What is a penetration testing engagement letter?

A penetration testing engagement letter is the executed authorisation document by which the client formally instructs the testing firm to begin work against a defined scope, on a defined timetable, under named testers. It anchors the chain that runs from proposal to statement of work to rules of engagement, and it is the artefact a tester carries (or references) to evidence permission to test. PTES, NIST SP 800-115, and the CREST Defensible Penetration Test specification all assume the testing party can produce a written instruction to proceed before any reconnaissance starts.

How is an engagement letter different from a statement of work or rules of engagement?

The statement of work (SOW) defines the commercial relationship: scope, deliverables, deadlines, fees, payment terms, and acceptance criteria. The rules of engagement (ROE) defines operational conduct: testing window, allowed and prohibited techniques, communications, evidence handling, and stop-test conditions. The engagement letter is the instruction-to-proceed that authorises a specific instance of the SOW to start, names the engagement reference, identifies the testing team, and confirms that all preconditions (signed SOW, signed ROE, third-party permissions, change-freeze where required) are in place. It is short, signed by an executive with authority to authorise testing, and lives at the front of the engagement record.

When is an engagement letter required separately from the SOW?

Most regulated schemes and many enterprise procurement frameworks require an engagement letter alongside or in addition to the SOW. UK CHECK, CREST OVS, CREST STAR, FedRAMP penetration testing, DORA TLPT, and many financial services testing programmes expect a discrete authorisation letter that names the testers, references the SOW and ROE, and dates the start of testing. Outside regulated programmes, an engagement letter is still useful when the SOW is a master agreement covering multiple instances of work, when third-party hosted assets need a separate authorisation reference, or when the testing team operates from premises that need an explicit get-out-of-jail letter equivalent.

Who needs to sign a penetration testing engagement letter?

A senior representative from the client with authority to authorise security testing of the listed assets must sign. This is typically the same role that signed the SOW, but the engagement letter is a fresh, dated authorisation rather than a contract amendment. The testing firm signs alongside on behalf of the named engagement lead. Where any in-scope asset is hosted, processed, or operated by a third party (cloud provider, managed hosting, SaaS dependency), the engagement letter records that the client has obtained that third party written permission and references the documentation. A junior analyst or developer cannot authorise testing of assets they do not own.

What should an engagement letter always include?

At minimum: engagement reference and date, parties (client legal entity and testing firm), reference to the executed SOW and ROE, scope summary (in-scope assets, methodologies, depth), testing window with start and end dates, named engagement team, communications and escalation contacts, third-party permissions where applicable, scheme references where the engagement is regulated (CHECK, OVS, STAR, FedRAMP, DORA TLPT), authorisation statement, and signatures from both parties. Optional sections cover get-out-of-jail letter language for physical or social engineering, scope-restriction acknowledgements where exclusions are unusual, and explicit references to the change-freeze the client has put in place around the testing window.

Can the engagement letter and the rules of engagement be the same document?

Some consultancies merge them, especially on smaller engagements where the operational rules and the authorisation can fit on one page. The pragmatic discipline is keeping them separate when the engagement is large enough that the ROE runs to several pages, when the regulator expects a discrete authorisation letter, or when the testing team rotates and the ROE evolves while the authorisation remains constant. A merged document tends to confuse signing authority because operational conditions and authorisation conditions get reviewed by different stakeholders. Separate documents reference each other and stay legible for the people who need to act on each.

How long should a penetration testing engagement letter be?

The engagement letter should be short. One to three pages is typical. The letter is an instruction to proceed, not a contract. The contract is the SOW; the operational manual is the ROE. If the engagement letter starts running to five pages, scope or operational detail is leaking out of the SOW or ROE and into the wrong document. The point of the letter is that an executive can read it in five minutes, confirm that authorisation conditions are met, sign, and hand the engagement to the team.

How does the engagement letter relate to the get-out-of-jail letter?

The get-out-of-jail letter is a specific subset of the engagement letter, used where physical access or social engineering is in scope. It is a printed document the testers carry (or can produce on demand) that lets a security guard, a building manager, or a target individual verify that the activity is authorised. It usually quotes the engagement letter authorisation statement, names a 24/7 verification contact, and is signed and dated by the same client authority. On engagements without physical or social testing the engagement letter alone covers the authorisation chain; on engagements with physical or social testing the get-out-of-jail letter is annexed and travels with the operators.

When does an engagement letter expire?

