Interactive Tool
Pentest SOW Builder
Standardize your Statement of Work to ensure your test covers the right controls and provides the evidence auditors require.
What's in the template?
A professional SOW removes surprises. Our template covers the four critical pillars of a SOC 2-ready penetration test.
Scope Definition
- In-scope assets (apps, APIs, cloud, network) with URLs/IP ranges.
- Authentication flows and test accounts; MFA/SSO notes.
- Data sensitivity, third-party dependencies, and change freeze windows.
Methodology & ROE
- Testing windows and expected noise levels.
- Exploitation depth (read-only vs. proof-of-concept) and social engineering limits.
- Rate limits, safe-list configuration, and kill-switch contacts.
Deliverables
- Executive summary plus technical report with CVSS scores and likelihood ratings.
- Evidence for each finding (reproduction steps, screenshots, payloads).
- Retest window and the evidence required to close findings.
Legal & Compliance
- Data handling and retention (where reports live, how long).
- Liability caps and breach notification triggers.
- Right to share a sanitized report with customers.
Auditor Tip
Auditors check your SOW to verify that the "System Boundary" described in your SOC 2 report matches the targets actually tested. Misalignment here is a common cause of audit delays.
Define your scope and testing parameters to generate a professional Statement of Work.
Why this tool works
1. Zero Ambiguity: clearly defines what is (and isn't) being tested to avoid scope creep.
2. Auditor Approved: structured to provide the specific evidence the Trust Services Criteria require.
3. Fixed Results: helps establish expectations for a retest window and a clean reporting format.
