When finalizing a penetration test report before delivery to a client, a technician should consult which document to ensure that all acceptance criteria are satisfied?

Finalizing a penetration test report hinges on making sure the delivery matches what was agreed with the client in the contract. The Statement of Work defines the scope, deliverables, timeline, and the acceptance criteria that determine whether the client will sign off. By consulting the SOW, the technician verifies that the report covers the in-scope assets, includes the required evidence, presents findings with appropriate risk ratings, provides remediation guidance, and follows the agreed format and schedule. This alignment prevents misinterpretation or missed expectations and gives a clear path to client acceptance and formal sign-off. The NDA protects confidentiality but does not govern acceptance criteria; a report template offers structure but not the contractual requirements or acceptance standards; a risk assessment focuses on identifying and prioritizing threats rather than the content and delivery criteria of the final report.