The engagement letter authorises the work described for the testing window stated. Once the testing window closes the authorisation lapses, even if findings remain to be retested. Retests during the contractual retest window run under either an addendum to the engagement letter or under language in the SOW that anticipates the retest scope. The discipline is treating each new instance of testing (initial test, midpoint scope expansion, retest after remediation, surveillance test in a multi-year programme) as a fresh authorisation event, dated and signed accordingly. An engagement letter from twelve months ago does not authorise testing this quarter.

How does SecPortal use the engagement letter in an engagement?

SecPortal stores the engagement letter alongside the engagement record so the authorisation, the SOW, the ROE, the findings, the report, and the retest evidence all live on one record rather than across folders. The activity log captures who uploaded, who reviewed, and who released the engagement to the testing team, so the audit trail walks from instruction to closure without leaving the workspace. When an auditor or scheme reviewer asks for the authorisation chain on a past engagement, the chain reconstructs from the same record the engagement was run against rather than from a separate document drive.

Free Tool

Penetration Testing Engagement Letter Template
authorise testing to begin without leaving the audit trail behind

A free, copy-ready penetration testing engagement letter template. Eleven structured sections covering engagement references, parties, scope summary, testing window, the substantive authorisation statement, the named engagement team, communications, scheme references (CHECK, CREST OVS, CREST STAR, FedRAMP, DORA TLPT), third-party permissions, physical and social engineering annex, and signatures. Sits at the front of the engagement record, inherits scope from the Statement of Work, and inherits operational rules from the Rules of Engagement. Aligned with PTES, NIST SP 800-115, and the CREST Defensible Penetration Test specification.

Get Started Free

No credit card required. Free plan available forever.

Full template

Copy the full engagement letter template

Eleven structured sections. The letter inherits scope and operational rules from the executed statement of work and rules of engagement. Replace every {{PLACEHOLDER}} before signing.

1. Header and engagement references

The letter opens with the engagement reference, the date, and the documents it inherits from. PTES Section 1 (Pre-engagement), NIST SP 800-115, and the CREST Defensible Penetration Test specification all expect a traceable authorisation chain back to the SOW and ROE.

PENETRATION TESTING ENGAGEMENT LETTER

Engagement reference: {{ENGAGEMENT_REFERENCE}}
Letter date: {{LETTER_DATE}}

This letter is the formal authorisation for the testing party named below to commence the penetration testing engagement defined under:
- Statement of Work reference: {{SOW_REFERENCE}}, executed {{SOW_DATE}}
- Rules of Engagement reference: {{ROE_REFERENCE}}, executed {{ROE_DATE}}
- Master Services Agreement (where applicable): {{MSA_REFERENCE}}, executed {{MSA_DATE}}
- Vendor proposal of record: {{PROPOSAL_REFERENCE}}, dated {{PROPOSAL_DATE}}

Where any term of this letter conflicts with the SOW or ROE, the underlying executed document governs and this letter is to be interpreted as an instruction to proceed against those terms rather than a variation.

2. Parties

Names the contracting client (the Authorising Party) and the testing firm (the Testing Party). The signing authority on the client side must hold delegated authority to authorise testing of the listed assets.

Authorising Party (the Client):
- Legal entity: {{CLIENT_LEGAL_NAME}}
- Registered address: {{CLIENT_ADDRESS}}
- Authorising representative: {{CLIENT_AUTHORISING_NAME}}, {{CLIENT_AUTHORISING_TITLE}}
- Email: {{CLIENT_AUTHORISING_EMAIL}}
- Phone: {{CLIENT_AUTHORISING_PHONE}}

Testing Party (the Vendor):
- Legal entity: {{TESTING_FIRM_LEGAL_NAME}}
- Registered address: {{TESTING_FIRM_ADDRESS}}
- Engagement lead: {{ENGAGEMENT_LEAD_NAME}}, {{ENGAGEMENT_LEAD_TITLE}}
- Email: {{ENGAGEMENT_LEAD_EMAIL}}
- Phone: {{ENGAGEMENT_LEAD_PHONE}}
- Scheme accreditations relied upon (if any): {{SCHEME_ACCREDITATIONS}}

3. Scope summary

A concise summary of the in-scope assets, depth, and methodology. The detailed scope lives in the SOW and the ROE; the letter restates the headline so the signing executive can confirm what they are authorising without paging through both documents.

