Step 2: Authorization
Example Authorization Agreement
Before we test anything, you sign a short document like this one. It's not complicated — just the essentials to protect both sides. Here's a filled-out example for a fictional company.
info@aks-llc.com
DFW Metroplex
Security Testing Authorization
This document authorizes A.K.S Security, LLC ("Tester") to perform security testing on systems owned and operated by the undersigned party ("Client") under the terms described below.
1. Client Information
2. Authorized Targets
The Client authorizes the Tester to perform security testing on Client-owned assets that are publicly accessible from the internet, consisting of the domains listed below and any subdomains and services under them that the Client owns. Within that scope, the Tester will attempt to discover and access anything an external attacker could reach, including web applications, admin panels, APIs, databases, file storage, subdomains, and any other service exposed to the internet.
The Client confirms that it owns, or has the legal authority to authorize testing against, these assets, including but not limited to:
- www.acmecompany.com
- portal.acmecompany.com
- api.acmecompany.com
3. Exclusions
Testing excludes the following:
Testing is limited to Client-owned systems within the scope defined in Section 2. The Tester will not attempt to access, test, or probe any third-party services, hosting infrastructure, payment processors, or any other system the Client does not own or is not authorized to have tested. Any system discovered during testing that belongs to a third party will be recorded as out of scope and will not be tested.
4. Authorization & Data Handling
The undersigned confirms that they have the legal authority to grant this permission. The Client hereby authorizes A.K.S Security, LLC to perform external security testing against the authorized targets, including automated scanning, manual testing, and attempted exploitation of discovered vulnerabilities. This authorization is valid from the date of signature until the agreed-upon engagement is complete, and the Client may withdraw it at any time by written notice to the Tester.
The Client understands that during testing the Tester may encounter, view, or temporarily download sensitive data, including but not limited to customer records, financial information, personally identifiable information (PII), credentials, and other confidential business data. This access is limited to what is necessary to confirm and document the severity of a discovered vulnerability, and it mirrors the access a real attacker would obtain. Any such data will be handled only within the Tester's secure environment, will not be modified or shared, will be used solely as evidence in the assessment report, and will be permanently deleted when the engagement is complete.
5. Confidentiality
All findings, methods, communications, and materials related to this engagement are confidential. Neither party will disclose any details of this engagement to any third party without prior written consent from the other party. This obligation survives the termination of the engagement indefinitely.
6. Point of Contact
If a critical vulnerability is discovered that poses immediate risk to the Client's systems or data, the Tester will notify the Client immediately using the contact information provided in Section 1.
Client
Jane Smith, CEO
Acme Company, LLC
Date: March 15, 2026
Tester
Eric Turner, Owner
A.K.S Security, LLC
Date: March 15, 2026