Sophos Penetration Testing – Service Description

This Service Description describes Penetration Test service ("Service"). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.

This Service Description is part of and incorporated into, as applicable: (i) Customer's or Managed Service Provider's ("MSP") manually or digitally‐signed agreement with Sophos covering the purchase of a Service; (ii) MSP's manually or digitally-signed agreements with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the "Agreement"). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.

Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.

I. DEFINITIONS

"Asset(s)" is any physical or virtual system or networks that are the targets or subjects of penetration testing in accordance with this Service Description.

"Remote Testing Appliance" or "RTA" refers to a virtual machine that enables Sophos to establish a secure presence on the Customer's/MSP's internal network in support of Internal Test conducted remotely.

"Security Services Team" means the Sophos team conducting penetration testing and providing remediation recommendations.

"Service Coordinator" means the Sophos personnel responsible for managing the overall Service engagement lifecycle, including stakeholder coordination, action prioritization, cross-functional alignment, and communication. The Service Coordinator serves as the primary liaison between the Customer/MSP and Security Services Team to ensure timely, aligned, and in-scope Service delivery.

"Test" or "Testing" means penetration testing of internal and/or external networks or environments, as applicable. A penetration test of an internal network or environment is referred to as an "Internal Test" or "Internal Testing," and a penetration test of an external network or environment is referred to as an "External Test" or "External Testing."

II. DESCRIPTION OF SERVICE

The Service simulates real-world attacks to identify and validate security weaknesses in Customer/MSP systems and networks that may not be detected through standard vulnerability assessments. The Service is offered in Extra Small (for External Testing only), Small, Medium, and Large tiers, based on the number of Assets included in Internal and/or External Tests. Sophos will deliver the Service as defined in this Service Description, with the applicable scope determined by the tier purchased and specified in the relevant Schedule.

All Service elements are delivered remotely unless Customer/MSP requests onsite engagement in which case Sophos will provide the Service pursuant to Onsite Service Engagement under Section IV below.

1. Service Initiation. Service delivery commences with a series of staging and introductory sessions with Customer/MSP to cover the following:

   • Service objectives and scope, including Assets to be covered by Service
   • Rules of engagement for Service delivery, levels of effort, and risk acceptance
   • Timelines and schedules for Service delivery, including all Customer/MSP prerequisites and technical requirements
   • Reporting requirements, timelines, and escalation paths
   • Key personnel, roles and responsibilities, and emergency planning
   • Sophos source IP address ranges, tools, and techniques to be used for Service delivery

   
   Following these sessions, Sophos will send a confirmation email summarizing agreed parameters for the above listed items. Customer/MSP must provide written confirmation of such parameters as a precondition to Service delivery. Customer/MSP is responsible for completing all required pre-testing tasks (including providing IP addresses for the Assets to be covered by the Service, configuring remote connectivity, and ensuring all applicable prerequisites are met) prior to the start of Service. Security Services Team may provide guidance, but timely completion of these tasks remains the sole responsibility of Customer/MSP.

2. Customer/MSP Testing Readiness Requirements. As a precondition to Service delivery, Customer/MSP must meet the following requirements prior to Testing

   1. RTA Deployment. For remote Internal Testing, Customer/MSP must download RTA (via a Sophos provided download link) and deploy it to applicable source network(s), complete configuration tasks in accordance with Sophos's direction, and meet all applicable technical requirements, including but not limited to:

      • Providing (i) a suitable hypervisor that supports OVA, OVF, or VMX virtual machine images, and (ii) a minimum of 2 virtual CPUs, 4GB RAM, and 32GB hard disk space per RTA virtual machine
      • Providing access to Customer/MSP technical personnel for troubleshooting
      • Assisting Sophos with the proper placement of the RTA, and provide the necessary network connectivity to enable service delivery
      • Ensuring outbound internet connectivity to the Sophos testing environment (encrypted SSL VPN over port 443).
         

      Note: At no point can a direct connection be initiated to the RTA from outside Customer/MSP network. All outbound connections are initiated by Customer/MSP, from within the virtual machine, to the Sophos secure testing facilities.