Scope summary (full scope per the SOW and ROE):
- Asset categories in scope: {{ASSET_CATEGORIES}}
  (for example: external web applications, internal network ranges, cloud accounts, mobile applications, source code repositories)
- Counted asset units: {{ASSET_COUNTS_PER_CATEGORY}}
- Test depth: {{TEST_DEPTH}} (PTES Level 1 reconnaissance / Level 2 standard / Level 3 advanced, or equivalent)
- Methodology: {{METHODOLOGY_REFERENCES}} (PTES, NIST SP 800-115, OWASP WSTG, OWASP MASTG, OWASP ASVS, CREST as applicable)
- Out of scope: explicit exclusions per Section 3 of the ROE, including any third-party hosted assets without written authorisation.

The Authorising Party confirms that this summary aligns with the scope locked in the SOW and ROE. Any divergence is to be resolved through the change control mechanism in the SOW before testing begins.

4. Testing window and operating premises

Captures the agreed start, end, and any blackout periods. The letter is an instruction to proceed inside this window; it does not authorise testing outside it.

Primary testing window: {{START_DATE}} {{START_TIME}} ({{TIMEZONE}}) to {{END_DATE}} {{END_TIME}} ({{TIMEZONE}})
Off-hours window for high-impact tests: {{OFF_HOURS_WINDOW}}
Blackout periods (no testing): {{BLACKOUT_PERIODS}}
Source IPs the Testing Party will operate from: {{SOURCE_IPS}}
Operating premises (where testers will be physically located): {{OPERATING_PREMISES}}

Outside this window, this engagement letter does not authorise any testing activity. Retests after the testing window close are governed by the retest clause in the SOW or by a separate addendum to this letter.

5. Authorisation statement

The substantive permission to test, expressed clearly so an auditor or scheme reviewer can find it without parsing the surrounding text. This is the clause that converts a contract into an instruction-to-proceed.

The Authorising Party authorises the Testing Party, through its named engagement lead and the engagement team identified in Section 6, to perform the activities defined in the Statement of Work and Rules of Engagement against the assets summarised in Section 3, during the window in Section 4.

The Authorising Party warrants that:
1. It owns or has the right to authorise security testing of every asset within scope.
2. Where an asset is hosted, processed, or operated by a third party, written permission has been obtained and is referenced in Section 9.
3. It has notified internal stakeholders (security operations, incident response, change control, business owners) whose detection or response activity may overlap with the testing window.
4. A change-freeze sufficient to keep scope stable across the testing window has been put in place where this is required by the SOW or scheme.

The Testing Party undertakes to operate within the rules in the ROE, to communicate findings within the agreed severity SLAs, and to invoke a stop-test under the conditions defined in Section 9 of the ROE.

6. Named engagement team

Lists the testers authorised to operate under this letter. Regulated schemes (CHECK, OVS, STAR, DORA TLPT) require named individuals with verifiable accreditations. The list is the boundary of who is covered by the authorisation in Section 5.

The following individuals are authorised to perform testing under this engagement letter:

1. {{TESTER_1_NAME}}, {{TESTER_1_ROLE}}, accreditations {{TESTER_1_ACCREDITATIONS}}
2. {{TESTER_2_NAME}}, {{TESTER_2_ROLE}}, accreditations {{TESTER_2_ACCREDITATIONS}}
3. {{TESTER_3_NAME}}, {{TESTER_3_ROLE}}, accreditations {{TESTER_3_ACCREDITATIONS}}

Substitutions: any change to the named team during the engagement requires written notice from the Testing Party engagement lead to the Authorising Party representative. Substitutions affecting scheme-accredited roles (CHECK Team Member, CREST Registered Tester, OVS, STAR) require written acknowledgement from the Authorising Party before the new tester operates under this authorisation.

7. Communications and escalation

Restates the named contacts and severity SLAs from the ROE so the signing executive sees the live escalation path attached to the authorisation. Detailed mechanics live in Section 6 of the ROE.

Primary communication channel: secure messaging inside the engagement workspace operated by the Testing Party.
Secondary channel: email to the addresses below, with PGP encryption available on request.
Out-of-band escalation: phone numbers below, available during the testing window.

