Required before testing
- Signed authorization from a representative who owns or is authorized to test each target.
- Exact domains, IPs, applications, portals, APIs, cloud assets, and third-party systems listed in scope.
- Testing window, timezone, emergency contact, and stop-testing procedure.
- Allowed intensity: passive, active unauthenticated, authenticated, controlled exploit validation, or internal testing.
- Data-handling expectations for screenshots, public files, logs, and proof artifacts.