Cynetix
Legal Document

Statement of Work

Document No. CYN-SOW-___  |  Version 2.1  |  March 2026
This Statement of Work ("SOW") is incorporated into and subject to the Master Service Agreement ("MSA") between Cynetix LLC and the Client identified below. In the event of conflict, the MSA controls except as expressly stated herein. This SOW becomes effective upon signature by both parties and constitutes written authorization to commence the engagement.
Engagement Overview

Project Identification

Field  |  Details
SOW Number  |  
Client Name  |  
Engagement Name  |  
MSA Reference  |  CYN-MSA-
Engagement Type  |  
Testing Methodology  |  ☐ Black Box   ☐ Gray Box   ☐ White Box
Proposed Start Date  |  
Proposed End Date  |  
Report Delivery Date  |  
Total Engagement Fee  |  $
Section 1

Points of Contact

Role  |  Name  |  Title  |  Email  |  Phone
Cynetix Project Lead  |    |    |    |  
Client Technical POC  |    |    |    |  
Client Executive Sponsor  |    |    |    |  
Emergency / Stop Contact  |    |    |    |  
Section 2

Scope of Work

2.1 Services to Be Performed

Cynetix shall perform the following services during this engagement:

  • ☐  External Network Penetration Testing
  • ☐  Internal Network Penetration Testing
  • ☐  Web Application Security Testing
  • ☐  Mobile Application Security Testing (iOS / Android)
  • ☐  Cloud Infrastructure Assessment (AWS / Azure / GCP)
  • ☐  Red Team Operations
  • ☐  Social Engineering / Phishing Simulation
  • ☐  Physical Security Assessment
  • ☐  Wireless Network Assessment
  • ☐  Other:  

2.2 In-Scope Assets

The following assets are explicitly authorized for testing. Testing shall be limited strictly to these assets:

[List IP ranges, CIDR blocks, hostnames, URLs, application names, or asset descriptions]

2.3 Explicitly Out-of-Scope

The following systems and actions are explicitly excluded from this engagement and shall not be tested or performed under any circumstances:

[List excluded IP ranges, systems, third-party services, or prohibited actions]

2.4 Testing Environment

Testing Environment:   ☐ Production   ☐ Staging / QA   ☐ Development   ☐ Mixed

Special environment notes or access requirements:

 
⚠️ Production Environment Notice

Testing in production environments carries inherent risk of service disruption. If testing is to be conducted in a production environment, Client acknowledges this risk and approves all testing activities. Cynetix will follow aggressive-but-careful operational security practices and stop testing immediately upon Client's request.
Section 3

Testing Windows & Schedule

Phase  |  Activity  |  Start  |  End  |  Permitted Hours
Kickoff  |  Scoping call, credential handoff, environment access  |    |    |  Business hours
Reconnaissance  |  Passive & active information gathering  |    |    |  ☐ 24/7   ☐ Business hrs
Active Testing  |  Exploitation, lateral movement, privilege escalation  |    |    |  ☐ 24/7   ☐ Business hrs
Reporting  |  Analysis, report writing, internal review  |    |    |  Internal
Debrief  |  Report delivery, findings walkthrough, Q&A  |    |    |  Business hours
Retest  |  Verification of remediated vulnerabilities  |    |    |  Business hours
Section 4

Deliverables

Upon completion of active testing, Cynetix shall deliver the following:

Deliverable  |  Description  |  Format  |  Timeline
Executive Summary Report  |  High-level findings, risk ratings, and strategic recommendations for non-technical leadership  |  PDF  |  Per SOW schedule
Technical Report  |  Detailed vulnerability descriptions, evidence (screenshots, PoC), CVSS scores, and remediation steps  |  PDF  |  Per SOW schedule
Finding Tracker  |  Spreadsheet of all findings with severity, status, and remediation owner fields  |  XLSX  |  With report
Debrief Presentation  |  Walkthrough of key findings, attack chains, and remediation priorities  |  Video call / Slides  |  Within 5 days of report
Retest Report  |  Verification of remediated issues with pass/fail status  |  PDF  |  After remediation

All reports are delivered via secure encrypted channel. Raw data, logs, and exploit code are not included in deliverables by default; inclusion requires separate written agreement.

Section 5

Fees & Payment Schedule

Milestone  |  Amount  |  Due Date
Kickoff Payment (50%) — Due upon SOW execution  |  $  |  
Completion Payment (50%) — Due upon report delivery  |  $  |  Upon delivery
Total Engagement Fee  |  $  |  

Additional expenses (travel, lodging) if applicable: ☐ Included in fee   ☐ Billed separately at cost

Section 6

Assumptions & Dependencies

This SOW is based on the following assumptions. If any assumption proves incorrect, Cynetix reserves the right to adjust scope, timeline, or fees accordingly with Client's written consent:

  • Client will provide VPN access, credentials, or other necessary access to in-scope systems within 2 business days of SOW execution;
  • Client will designate an available technical point of contact throughout the engagement;
  • Scope will not change materially after testing commences without a signed Change Order;
  • Client's infrastructure will be reasonably stable during the testing window;
  • All third-party hosting and cloud provider authorizations have been obtained prior to the start date;
  • Additional assumptions:  

⚠️ Attorney Review Recommended

This SOW is a template. Review by qualified legal counsel is recommended before execution.

Signatures

This Statement of Work is incorporated into the Master Service Agreement and is binding upon execution. By signing, Client confirms in-scope assets are owned or lawfully controlled by Client and authorizes Cynetix to perform the services described herein.

Cynetix LLC

Client