Authorising Party contacts:
- Engagement lead: {{CLIENT_LEAD_NAME}}, {{CLIENT_LEAD_EMAIL}}, {{CLIENT_LEAD_PHONE}}
- Security escalation: {{CLIENT_SECURITY_ESCALATION_NAME}}, {{CLIENT_SECURITY_ESCALATION_CONTACT}}
- 24/7 stop-test contact: {{CLIENT_STOP_TEST_PHONE}}

Testing Party contacts:
- Engagement lead: {{TESTING_LEAD_NAME}}, {{TESTING_LEAD_EMAIL}}, {{TESTING_LEAD_PHONE}}
- Engagement escalation: {{TESTING_ESCALATION_NAME}}, {{TESTING_ESCALATION_CONTACT}}

Severity SLAs (per ROE Section 6):
- Critical: same business day, ideally within four hours, by phone followed by written confirmation.
- High: one business day in the workspace with a summary email to the Authorising Party lead.
- Medium: visible in the workspace as logged and summarised at the agreed checkpoint cadence.
- Low and informational: consolidated into the final report.

8. Scheme references and regulatory context

Where the engagement runs under a scheme (CHECK, CREST OVS, CREST STAR, FedRAMP penetration testing, DORA TLPT, MAS TRM TLPT) the letter cites the scheme and the requirement that the scheme imposes on the authorisation chain.

Scheme references applicable to this engagement (delete those that do not apply):
- UK CHECK: testing performed under the CHECK scheme by accredited team members. CHECK requires a named authorising individual with documented authority over the listed assets.
- CREST Defensible Penetration Test: methodology aligned with the CREST DPT specification, with named CREST Registered Testers per Section 6.
- CREST OVS / STAR: scheme-specific scope and methodology constraints carried from the SOW and ROE.
- FedRAMP penetration testing: aligned with FedRAMP penetration test guidance, with reporting templates per the FedRAMP requirement set.
- DORA TLPT (where applicable to financial entities subject to DORA): testing performed under the threat-led penetration testing requirements of Regulation (EU) 2022/2554.
- MAS TRM TLPT (Singapore-regulated entities): aligned with MAS TRM Notice expectations.
- Other regulator or scheme: {{OTHER_SCHEME_REFERENCE}}.

Where the scheme requires evidence of the authorisation chain (signed letter, accreditation register entries, regulator notification), the Testing Party will retain the artefacts as part of the engagement record per Section 7 of the ROE.

9. Third-party permissions

Where any in-scope asset is hosted or operated by a third party, the letter records the permission reference. This is the clause that prevents authorised testing of an asset the client does not own from becoming unauthorised testing of someone else system.

Third-party permissions referenced under Section 5(2):

1. Third party: {{THIRD_PARTY_1_NAME}}
   Asset(s) covered: {{THIRD_PARTY_1_ASSETS}}
   Permission reference: {{THIRD_PARTY_1_PERMISSION_REF}}, dated {{THIRD_PARTY_1_PERMISSION_DATE}}
2. Third party: {{THIRD_PARTY_2_NAME}}
   Asset(s) covered: {{THIRD_PARTY_2_ASSETS}}
   Permission reference: {{THIRD_PARTY_2_PERMISSION_REF}}, dated {{THIRD_PARTY_2_PERMISSION_DATE}}
3. Third party: {{THIRD_PARTY_3_NAME}}
   Asset(s) covered: {{THIRD_PARTY_3_ASSETS}}
   Permission reference: {{THIRD_PARTY_3_PERMISSION_REF}}, dated {{THIRD_PARTY_3_PERMISSION_DATE}}

If no in-scope asset is hosted or operated by a third party, this section reads: "Not applicable. All in-scope assets are owned and operated by the Authorising Party."

10. Physical access and social engineering (annex)

Only included if physical or social engineering is in scope. The annex carries the get-out-of-jail letter language so a tester or operator can produce it on demand at a target premises.

Physical access and social engineering activities are ONLY authorised where this section is signed and the get-out-of-jail letter referenced below is attached and carried by every operator on site.

In-scope locations: {{PHYSICAL_LOCATIONS}}
In-scope individuals or roles for social engineering: {{SE_TARGET_NAMES_OR_ROLES}}
Authorised techniques: {{PHYSICAL_AND_SE_TECHNIQUES}}

Get-out-of-jail letter:
- Issued by: {{CLIENT_AUTHORISING_NAME}}, {{CLIENT_AUTHORISING_TITLE}}, {{CLIENT_LEGAL_NAME}}
- Date: {{LETTER_DATE}}
- 24/7 verification phone: {{LETTER_VERIFICATION_PHONE}}
- Quoted authorisation statement: see Section 5 of this engagement letter.
- Carried by: every tester or operator working on site at the listed locations.

