Which of the following is the MOST important document to finalize first before proceeding with the penetration testing exercise?

The essential idea is to have explicit permission in writing before any testing begins. A Written Authorization to Test gives legal clearance to probe the systems, clearly defines what is in scope, what techniques are allowed, and when the activity can occur, plus how results and data will be handled. This protects both you and the client by making the engagement legitimate and bounded, reducing legal risk and guiding escalation if anything out of scope happens. Other documents have important roles—an SOW outlines deliverables, an NDA protects confidentiality, and a Project Charter sets aims and governance—but they do not authorize the actual testing or specify the exact boundaries. Finalizing the authorization first ensures you have a legally sound and clearly defined scope before any assessment starts.