| Authorization | Description |
| Written Consent | Written consent should be obtained from the organization or individual who owns the system or application being tested. This consent protects the penetration tester and ensures that all parties are aware of the testing activities. |
| Scope of Authorization | The authorization should explicitly state the extent and limitations of the testing. It should detail what is permitted, such as the types of attacks, the time frame for testing, and any specific areas that are off-limits. |