Avoiding legal issues
As we have seen throughout this book, pentesting can be very intrusive and at times even dangerous if your team doesn't fully understand what is within the scope of the pentest. Testing outside that scope can lead to fines, or even to actions that would be considered illegal under the Computer Fraud and Abuse Act (CFAA). Depending on who and what the pentest team is testing, you could also be breaking other laws, such as federal and state laws; which ones apply would depend on each pentest.
This all being said, let's take a quick look at how we can stay out of trouble with both the law and our clients.
Get-out-of-jail-free card
This is one of the most fundamental factors in ensuring that you stay out of any legal conflict during a pentest. The get-out-of-jail-free card is essentially a piece of paper stating that a pentest team is authorized to pentest the target organization – however, it should also annotate WHAT, WHERE...