Which of the following documents describes specific activiti - CompTIA Pentest+ PT0-003

Correct Answer: C. SOW (Statement of Work)

The Statement of Work (SOW) is a document that outlines specific activities, deliverables, and schedules for a penetration tester. It provides detailed information on what is expected during the engagement, including:

• Scope of work (what systems/networks are in scope)
• Methodologies (types of testing, e.g., black-box, gray-box)
• Deliverables (final reports, findings, recommendations)
• Timelines and schedules (testing duration, deadlines for reports)
• Responsibilities of both parties

The SOW is a legally binding document that sets clear expectations for both the penetration tester and the client.

• It ensures that the engagement stays within defined parameters, avoiding scope creep or legal issues.

Why the Other Options Are Incorrect:

NDA (Non-Disclosure Agreement)

• Purpose: Protects sensitive/confidential information from being disclosed to unauthorized parties.

• Why incorrect? An NDA focuses on confidentiality, not defining activities, deliverables, or schedules.

Incorrect because an NDA does not outline specific work details or timelines.

MSA (Master Services Agreement)

• Purpose: Defines the general terms and conditions for a business relationship between two parties.

• Includes: Payment terms, liability, dispute resolution, and overall service guidelines.
• Why incorrect? An MSA is a high-level contract that governs multiple engagements but does not specify deliverables and timelines for a specific penetration test.

Incorrect because an MSA is a broad agreement, not a specific work plan.

MOU (Memorandum of Understanding)

• Purpose: A formal but non-binding agreement that outlines general expectations between parties.

• Often used for: Partnerships, government agreements, and informal business relationships.
• Why incorrect? An MOU is not legally binding and does not specify exact deliverables, tasks, or schedules for a penetration test.

Incorrect because an MOU is too informal and lacks enforceable details about penetration testing activities.