When a penetration tester finds a critical vulnerability in your network, you need to know exactly what you're paying for, who owns the findings, and what happens if something goes wrong. Penetration testing contracts are where vague expectations meet real liability—getting them right protects both your security posture and your budget. This guide walks you through the non-negotiable terms every customer should review before signing.
Scope Definition and Rules of Engagement
The contract must specify what systems, networks, and applications the tester will attack. Vague scope language leads to either incomplete testing or surprise out-of-scope charges. Your agreement should name specific IP ranges, domains, cloud environments (AWS accounts, Azure subscriptions), and third-party integrations that will be tested.
Rules of engagement are equally critical. These define what the tester can and cannot do—for instance, whether they can perform DoS attacks, access production databases, or test during business hours. Make sure the contract explicitly states whether external testing only, internal testing only, or both are included. If your infrastructure depends on a third-party vendor (payment processor, cloud host), clarify whether the testing scope extends to their systems or stops at your integration point.
Also confirm testing windows. A 9-to-5 Monday–Friday penetration test might miss your night-shift vulnerabilities. Push for 24/7 testing if your operations demand it, though expect higher costs (typically 20–40% more).
Timeline and Deliverables
Expect active testing to last 1–2 weeks for SMB environments and 3–6 weeks for enterprise infrastructure. The contract should specify:
- Start and end dates for active testing
- Reporting timeline—usually 2–4 weeks after testing concludes
- Number of report revisions included (request at least two rounds of feedback before final delivery)
- Vulnerability re-testing scope (after you patch, will the tester retest those findings at no extra cost, or is that a separate engagement?)
Clarify what "deliverables" actually includes. A basic report lists vulnerabilities with CVSS scores. A thorough one adds proof-of-concept code, business impact analysis, and remediation roadmaps. Don't assume—ask for a sample report before contracting.
Liability, Ownership, and Confidentiality
This is where customers get burned. Your contract must answer:
- Who owns the findings? You should own the testing report, the vulnerability list, and any proof-of-concept code. The tester retains their methodology, but findings belong to you.
- NDA and confidentiality: The tester's agreement should prohibit them from sharing your vulnerabilities, network topology, or any identifying details with competitors or the public.
- Liability caps: Most testers limit liability to the contract fee. Push back if your business operates critical infrastructure—negotiate higher limits or carve out exceptions for gross negligence or data breaches caused by the tester.
- Insurance: Ask if the testing firm carries professional liability and cyber insurance. This protects you if their testing activity damages your systems.
Cost and Fee Structure
Penetration testing costs $3,000–$15,000 for small networks, $15,000–$50,000 for mid-market, and $50,000+ for enterprise environments. Price depends on infrastructure size, complexity, and engagement length.
Confirm what's included:
- One-time testing vs. annual retesting
- Remediation support (some firms offer post-test consultation at an hourly rate)
- Re-testing after you patch vulnerabilities
- Travel costs (if on-site testing is required)
Watch for hidden fees. Some contracts charge extra for wireless testing, social engineering, or physical security assessments. Request an itemized fee breakdown upfront.
Compliance and Standards Alignment
If you operate under regulatory requirements (PCI-DSS, HIPAA, SOC 2), confirm the testing methodology aligns with those standards. NIST SP 800-115 and OWASP Testing Guide are common frameworks. Ask whether the tester's report will include compliance-specific sections your auditors expect.
Communication and Escalation
Define how critical findings get reported. If the tester discovers active exploitation or imminent risk, the contract should specify immediate notification (within 24 hours, usually). Regular status updates—weekly or bi-weekly—should be included.
Platforms like Mercoly help you compare and vet penetration testing providers against these criteria, surfacing firms with transparent pricing, clear scope definitions, and documented compliance practices.
Frequently Asked Questions
Q: Can I negotiate payment terms, or is penetration testing always upfront? A: Many firms require 50% upfront with the balance due before final report delivery. Some offer net-30 terms for established customers—ask, but expect upfront payment if you're a first-time client.
Q: What's the difference between penetration testing and vulnerability scanning, and should I include both? A: Scanning is automated and finds known vulnerabilities; penetration testing is manual exploitation that discovers real-world attack chains. Both have value—scanning catches easy wins monthly or quarterly, while penetration testing validates business risk annually.
Q: Do I need re-testing if the tester finds zero critical vulnerabilities? A: Yes. A clean report doesn't mean your infrastructure is invulnerable, and your environment changes constantly. Annual or bi-annual testing remains essential.
Review these contract terms carefully, ask your provider direct questions about anything unclear, and don't skip the legal review—a solid penetration testing engagement is built on clear agreements.