have been or will be revoked by {{ACCESS_REVOCATION_DEADLINE}}.
- The Testing Party confirms that retained credentials are stored under the encryption controls referenced in the SOW or MSA and will be destroyed alongside the rest of the evidence pack at the end of the retention window.

8. Scheme and regulatory closeout (where applicable)

Where the engagement runs under a scheme (CHECK, CREST OVS, CREST STAR, FedRAMP, DORA TLPT, MAS TRM TLPT) the closure letter cites the scheme and the closeout obligation that the scheme imposes.

Scheme references applicable to this engagement closeout (delete those that do not apply):

- UK CHECK: closure of a CHECK-scheme engagement, with named CHECK Team Members per the engagement letter and accreditation register evidence retained per Section 7.
- CREST Defensible Penetration Test: closure aligned with the CREST DPT specification, with named CREST Registered Testers per the engagement letter.
- CREST OVS / STAR: scheme-specific closeout language carried from the SOW and ROE. Scheme-required artefacts retained per Section 7.
- FedRAMP penetration testing: closure aligned with FedRAMP penetration test guidance, with reporting templates and evidence retained per the FedRAMP requirement set.
- DORA TLPT (where applicable to financial entities subject to DORA): closure under the threat-led penetration testing requirements of Regulation (EU) 2022/2554. Tracker authorities notified where required.
- MAS TRM TLPT (Singapore-regulated entities): closure aligned with MAS TRM Notice expectations.
- TIBER-EU: closure aligned with TIBER-EU framework, with TIBER cyber team notified per the framework.
- Other regulator or scheme: {{OTHER_SCHEME_CLOSEOUT_REFERENCE}}

Where the scheme requires evidence of the closeout chain (signed closure letter, accreditation register entries, regulator notification, scheme reviewer artefacts), the Testing Party retains the artefacts as part of the engagement record per Section 7 of this letter.

If no scheme applies to the engagement, this section reads: "Not applicable. The engagement was not run under a regulated scheme."

9. Informational observations and excluded items

Acknowledges that the engagement record holds observations and excluded items beyond the report. The closure letter does not list them line by line; it points the auditor at where they live so the next testing rotation does not have to rediscover them.

In addition to the findings raised to the final report, the engagement record holds:

- Informational observations the Testing Party noted but did not raise to finding status. These remain on the engagement record for reference by the next testing rotation and are not part of the deliverable acceptance in Section 4.
- Items the Authorising Party requested be excluded from the report on documented grounds. These remain on the engagement record with the exclusion reasoning attached, so the audit trail is complete even where the deliverable is not.
- Out-of-scope discoveries that surfaced during testing and were referred back to the Authorising Party rather than tested under this engagement.

The Testing Party confirms that the engagement record is the system of record for these items. The Authorising Party representatives named in Section 2 retain access via the workspace for the retention window stated in Section 7.

10. Lessons learned and programme input

Optional section the buyer commissions when closure is also a programme review point. Captures what worked, what did not, and changes the buyer wants on the next engagement. Skipping this section is fine; reusing it as a marketing testimonial is not.

Lessons learned input from the Authorising Party (optional):
{{LESSONS_LEARNED_FROM_CLIENT}}

Lessons learned input from the Testing Party (optional):
{{LESSONS_LEARNED_FROM_VENDOR}}

Programme changes the Authorising Party requests for the next engagement (optional):
{{PROGRAMME_CHANGES_REQUESTED}}

This section is internal to the engagement record. It is not a marketing artefact and is not to be quoted externally without the explicit written consent of the Authorising Party.

If lessons learned were not formally captured, this section reads: "Not applicable. Lessons learned input was not collected on this engagement."

11. Lapse of authorisation and signatures

The clause that explicitly lapses the engagement letter authorisation, paired with the signatures that close the engagement. This is the section an auditor or scheme reviewer reads to confirm the engagement is closed and not still open in some informal sense.

On the latest signature date below, the authorisation opened by the Engagement Letter referenced in Section 1 lapses, except for the retest scope authorised in Section 6 of this letter and the evidence retention obligations in Section 7. Any further testing of the assets covered by the original Engagement Letter requires a fresh authorisation event (new Engagement Letter and supporting chain, or addendum signed by both parties).

Signed for and on behalf of the Authorising Party (closure):

Name: {{CLIENT_AUTHORISING_NAME}}
Title: {{CLIENT_AUTHORISING_TITLE}}
Signature: ____________________________
Date: ________________________________

Signed for and on behalf of the Testing Party (closure):

Name: {{ENGAGEMENT_LEAD_NAME}}
Title: {{ENGAGEMENT_LEAD_TITLE}}
Signature: ____________________________
Date: ________________________________

This closure letter is effective on the latest of the two signature dates above. The engagement record opened under the Engagement Letter referenced in Section 1 is preserved per Section 7 of this letter.

