Service Level Agreement (SLA) & Terms of Service¶
RedPick Automated Penetration Testing Platform
1. Service Availability¶
1.1 Uptime Guarantee¶
BeDefended commits to 99.9% uptime for the dashboard and API: - Uptime Definition: Service available and responsive to authenticated requests - Downtime Exclusions: Scheduled maintenance (announced 48 hours in advance), customer-caused outages - Measurement: Calculated monthly; reported in customer portal
1.2 Maintenance Windows¶
- Scheduled: Sundays 02:00-04:00 UTC (2 hours max)
- Emergency: As-needed for security patches (notify customers within 1 hour)
- Frequency: Typically monthly
1.3 Service Credits (SLA Breach)¶
If monthly uptime < 99.9%:
| Uptime | Credit |
|---|---|
| 99.0% - 99.89% | 10% monthly fee |
| 98.0% - 98.99% | 25% monthly fee |
| < 98% | 50% monthly fee |
Process: Customer files claim within 30 days; verified + credited within 60 days.
2. Penetration Testing Deliverables¶
2.1 Testing Methodology¶
BeDefended follows OWASP Testing Guide v4.2 (OWTG) and NIST SP 800-115 framework.
6-Phase Methodology: 1. Phase 0: Context — Target fingerprinting, tech stack identification 2. Phase 1: Recon — Passive reconnaissance (DNS, WHOIS, historical archives) 3. Phase 2: Discovery — Active endpoint/API discovery, parameter enumeration 4. Phase 3: Scanning — Automated vulnerability scanning (nuclei, nikto) 5. Phase 4: Testing — 17 manual testing skills (injection, auth, access control, etc.) 6. Phase 5: Reporting — Verified findings, CVSS scoring, remediation guidance
2.2 Testing Coverage¶
| OWASP Category | BeDefended Coverage | Tool |
|---|---|---|
| Injection | SQL, NoSQL, Command, LDAP, SSTI, XXE | sqlmap, nuclei, custom scripts |
| Authentication | Session, JWT, OAuth, SAML, MFA bypass | Manual + burp |
| Access Control | IDOR, privilege escalation, authz | Manual testing |
| Sensitive Data | Encryption, transmission, storage | Manual + scanning |
| XML External Entities | XXE injection | nuclei templates |
| Broken Access Control | Testing all user roles | Custom matrixscan |
| Security Misconfiguration | Headers, TLS, cloud misconfigs | nuclei + cloud-specific tools |
| XSS | Stored, reflected, DOM-based | Nuclei, manual, selenium |
| Insecure Deserialization | Java, Python, .NET, PHP, Ruby | ysoserial, custom gadget chains |
| SSRF | Cloud metadata, internal service access | burp, manual testing |
| CSRF | Token validation, SameSite bypass | Manual testing |
| Using Components with Known Vulns | Dependency scanning, SBOM | Dependabot, trivy |
| Insufficient Logging & Monitoring | Error disclosure, debug mode detection | nuclei, manual |
| Broken Authentication | Credential stuffing, session fixation | hydra (auth only), manual |
| API Security | GraphQL injection, prototype pollution | Custom scripts, nuclei |
| Business Logic | Race conditions, workflow bypass | Manual testing |
2.3 Compliance Testing (Optional Add-ons)¶
- PCI-DSS 4.0: Specific requirements mapping (additional cost)
- HIPAA: PHI handling + specific controls (BAA required)
- GDPR: Data protection by design assessment
- SOC 2 Type II: Application security controls testing
3. Reporting & Turnaround¶
3.1 Engagement Phases & Timelines¶
| Phase | Duration | Deliverable |
|---|---|---|
| Scoping & Planning | 1 week | Engagement agreement + test plan |
| Testing | 1-4 weeks | Per engagement scope |
| Report Draft | 3 days | Initial findings (no verification) |
| Verification | 5 days | Confirm exploitability of each finding |
| Final Report | 2 days | Executive summary + detailed findings |
| Remediation Advise | 2 days | (Optional) Meet with development team |
Total Timeline: Typically 3-6 weeks (2-4 weeks testing + 2 weeks reporting/iteration)
3.2 Report Contents¶
Each finding includes: - Title & Description: What the vulnerability is - CVSS 4.0 Score + Vector: Severity assessment - Affected Component: URL, API endpoint, or system - Steps to Reproduce: Technical proof - Proof of Concept: Working curl command or screenshot - Impact Statement: Business risk (confidentiality/integrity/availability) - Remediation: Specific fix (not generic guidance) - CWE/OWASP References: Standards compliance
3.3 Findings Verification¶
Before reporting, BeDefended verifies every finding: 1. ✓ Reproduces the issue independently 2. ✓ Confirms it's not a false positive 3. ✓ Validates impact assessment 4. ✓ Tests remediation (if fix provided)
No finding reported without successful reproduction.
