Internal & External Penetration Testing as a Service


This Consultant Agreement and Statement of Work (collectively the "Agreement" and individually the "Consultant Agreement" and the "SOW"), dated as of the date shown on the signature block of the Consultant Agreement, is made and entered into by and between BLACK BREACH, LLC, and the Client identified on the SOW (collectively, the "Parties"), and shall be effective on the date fully executed by Client and Consultant (the "Effective Date"). 

All references herein to Consultant include all Principals, Employees, Consultants, and Contractors.

RECITALS

WHEREAS, this Agreement is governed by and subject to the terms and conditions of the Master Service Agreement entered into between Client and Consultant. In the event of any conflict between the terms and conditions of this Agreement and the Master Service Agreement, the terms and conditions of this Agreement shall prevail.

WHEREAS, the Parties agree that the services to be provided under this Agreement shall be governed by the provisions set forth in the Master Service Agreement, and the Parties further acknowledge and agree that any additional terms, conditions, or statements of work relating to specific services shall be incorporated as exhibits to the Master Service Agreement.

NOW, THEREFORE, in consideration of the promises, mutual covenants, and agreements set forth herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree as follows:

1. INTRODUCTION 

This Statement of Work outlines the scope and objectives for internal and external penetration testing as a service (PTaaS) to be conducted by Black Breach, LLC for the Client identified on the SOW (collectively, the "Parties"). The primary goal of this engagement is to continuously assess the security of the Client's internal and external network infrastructure and identify potential vulnerabilities that could be exploited by unauthorized individuals.

2. OBJECTIVES

  • To assess the security vulnerabilities of the Client's external and internal network infrastructure on a continuous basis.

  • To evaluate the effectiveness of existing security controls and measures.

  • To identify potential entry points and exploit weaknesses within the network.

  • To provide actionable recommendations for mitigating identified risks.

3. SCOPE OF WORK

3.1 Schedule

  • Penetration testing will be conducted quarterly, with specific dates and milestones outlined in the agreed project schedule.

  • All quarterly testing hours will be identified in the agreed proposal.

  • Internal and external scanning will be conducted monthly.

  • Each testing cycle will commence upon approval and access provision from the Client.

3.2 External Penetration Test as a Service

  • Targets: All external target IP addresses provided by the Client will be identified before the start of testing.

  • Methodology: The test will include the following phases:

    • Internal Reconnaissance: Gathering information about the internal network and systems.

    • Scanning: Identifying active hosts, open ports, and services within the internal network.

    • Vulnerability Analysis: Detecting and analyzing vulnerabilities within the internal environment.

    • Exploitation: Attempting to exploit identified vulnerabilities to gain unauthorized access.

    • Post-Exploitation: Assessing the impact of successful exploits and potential data access.

  • Tools: Utilization of industry-standard tools.

3.3 Internal Penetration Test as a Service

  • Targets: All internal target IP addresses provided by the Client will be identified before the start of testing.

  • Methodology: The test will include the following phases:

    • Internal Reconnaissance: Gathering information about the internal network and systems.

    • Scanning: Identifying active hosts, open ports, and services within the internal network.

    • Vulnerability Analysis: Detecting and analyzing vulnerabilities within the internal environment.

    • Exploitation: Attempting to exploit identified vulnerabilities to gain unauthorized access.

    • Post-Exploitation: Assessing the impact of successful exploits and potential data access.

  • Tools: Utilization of industry-standard tools.

3.4 Monthly Vulnerability Scanning

  • Conduct vulnerability scanning on all internal and external networks, systems, and applications.

  • Identify and prioritize vulnerabilities based on severity ratings.

  • Provide actionable recommendations for remediation of identified vulnerabilities.

4. DELIVERABLES

  • Monthly Vulnerability Scanning Reports: A detailed generated report including:

    • All identified internal and external vulnerabilities prioritized by severity rating.

    • Actionable recommendations for remediation of identified vulnerabilities.

  • Pre-Engagement Meeting: A meeting to discuss the scope, objectives, and rules of engagement.

  • Quarterly Penetration Test Reports: A detailed report including:

    • Executive Summary: High-level overview of findings and recommendations.

    • Methodology: Description of the testing approach and tools used.

    • Findings: Detailed description of identified vulnerabilities, including their severity and impact.

    • Exploitation Evidence: Screenshots, logs, and other evidence of successful exploitation.

    • Recommendations: Actionable recommendations for mitigating identified risks.

  • Post-Engagement Meeting: A meeting to review the findings and discuss remediation strategies and any retesting recommendations.

  • Retesting: The Client is allowed one retest of all identified critical and high findings. All retesting must be completed at least 60 days from the date of delivery of the final report.

5. TIMELINE

  • Project Kickoff

  • Monthly Vulnerability Scanning

  • Quarterly Testing Phase

  • Quarterly Reporting Phase

  • Delivery of Quarterly Reports

  • Post-Engagement Meetings

  • Retesting as Needed

6. RESPONSIBILITIES

6.1 Client Responsibilities

  • Provide access to systems and networks as required.

  • Ensure that key personnel are available if needed.

  • Provide necessary documentation and network diagrams.

  • Ensure that all testing activities are authorized and monitored.

6.2 Black Breach Responsibilities

  • Conduct the penetration tests professionally and ethically.

  • Maintain confidentiality of all sensitive information.

  • Provide regular updates on the progress of the testing.

  • Deliver a comprehensive and actionable final report.

7. CONFIDENTIALITY

  • Both Parties agree to keep all information obtained during the engagement confidential. Black Breach will not disclose any findings or sensitive information to third parties without the Client's written consent.

8. INCIDENT RESPONSE TRIAGE

  • If the Client becomes the victim of a cybersecurity incident, the Consultant agrees to provide three (3) hours of incident response triage free of charge. Incident response triage includes all verbal expert recommendations on attempted recovery and recommended actions to be taken. Recovery is not guaranteed. Additional fees may apply hourly if additional services are required or requested.

9. TERM

  • This Agreement commences on the Effective Date and will remain in effect through the Initial Term and all Renewal Terms, as specified in the SOW, unless otherwise terminated in accordance with the MSA (the Initial Term and all Renewal Terms collectively the "Term"). The Initial Term will be one (1) year from the Effective Date and will automatically renew for successive one-year periods, subject to the then-current conditions and price at the time of renewal. 

10. PAYMENT SCHEDULE

  • For monthly project services, the Client may pay annually or monthly at the Client's convenience. Payment will be due in the first month in which services start, as per the terms outlined in the Consultant Agreement and Statement of Work, and within thirty (30) days of the invoice date. Amounts not paid when due will be subject to a late charge of one and one-half percent (1.5%) per month. Late charges are reasonable liquidated damages for collection fees and are not a penalty.

Invoice Remittance

Payment may be made as follows:

1. Mailed to: Black Breach, LLC, 1025 Rose Creek Drive, Suite 620-214, Woodstock, GA, 30189

2. Provided to Justin Shanken (or designee) in person

3. Wired directly to an account provided by Black Breach to Client

4. ACH directly to an account provided by Black Breach to Client

Last modified July 8, 2024