How to use this template

Confirm the executed engagement letter, statement of work, and rules of engagement references are accurate. The closure letter inherits authorisation from those documents; mismatched references break the audit chain.
Confirm deliverable acceptance with the Authorising Party before signing. The final report acceptance date in Section 4 should match the date the buyer formally accepted the deliverable, not the date it was sent.
Reconcile the findings counts in Section 5 against the final report. Counts that disagree with the report are the most common audit finding on closure letters.
Set the retest authorisation expiry in Section 6 explicitly. Default to thirty to ninety days from the closure date depending on the engagement size and scheme. Avoid open-ended retest windows; they are the source of the report-delivered-but-not-closed drift this letter is meant to prevent.
Complete the evidence retention plan in Section 7. Match the duration to the SOW or MSA retention clause and to any scheme-specific retention rule. Confirm the credential rotation and access revocation deadlines with the Authorising Party rather than assuming they happen automatically.
Trim Section 8 (scheme references) so only the schemes actually applicable to this engagement remain. CHECK, CREST OVS, CREST STAR, FedRAMP, DORA TLPT, and MAS TRM TLPT each impose distinct closeout expectations.
Capture lessons-learned input in Section 10 only when it has been formally collected. Mark the section as not applicable rather than leaving it blank when the input was not gathered.
Get the document signed by both sides on the same authority that signed the engagement letter, or by a delegated equal where the original signatory has rotated off. Lower-level signatures undermine the lapse of authorisation in Section 11.
Store the signed closure letter alongside the engagement record so the chain (proposal, SOW, ROE, engagement letter, test plan, debrief deck, final report, retest evidence, attestation letter, closure letter) lives with the work for audit, scheme review, and the next testing rotation.

Methodology and scheme references

PTES Section 7 (Reporting) treats the closeout as a discrete step from report delivery. See the SecPortal PTES framework page for the operator-first walkthrough.
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, post-test phase. See the SecPortal NIST SP 800-115 framework page.
CREST Defensible Penetration Test specification and CREST CHECK / OVS / STAR scheme documentation. See the CREST penetration testing framework page for the closeout language carried into Section 8.
For TIBER-EU and DORA TLPT closeout chains in financial services, see the SecPortal TIBER-EU framework page and the DORA framework page.
For finding aging context that shapes the retest window in Section 6, the aging pentest findings research covers how long findings sit before closure across pentest portfolios.
For retest economics that shape the retest scope in Section 6, the pentest retest economics research covers how retest cost compounds when authorisation windows are not explicit.

Where the closure letter sits in the engagement

The clean paper trail for a regulated penetration testing engagement runs RFP, proposal, SOW, ROE, engagement letter, test plan, draft report, debrief deck, final report, retest evidence, attestation letter, and closure letter. The closure letter is the last artefact in the chain and the first artefact a scheme reviewer or auditor checks when they ask whether an engagement actually closed or merely went quiet. It pairs with the executed engagement letter (the opening of the authorisation), the debrief deck (the meeting where deliverable acceptance was paced), and the test plan (the scope decomposition the engagement actually executed against).

For the report delivery workflow that produces the deliverable acceptance recorded in Section 4, see pentest report delivery.
For the evidence pack that retains under Section 7, see pentest evidence management.
For the retest workflow authorised under Section 6, see pentest retesting.
For the attestation letter the buyer commissions downstream of closure, see the pentest attestation letter guide.
For the change-order mechanism when retest scope grows beyond what Section 6 authorises, see the pentest scope change addendum template.
For mid-engagement halts (production incident, credential exposure, scope-out asset, regulator hold) that may precede a closure, see the pentest stop-test letter template. Where the halt resolves into closure rather than resumption, this letter cites the stop-test letter as the trigger.
For the long-tail destruction event that closes the retention window opened by Section 7 of this letter, see the pentest evidence destruction certificate template. The certificate executes the retention plan recorded here when the retention window lapses.
For the credential rotation deadline cited in Section 7 of this letter, see the pentest credential handover form template. The handover form opens the credential lifecycle that this closure letter triggers the rotation on.
For the retest trigger that operates inside the retest window declared by this letter, see the pentest retest request form template. The retest request form names the findings in scope and the verification method per finding so the verification work runs on the same record this letter closed the engagement on.
For the underlying engagement record that holds the full chain, see the engagement management feature and the findings management feature.

This template is provided as a starting point for a penetration testing engagement closure letter. It is not legal advice. Have the final letter reviewed by counsel and aligned with the master services agreement, statement of work, rules of engagement, and engagement letter that govern the broader relationship.

Loading tool...

Related features

Orchestrate every security engagement from start to finish

Vulnerability management software that tracks every finding

AI-powered reports in seconds, not days

Your brand. Your portal. Your clients love it.