4. Scope & Exclusions¶
4.1 In-Scope Testing¶
- ✅ Vulnerabilities in custom code
- ✅ Misconfigurations (weak TLS, open S3 buckets, etc.)
- ✅ Authentication/Authorization flaws
- ✅ Business logic bypass
- ✅ Client-side vulnerabilities (XSS, CSRF)
- ✅ API security issues
4.2 Out-of-Scope (Unless Explicitly Requested)¶
- ❌ Known vulnerabilities in unpatched 3rd-party software (unless security bypass achieved)
- ❌ Physical security assessment
- ❌ Social engineering / phishing
- ❌ DDoS/Denial of Service testing
- ❌ Network penetration testing (outside web app scope)
- ❌ Mobile app testing (separate engagement)
4.3 Exclusions (Never Tested)¶
- ❌ Destructive Testing: No deletion of production data, no code modification, no resource exhaustion
- ❌ Account Lockout: No brute force attacks leading to account suspension
- ❌ Exfiltration: No mass data theft (may photograph one record for proof)
- ❌ Denial of Service: No sustained attacks to down systems
- ❌ Third-Party Systems: Testing confined to client's infrastructure only
5. Non-Destructive Testing Rules¶
5.1 SQL Injection¶
- ✓ Proof: Time-based, boolean-based, UNION-based (read-only queries)
- ✗ NO data deletion:
DROP,DELETE,UPDATE - ✗ NO data modification:
INSERT
5.2 Command Injection¶
- ✓ Proof:
id,whoami,hostname,uname -a - ✗ NO system commands: No file deletion, user creation, service restart
5.3 Cross-Site Scripting (XSS)¶
- ✓ Proof:
alert(document.domain),console.log('XSS') - ✗ NO malicious payload: Redirect to attacker site, credential theft
- ✓ Stored XSS cleanup: If stored payload left in system, automatically cleaned post-engagement
5.4 File Upload¶
- ✓ Proof: Upload benign test file (
.txt,.png), confirm execution - ✗ NO webshell left behind
- ✗ NO system compromise via upload
5.5 Authentication/Session¶
- ✓ Proof: Demonstrate token prediction/reuse
- ✗ NO account lockout (no brute force)
- ✗ NO credential theft (testing credentials only, provided by client)
6. Testing Tools & Techniques¶
6.1 Permitted Tools¶
Automated: - nuclei (YAML templates) - nikto (web server scanner) - sqlmap (SQL injection) - ffuf (fuzzing) - burp suite community (interception proxy)
Manual: - curl (HTTP requests) - Python/JavaScript (custom testing) - Browser developer tools
6.2 Tools Restricted (Require Written Approval)¶
- Metasploit: RCE exploitation (must be sandboxed, not production)
- Credential Stuffing Tools: (hydra) testing auth only with client-provided creds
- Nmap/Port Scanning: Outside app layer; limited to scoping phase
- Password Cracking: (hashcat) only on hashes extracted during testing
6.3 Tools Prohibited¶
- ❌ Ransomware, wiper tools, malware
- ❌ Zero-click RCE exploits (without explicit approval & testing sandbox)
- ❌ Tools designed for denial of service
- ❌ Data exfiltration tools (wget, scp, exfiltration-specific tools)
7. Rate Limiting & Safe Testing¶
7.1 Request Rate¶
- Discovery: ≤ 10 requests/second
- Fuzzing: ≤ 50 requests/second (or as specified in scope)
- Scanning: ≤ 5 concurrent threads
- If WAF triggers: Immediate pause, escalate to client
7.2 Rate Limit Handling¶
If target rate-limits requests: 1. First 429: Pause 5 minutes 2. Second 429: Pause 30 minutes 3. Third 429: Stop testing, notify client 4. No resumption without client approval
7.3 WAF Ban Handling¶
If IP banned by WAF: 1. Immediate pause (no retries) 2. Notify client: Request IP whitelist or change 3. Alternative: Rotate through proxy (if in scope) 4. Last resort: Continue from different network location (with client consent)
8. Client Responsibilities¶
8.1 Pre-Engagement¶
- [ ] Provide written authorization (scope document signed)
- [ ] Define testing window (dates/times safe to test)
- [ ] Identify emergency contacts (if something breaks)
- [ ] Notify hosting provider (if required by terms of service)
- [ ] Ensure production data is backed up before testing
8.2 During Engagement¶
- [ ] Monitor systems for issues
- [ ] Respond to emergency notifications within 1 hour
- [ ] Clarify unexpected behavior (is it a vulnerability or expected?)
