Breach Horizon
Authorization required

Rules for testing without surprises.

Breach Horizon security testing is designed to be legal, scoped, evidence-based, and safe for production environments. This page is a public summary; the signed SOW and authorization letter control the actual engagement.

Required before testing

  • Signed authorization from a representative who owns or is authorized to test each target.
  • Exact domains, IPs, applications, portals, APIs, cloud assets, and third-party systems listed in scope.
  • Testing window, timezone, emergency contact, and stop-testing procedure.
  • Allowed intensity: passive, active unauthenticated, authenticated, controlled exploit validation, or internal testing.
  • Data-handling expectations for screenshots, public files, logs, and proof artifacts.

Default exclusions unless separately authorized

  • Denial-of-service, resource exhaustion, or stress testing.
  • Password spraying, credential stuffing, brute force, or bypassing account lockout controls.
  • Real phishing credential capture or social engineering of employees.
  • Persistence, malware, destructive payloads, ransomware simulation, or lateral movement.
  • Testing assets owned by vendors, customers, or third parties unless written authorization is supplied.

How proof-of-impact is handled

  • Prefer configuration evidence, screenshots, headers, public metadata, and safe request/response proof.
  • Do not access, download, or retain sensitive data beyond the minimum needed to prove exposure.
  • Stop when a vulnerability is proven; do not chain findings unless approved in writing.
  • Separate confirmed findings from suspected issues and scanner false positives.
  • Retest only the remediated items or the written retest scope.

Minimum authorization language

Use counsel-reviewed language in production contracts. The operational summary below is the control Breach Horizon applies before any active test starts:

The client represents that it owns or is authorized to test the listed assets and authorizes Breach Horizon to perform the testing activities described in the signed statement of work during the approved testing window. Testing is limited to the listed assets, methods, and intensity. The client may pause or stop testing through the emergency contact procedure at any time.