Contracts
Put the legal boundaries around a penetration testing engagement
Fixed-fee drafting or review of penetration testing agreements for New Zealand cybersecurity engagements.
100,000+ businesses helped


What's included
A document-focused service for penetration testing terms, permissions and risk allocation
A fixed fee penetration testing agreement drafted or reviewed around scope, permissions, privacy, reporting and liability for cybersecurity engagements.
- Drafting or review of a penetration testing agreement for your engagement model
- Coverage of authorised testing scope, timing, systems and permissions
- Clauses dealing with confidentiality, findings, reporting and use of results
- Privacy and data-handling terms relevant to the testing activity
- Liability and responsibility wording for service boundaries and follow-up actions
- Lawyer consultation and written legal feedback on the agreement
Project
Penetration Testing Agreement
Status
Complete
Prepared by
Alex Solo
Senior Lawyer

FAQs
Frequently asked questions
Unsure about how we work? We have gathered the most common questions for your convenience.
The biggest problem is usually uncertainty about what the tester is authorised to do, on which systems, during what period, and with what limits. If those boundaries are unclear, disputes can arise over service scope, access rights, outages, handling of discovered vulnerabilities, or whether certain activity went beyond permission. Privacy and confidentiality issues can also become serious if personal or sensitive business information is exposed during testing. A well-structured agreement helps define the engagement clearly, but the legal position still depends on how the work is carried out in practice.
These agreements commonly deal with the systems and environments in scope, the type of testing permitted, timing windows, client approvals, access credentials, reporting obligations, confidentiality, ownership and use of deliverables, data handling, liability allocation and what happens if testing reveals critical issues. Depending on the engagement, the agreement may also need to address third-party platforms, subcontractor involvement, or restrictions on live-environment testing. We draft or review the document with those practical issues in mind, rather than relying on generic service terms that may leave key permissions unclear.
A standard IT services contract may cover fees and basic confidentiality, but penetration testing usually involves authorised attempts to identify weaknesses in live or sensitive systems. That creates a different risk profile from ordinary support or software work. Templates often fail to deal properly with testing boundaries, evidence capture, treatment of discovered vulnerabilities, handling of personal information, and the line between reporting issues and fixing them. A tailored agreement is usually the better option where the engagement includes sensitive environments, regulated data, or a client that expects precise wording around permissions and liability.
We usually need to know who is engaging whom, what systems or environments are being tested, whether testing is internal or client-facing, whether subcontractors are involved, how findings will be reported, and whether the engagement includes any follow-up advisory work. It also helps to understand how your business collects, uses and shares information during the engagement, because that can affect the privacy wording. The best approach depends on how the parties work together, what has already been agreed and where the main risks sit, not just the service label on the proposal.
Not automatically. The fixed fee is for the penetration testing agreement itself and the legal issues tied to that document. If your engagement also includes remediation work, retesting, managed security support, or a longer-term advisory relationship, those extra elements may need additional drafting so the contract reflects the full commercial arrangement. The service does not include technical implementation, security remediation, or ongoing representation. If you need broader contract support beyond the testing engagement, we can discuss a separate scope once we understand the setup.
Just submit an enquiry via this page, or click the 'get started' button on our website. One of our legal consultants will review your enquiry within 1 business day and get in touch to get a better idea of exactly what you are looking for.
Then your legal consultant will send through an email with a bit more information about the services you need, along with a fixed fee quote setting out costs, scope of the service and timing. Have a read through it, and if you're happy with the scope, you can accept and sign our engagement letter online - easy!
Once you've formally accepted, we'll connect you with a specialist lawyer and they will work with you to complete your project. They will contact you by email or phone if they need to get in touch.
Sprintlaw works on fixed-fee pricing wherever possible, so you can review the scope and cost before you decide whether to proceed. For the Penetration Testing Agreement service, pricing starts from $900.00.
After you enquire, a legal consultant will confirm what is included, the expected timing and whether any extra work is needed before you engage us.
We operate completely online, which means we can help you wherever you are in New Zealand. We have office spaces in Sydney and Melbourne, but our use of technology allows our team members to work remotely from around the world. Our legal team are mostly based in Sydney, Melbourne, Brisbane and Perth. We also have a London office for Sprintlaw UK.
Our legal team is made up of experienced lawyers, who are specialists in various areas of law and hold an Australian legal practising certificate. None of our Sprintlaw lawyers are New Zealand qualified lawyers and they do not currently hold a New Zealand practising certificate.
They provide legal services working remotely from Australia via our 'legal consultancy' model, through which (under section 6 and section 35 of the New Zealand Lawyers and Conveyancers Act 2006) our Australian legal team are permitted to provide legal services to New Zealand businesses provided they do not provide services in certain 'reserved' areas of law. You can read our FAQ page to learn a bit more about our 'legal consultancy' model.
Given the strong similarities between Australian and New Zealand law, and the areas of law in which we practise (being small business and startup law), we do not view the fact that our lawyers have not qualified in New Zealand as having any substantive impact on the quality of our service. We are committed to ensuring that we provide high quality, affordable legal services to all our New Zealand clients.
Our legal team have all trained at leading firms, but have left the traditional corporate law world to join us on our mission to create a new and better way of delivering legal services. They have specialist expertise in technology law, intellectual property law, contract drafting and review, corporate law and commercial law.
From quote to delivery in three simple steps
Getting quality legal help for your business has never been easier or more affordable.
Get a free quote
Our legally trained consultants will prepare a fixed-fee quote for you.
Accept online
Accept your fixed-fee quote and e-sign our engagement letter.
Speak with a lawyer
Our expert lawyers will talk you through your project via phone, video call or whatever suits.
We've helped over 100,000 businesses
From startups to established teams, we consistently deliver a 5 star service.
“Can’t speak highly enough of my experience with Sprintlaw - quality advice, fast and efficient responsiveness and a professional product.”
Alex Wickert
MD, Adapt Leadership
“I’m so glad I used Sprintlaw - it was easy, affordable and their lawyers gave top quality advice. I could tell they really cared about my business.”
Emmy Samtani
Founder, Kiindred
“They’ve helped us tremendously and are seriously knowledgeable and honest. Couldn’t recommend the crew at Sprintlaw more!”
Amit Tewari
CEO, Soul Burger
Not sure where to start?
We can help.
Book a phone call with a legal consultant to get started.
Need help now?
0800 002 184