If physical access and social engineering are out of scope, this section reads: "Not applicable. The engagement is restricted to remote technical testing per the SOW and ROE."

11. Signatures and instruction to proceed

The closing block converts the letter into an executed authorisation. A senior representative from the Authorising Party with delegated authority must sign, alongside the Testing Party engagement lead.

Signed for and on behalf of the Authorising Party:

Name: {{CLIENT_AUTHORISING_NAME}}
Title: {{CLIENT_AUTHORISING_TITLE}}
Signature: ____________________________
Date: ________________________________

Signed for and on behalf of the Testing Party:

Name: {{ENGAGEMENT_LEAD_NAME}}
Title: {{ENGAGEMENT_LEAD_TITLE}}
Signature: ____________________________
Date: ________________________________

Effective on the latest of the two signature dates above. Testing may not commence before the effective date.

How to use this template

Confirm that the executed statement of work and rules of engagement are in place. The engagement letter is an instruction to proceed against those documents, not a substitute for them. If the SOW or ROE is not yet signed, the letter cannot be issued.
Confirm scope and tester-day budget against the validated scoping output. The pentest scoping calculator produces the asset count, complexity, and depth assumptions referenced in Section 3.
Replace every {{PLACEHOLDER}} with engagement-specific values. Do not leave placeholders in the executed letter. Pay particular attention to Section 6 (named engagement team) where regulated schemes require accredited individuals.
Add or trim Section 8 (scheme references) so only the schemes actually applicable to this engagement remain. CHECK, CREST OVS, CREST STAR, FedRAMP, and DORA TLPT each impose distinct authorisation expectations.
Where physical access or social engineering is in scope, complete Section 10 and produce the get-out-of-jail letter as a standalone artefact for testers operating on site. Where it is not, mark Section 10 as not applicable.
Get the document signed by both sides before any reconnaissance starts. Reconnaissance is testing for the purpose of authorisation; an unsigned letter does not authorise reconnaissance any more than it authorises exploitation.
Store the signed engagement letter alongside the engagement record so the authorisation chain (proposal, SOW, ROE, engagement letter) lives with the work for audit, scheme review, and retest purposes.

Methodology and scheme references

PTES Section 1 (Pre-engagement interactions) treats the authorisation chain as non-optional. See the SecPortal PTES framework page for the operator-first walkthrough.
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, planning phase.
CREST Defensible Penetration Test specification and CREST CHECK / OVS / STAR scheme documentation. See the CREST penetration testing framework page for accreditation context that may belong in Section 6.
For TIBER-EU and DORA TLPT authorisation chains in financial services, see the SecPortal TIBER-EU framework page and the DORA framework page.
For severity-driven communications under Section 7, the vulnerability remediation SLA calculator produces a defensible severity rubric you can carry into the SOW and ROE this letter inherits from.

Where the engagement letter sits in the engagement

The clean paper trail for a regulated penetration testing engagement runs RFP, proposal, SOW, ROE, engagement letter. The letter is the last artefact before testing starts and the first artefact a scheme reviewer or auditor checks when they reconstruct the authorisation chain. The accepted vendor proposal flows into the SOW; the SOW carries operational rules into the ROE; the ROE binds testers to conduct; the engagement letter authorises the team to begin.

For the operational decomposition of the SOW into the day-by-day work the team will execute under this authorisation, see the pentest test plan template. The plan is acknowledged by the client at kickoff against the executed engagement letter.
For pre-engagement intake and kickoff workflow against the engagement letter, see pentest client onboarding.
For running the awarded engagement once the letter is signed, see pentest project management.
For credential handover that often runs alongside the letter, see credential handover for pentests.
For retests authorised by an addendum to the letter, see pentest retesting.
For the closeout artefact that lapses this authorisation cleanly at the end of the engagement, see the pentest closure letter template. The closure letter pairs to this engagement letter and records the retest scope, evidence retention plan, and lapse of authorisation.

This template is provided as a starting point for a penetration testing engagement letter. It is not legal advice. Have the final letter reviewed by counsel and aligned with the master services agreement, statement of work, and rules of engagement that govern the broader relationship.

Loading tool...

Related features

Orchestrate every security engagement from start to finish

Vulnerability management software that tracks every finding

Your brand. Your portal. Your clients love it.