Breach Horizon
Operational legal guardrails

Security testing needs a legal wrapper.

Breach Horizon separates free public-surface scans from active penetration testing. Paid active testing requires a contracting entity, written authorization, defined scope, and rules of engagement.

This page is not legal advice and is not a substitute for counsel-reviewed agreements. It documents the controls Breach Horizon should have in place before selling authorized penetration testing.

Launch checklist

  • Operate through the legal contracting entity named in each SOW or order form.
  • Maintain counsel-reviewed MSA, SOW, authorization letter, and rules-of-engagement templates before selling active testing.
  • Require the client to attest ownership or authorization for every target before testing starts.
  • Carry appropriate professional liability / cyber E&O coverage for paid assessment work.
  • Keep proof artifacts minimal, encrypted where appropriate, and retained only as long as needed for reporting and retest.
  • Keep destructive, credential, phishing, social engineering, and DoS activity out of default scope.

Required document set

Master Services Agreement

Commercial terms, limitation of liability, confidentiality, payment, cancellation, and governing law.

Statement of Work

Specific services, deliverables, pricing, timeline, testing window, and authorized targets.

Authorization to Test

Client attestation that they own or are authorized to test the listed assets.

Rules of Engagement

Allowed techniques, excluded actions, emergency stop process, contacts, and evidence handling.

Data Handling Policy

How reports, screenshots, logs, and proof artifacts are stored, shared, and deleted.

Retest Letter

Short post-remediation verification document confirming what was retested and what changed.

Ready for counsel review, not courtroom improvisation.

The public site can market the offer now, but paid active testing should wait until the entity, insurance, and agreement templates are confirmed.