Which document outlines acceptance criteria and deliverables for a penetration testing engagement?

Multiple Choice

Which document outlines acceptance criteria and deliverables for a penetration testing engagement?

Explanation:
Defining what will be delivered and how it will be judged is handled by the Statement of Work. The SOW explicitly lays out the engagement’s objectives, scope, and the acceptance criteria and deliverables, so both client and tester know what success looks like and what will be delivered at the end.

This document functions as the formal agreement between the parties, outlining what the penetration test will cover, the format and content of the final report, any interim artifacts, and the timeline. The acceptance criteria specify how the deliverables will be evaluated and signed off, ensuring there’s a clear standard for completion. Deliverables typically include the final findings report, an executive summary, evidence artifacts, risk ratings, and a remediation roadmap or plan, along with any required retest results.

The other documents address different aspects: a nondisclosure agreement protects confidentiality, not the scope or outputs; a Written Authorization to Test grants permission but doesn’t define what will be delivered or how acceptance is determined; a Change Request handles modifications during the project, not the initial agreement on deliverables and acceptance criteria.

Because the SOW directly defines both what will be produced and how success is measured, it’s the document that best governs the engagement’s deliverables and acceptance.
