Rechtsanwalt Marian Härtel - ITMediaLaw
Pentesting as a service: legal framework and contract design

28. February 2025
in Other
Reading Time: 6 mins read
Key Facts
  • The demand for pentests is increasing, as IT security is crucial for corporate strategies.
  • Pentesting service providers identify vulnerabilities and suggest measures to rectify them.
  • A watertight contract is essential to minimize legal risks and clarify liability issues.
  • The GDPR requires the conclusion of a data processing agreement when processing personal data.
  • Pentests should be planned carefully, especially for hybrid infrastructures or cloud services.
  • Clear documentation and a rework phase are important to ensure the quality of the pentest.
  • Insurance cover and clear liability regulations are necessary to avoid economic risks.

The demand for professional penetration tests (pentests for short) is growing steadily as companies place increasing importance on IT security. More and more companies are realizing that protecting sensitive data and systems is no longer just an option, but an indispensable part of a holistic corporate strategy. Pentesting service providers therefore play a crucial role in identifying potential vulnerabilities and proposing concrete measures to eliminate them. However, white-hat hackers or IT security consultants should not only view their activities from a technical perspective, but also create a solid legal basis to protect all parties involved from potential risks.

Contents
1. Legal basis of pentests
2. Drafting contracts for pentests
3. Regulations on documentation and rectification
4. Insurance cover and liability issues
5. Further aspects: Social engineering and compliance
6. Conclusion
6.1. Author: Marian Härtel

In Germany, there is a whole range of legal standards that must be observed when carrying out pentests. Even minor violations can lead to serious consequences – for both the tester and the client. For this reason, a watertight contract is essential in order to regulate liability issues and create transparency regarding the exact scope of services. In addition to aspects such as limitations of liability and confidentiality obligations, topics such as data protection and compliance also play a central role. This ensures that the collaboration between service provider and client is built on a stable foundation from the outset.

In addition, the increasing complexity of modern IT systems requires careful planning of pentests. Tests often involve not only internal networks or web applications, but also hybrid infrastructures, cloud services or specialized industry-specific platforms. International standards such as ISO 27001 or the BSI IT baseline protection compendium provide points of reference here, and compliance with them is often even assumed by the client. Careful coordination with the client is therefore essential to ensure that all processes comply with legal requirements and company guidelines.

Legal basis of pentests

Penetration tests can essentially be understood as targeted checks of IT systems with the primary aim of uncovering security vulnerabilities. Pentesters slip into the role of potential attackers in order to identify both technical and organizational vulnerabilities. Companies that commission such tests want to minimize the risk of cyberattacks and increase the maturity of their security measures.

Despite being explicitly commissioned, the pentester’s actions can quickly fall into a legal gray area. Unauthorized intrusion into third-party systems is regulated in Germany in §§ 202a ff. of the German Criminal Code (StGB) and § 303b StGB. Even if the client has given their consent, this must be included in writing in the contract in order to avoid any subsequent ambiguities. A breach of these criminal provisions can have considerable consequences and may also trigger civil law claims for damages.

Another important point is data protection requirements. As soon as personal data is processed during testing activities, the GDPR applies. Article 28 GDPR stipulates that a data processing agreement (DPA) may need to be concluded in order to create the legal basis for data processing. This applies in particular if pentesters access data that allows conclusions to be drawn about natural persons, such as employee or customer data. Appropriate technical and organizational measures must be taken here to ensure that only the minimum necessary data is processed and that no sensitive information is collected without authorization.

Another legal hurdle is the potential disruption to ongoing business processes. If the attack simulations lead to system failures or data loss, this can quickly result in downtime that causes considerable economic damage. Such scenarios often lead to civil law disputes or insurance claims if the scope of liability and the question of possible negligence have not been contractually clarified. This makes it all the more important to precisely define the scope of the pentest and to clearly regulate in advance which measures are permitted and at what times they may be carried out.

Drafting contracts for pentests

A solid contract is the cornerstone of a legally compliant pentest implementation. Ideally, the collaboration should begin with a detailed agreement in which all parties involved clarify the objective of the pentest and which resources may be used. This prevents the tester from going beyond the agreed scope and inadvertently causing damage or accessing data that was not intended for the test.

Contracts should therefore precisely define which systems, networks or applications are to be tested. The type of test – such as a black box, white box or grey box approach – should also be specified. This not only has an impact on the tester’s approach, but also allows a more precise assessment of the time required and the potential risks. At the same time, details of the methodology or specific attack techniques (e.g. SQL injection, social engineering tests or automated tools) should be clarified so that the customer knows exactly which procedures will be used.

In addition, it is advisable to specify in the contract whether external service providers or subcontractors are involved. In larger projects in particular, the pentester may commission specialists for certain sub-areas. Here too, responsibilities should be clearly defined so that there are no legal loopholes. Ultimately, stringent planning and contractual stipulations facilitate the pentest and create trust among all parties involved.
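The two preceding sections say that the contract must fix which systems may be tested, which techniques are agreed, and at what times testing may take place, and that the tester must not stray beyond that scope. The following Python gate is an added example, not code from the article or from the author's practice, showing how such contractual limits can be turned into a technical check that a testing team runs before every action. The CIDR ranges, hostnames, excluded host, technique names and testing window below are constructed sample values, not taken from any real engagement; the fixed UTC+1 offset is an assumption standing in for the client's local time zone.

```python
"""Rules-of-engagement gate (added example): refuse any test action that is
outside the contractually agreed scope, technique list or time window.

All scope values here are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network


@dataclass
class Scope:
    networks: list          # CIDR strings the contract lists as in scope
    hostnames: set          # exact hostnames the contract lists as in scope
    excluded_hosts: set     # hosts the contract explicitly excludes
    techniques: set         # agreed methods, e.g. {"web", "network-scan"}
    window_start: time      # permitted testing window, client local time
    window_end: time
    tz: tzinfo = timezone(timedelta(hours=1))  # assumed client time zone


def target_in_scope(scope: Scope, target: str) -> bool:
    """True only if the target is listed in scope and not explicitly excluded."""
    if target in scope.excluded_hosts:
        return False
    if target in scope.hostnames:
        return True
    try:
        addr = ip_address(target)
    except ValueError:          # not an IP and not a listed hostname
        return False
    return any(addr in ip_network(net) for net in scope.networks)


def within_window(scope: Scope, when: datetime) -> bool:
    """Check the action time against the agreed window in the client's time zone.

    Supports windows that cross midnight (e.g. 22:00 to 06:00).
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    local = when.astimezone(scope.tz).time()
    start, end = scope.window_start, scope.window_end
    if start <= end:
        return start <= local <= end
    return local >= start or local <= end


def authorize(scope: Scope, target: str, technique: str, when_iso: str):
    """Return (allowed, reason) for one proposed action.

    when_iso is an ISO 8601 timestamp with offset, e.g. 2025-03-01T23:00:00+01:00.
    The reason string is meant to go into the engagement log as an audit trail.
    """
    when = datetime.fromisoformat(when_iso)
    if technique not in scope.techniques:
        return False, f"technique '{technique}' not agreed in the contract"
    if not target_in_scope(scope, target):
        return False, f"target '{target}' is outside the agreed scope"
    if not within_window(scope, when):
        return False, "outside the agreed testing window"
    return True, "ok"


# Constructed sample scope: one staging network, one named host,
# the production database excluded, night-time window only.
SAMPLE_SCOPE = Scope(
    networks=["10.20.0.0/16"],
    hostnames={"shop-staging.example"},
    excluded_hosts={"10.20.5.10"},   # e.g. production DB, excluded by contract
    techniques={"web", "network-scan"},
    window_start=time(22, 0),
    window_end=time(6, 0),
)

if __name__ == "__main__":
    for tgt, tech, ts in [
        ("10.20.7.3", "network-scan", "2025-03-01T23:00:00+01:00"),
        ("10.20.5.10", "network-scan", "2025-03-01T23:00:00+01:00"),
        ("10.20.7.3", "social-engineering", "2025-03-01T23:00:00+01:00"),
        ("shop-staging.example", "web", "2025-03-01T14:00:00+01:00"),
    ]:
        print(tgt, tech, ts, "->", authorize(SAMPLE_SCOPE, tgt, tech, ts))
```

The gate deliberately checks the exclusion list before the CIDR ranges, so a single excluded host inside an otherwise in-scope network is still refused, and it treats an unrecognised technique as not agreed rather than as harmless; both choices mirror the article's point that anything not written into the contract is not covered by the client's consent.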

Regulations on documentation and rectification

Most clients want to receive detailed documentation after completing a pentest in order to understand the weaknesses and potential risks found. A clearly structured report that not only lists the weaknesses but also sets priorities and makes specific recommendations for action is therefore essential. Ideally, this report should also be supplemented with management summaries so that decision-makers without in-depth IT knowledge can understand the results.

A rectification phase or a so-called “re-test” can also be part of the contract. Here, the pentesters check in a separate run whether the previously identified gaps have been closed or whether new weaknesses have arisen. It is important to set clear deadlines so that it is clear in which time window the improvements are to be carried out. This kind of structured documentation and rectification not only increases the quality of the pentest, but also achieves a sustainable security gain for the company.

Insurance cover and liability issues

Pentesting can have far-reaching consequences for the system integrity of a company. Particularly when sensitive systems are being tested, a failure can result in expensive production stoppages, contractual penalties or disgruntled customers. In such cases, it is advisable to take out professional indemnity insurance that covers such scenarios. A carefully drafted scope of insurance creates additional security for both parties and shows that the pentester is acting professionally and responsibly.

The contract should also clearly define the cases in which liability for damages is excluded or limited. A typical formulation is the limitation of liability to intentional or grossly negligent acts. The question of whether consequential damages or loss of profit are recoverable should also be clarified in advance. Such regulations avoid disputes and enable a fair distribution of risk. Ideally, internal escalation levels should also be defined so that disagreements can be resolved before a legal dispute arises.

Further aspects: Social engineering and compliance

One area that often gains importance in pentest contracts is social engineering. This is where testers attempt to obtain information from employees through phishing emails, fake calls or fake websites in order to penetrate company networks. While such tests are often very effective in checking the human element in security concepts, they can also be legally tricky if the consent of the employees or works councils concerned is not obtained. Clearly defined procedures and limits should therefore also be set out in the contract for social engineering tests.

The topic of compliance also plays a major role in many industries. Certain sectors, such as banking, insurance or healthcare, are subject to strict regulations regarding the handling of data or the type of security checks carried out. Here, it is important to determine in advance which standards and guidelines apply and how the pentest can be tailored to them. Close coordination with the client and its specialist departments ensures that the pentest does not violate internal or external rules and that the results can be used for future audits or certifications.

Conclusion

The legally compliant implementation of pentests requires a well thought-out concept, careful coordination with the client and a contract that leaves no gaps. From the selection of suitable test methods and the definition of liability limits through to data protection issues, all points should be set out in clear agreements. Precise preparation prevents misunderstandings and creates the basis for successful collaboration.

It is particularly important that both parties define in advance exactly what goals are to be achieved with the test and what risks they wish to take. Good communication and transparency are essential to ensure that neither the company nor the pentester experience any unpleasant surprises. Especially in a highly dynamic environment such as IT security, it is advantageous to rely on the expertise of a lawyer who is familiar with the technical and legal particularities.

As a specialist in IT law and a passionate technology enthusiast, I can help draft contracts in such a way that they both meet the client’s requirements and are legally watertight. In this way, cyber risks are minimized and trust between all parties involved is strengthened. With my in-depth understanding of security processes and my legal advice, pentests can be carried out not only effectively but also in a legally compliant manner. The result is optimized IT structures, an improved security culture and the certainty of being protected from unforeseeable consequences in the event of an emergency.

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law with more than 25 years of experience as an entrepreneur and consultant in the fields of games, esports, blockchain, SaaS and artificial intelligence. Besides IT law, his advisory focus covers copyright, media law and competition law in particular. He primarily supports start-ups, agencies and influencers, whom he advises on strategic questions, complex contractual matters and investment projects. His advice is characterized by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practical solutions and to provide legally sound support in implementing innovative business models.