- [ ] Provide API keys/test accounts if needed for deeper testing
8.3 Post-Engagement¶
- [ ] Review findings & provide feedback
- [ ] Implement remediation within reasonable timeframe
- [ ] Schedule retest to verify fixes (separate engagement)
9. Breach of Scope / Non-Compliance¶
9.1 If BeDefended Violates Scope¶
Client may: 1. Pause engagement immediately (no penalty) 2. Demand remediation (e.g., data cleanup) 3. Request replacement tester (new engagement) 4. Claim damages (per contract liability cap)
Liability Cap: Maximum of engagement fee (standard contract)
9.2 If Client Violates Scope¶
- Client provides authorization ONLY for the agreed scope
- If client asks to test systems outside agreement → requires written amendment
- Unauthorized testing → engagement terminates, no refund
10. Compliance & Legal¶
10.1 Data Handling¶
- ✓ All findings encrypted at rest (AES-256)
- ✓ Report transmission via TLS 1.3
- ✓ Data deleted per contract (1 year retention, then purged)
- ✓ GDPR/HIPAA/PCI-DSS compliance per engagement type
10.2 Insurance¶
BeDefended maintains: - Professional Liability Insurance: $2M USD - Cyber Liability Insurance: $5M USD - E&O Insurance: Errors & Omissions coverage
10.3 Dispute Resolution¶
- Good Faith Negotiation: 30 days before escalation
- Arbitration: Per engagement contract (jurisdiction specified)
- No Class Action: Individual claims only
- Statute of Limitations: 2 years after engagement completion
11. Service Credits & Refunds¶
11.1 Quality Guarantee¶
If BeDefended engagement fails to meet quality standards: - Report incomplete: 50% refund - Too many false positives: 25% refund + remediation at no charge - Finding unverifiable: Finding removed; 10% refund for each invalid finding
11.2 Refund Process¶
- Customer submits complaint with evidence
- Internal review within 14 days
- Credit applied to account or refund issued
12. Limitations of Penetration Testing¶
12.1 Testing Limitations¶
- Time-bounded: Comprehensive testing not possible in limited timeframe
- Sample-based: Not every endpoint/parameter tested (risk-based selection)
- Known techniques only: Zero-day vulnerabilities may not be discovered
- Point-in-time: Finding accurate at report date; new vulns may exist post-engagement
12.2 False Positive Rate¶
- Target: ≤ 5% false positive rate
- All findings verified before reporting
- If false positive found post-report: Corrected in retest at no charge
12.3 False Negative Risk¶
- Complete security cannot be guaranteed
- Vulnerabilities may exist outside testing scope
- Continuous monitoring/periodic retesting recommended
13. Changes to Terms¶
- 30-day notice: Changes announced via email + dashboard notification
- Effective: Changes take effect for new engagements immediately, existing engagements proceed under original terms
- Objection: Customer may terminate engagement before change takes effect (no early termination fee)
Contact¶
Support: support@bedefended.com | Escalation: abuse@bedefended.com
Document Version: 1.0 | Effective: 2026-03-17 | Next Review: 2027-03-17