   2. Testing Access Enablement. Customer/MSP must (i) timely inform its personnel and third parties of Sophos's Testing activities as needed, to prevent disruption to Sophos business and performance of the Service (e.g., takedown requests, ISP blacklisting); and (ii) whitelist Sophos's source testing addresses and domains in any active security devices such as Network Access Control (NAC), Intrusion Prevention System (IPS), or a Web Application Firewall (WAF)
   3. Service Completion Timeframe. Customer/MSP acknowledges and accepts that Sophos must complete Service delivery within twelve (12) months of the Service purchase date. As such, Customer/MSP is solely responsible for taking all actions, and meeting all prerequisites, readiness, and enablement requirements necessary to allow Sophos to complete Service delivery within the twelve (12) months. Any failure by Customer/MSP to do so will result in expiration of the Service without refund, and Sophos will have no further obligation to perform.
3. Service Delivery:
   1. Service Coordinator. Sophos will assign a dedicated Service Coordinator to support Service delivery. Service Coordinator will coordinate with Security Services Team and Customer/MSP to (i) develop delivery timeline; (ii) identify and address issues or concerns that impact Service delivery; (iii) provide periodic updates on progress; and (iv) confirm in-scope Service delivery and Service completion.

   2. Service Scope.
      Internal Penetration Test: By default, all Assets connected to internal network will be treated as in scope unless Customer/MSP expressly excludes them in writing prior to commencement of Service delivery.
      External Penetration Test: Service scope is limited to the Customer/MSP defined or confirmed Assets or network ranges. Any changes must be mutually agreed in writing in advance and may require additional purchase(s), if the changes exceed the scope of the original Service tier purchased by Customer/MSP.

   3. Testing Methodology: Sophos will apply a multi-phase testing methodology to perform Tests, combining industry best practices with its expertise as specified below. Unless otherwise noted, the methodologies set forth below applies to both External and Internal Tests.

      Network Discovery
      Sophos performs port-scans of the provided IP ranges to identify live hosts. Activities may include:

      • Scanning IP ranges to identify commonly used TCP ports
      • Identifying certain applications and potential version information through banner grabbing
         

      For External Tests, scan data is provided in the Final Report (defined in Section 5 below) after testing is complete, detailing live hosts and open ports. Port-scan data is not included with Internal Test in the Final Report.

      Network Services Enumeration
      Sophos interrogates network services to determine additional information about Customer network that could lead to compromise. Examples include the following: 

      • DNS host lookups, brute-force zone transfers, and DNS relays
      • SNMP-based operating system, software, network, and user enumeration
      • SMTP open mail relays and user enumeration
      • NetBIOS/SMB and LDAP domain policy disclosure and enumeration
      • Service banners identifying exploitable software
      • Web server testing for weak/default credentials and upload vulnerabilities
      • Detection of unknown or hidden services that may serve as backdoors
         

      Network Services Exploitation
      Sophos will use information from "Network Services Enumeration" to attempt compromise of network services. Examples of techniques used include the following:

      • Brute-forcing password-protected services
      • Exploiting authentication bypass vulnerabilities
      • Targeting outdated or unpatched services with known exploits
      • Identifying and exploiting network backdoors

      
      Note: Use of captured credentials, while not a software vulnerability, is a common vector of attack. Use of captured credentials and publicly disclosed password dumps are considered in-scope for Testing. The password spraying activities are limited for the Extra Small tier. The use of any exploits that present a high risk of impacting Customer/MSP services will be reviewed and agreed with Customer/MSP prior to use.

      Post Exploitation and Lateral Movement
      Sophos will attempt to identify compromise vectors for the wider network and domain infrastructure. The following techniques may be used to show the impact of compromise from earlier phases:

      • Exploiting domain trusts, network routes, and bridged networks exposed by compromised systems
      • Evading antivirus and end-point protection on compromised systems, further exploiting compromised hosts without detection
      • Retrieving additional network and domain passwords and elevating privileges to achieve Domain Administrator or root-level access
      • Using gathered credentials and access tokens to compromise additional systems
      • Searching for business-critical data
         
4. Quality Assurance. Upon completion of Testing, Sophos may conduct a limited follow-up test for up to three additional weeks ("Validation Period"), to validate findings or investigate issues identified during Testing. Customer/MSP must continue to meet all requirements and obligations during the Validation Period.

5. Service Completion and Final Report. After the conclusion of the Validation Period, Sophos will deliver a the formal final report detailing methodologies used to conduct the Testing, key findings related to security posture, prioritization of vulnerabilities based on impact to the Customer/MSP and remediation recommendations ("Final Report") to the Customer/MSP-designated point of contact via encrypted email or other secure means. Customer/MSP must review the Final Report and provide any comments to Sophos within one (1) week of delivery. If the Customer/MSP does not respond within this period, the Final Report will be deemed accepted, and the Service will be deemed complete. Customer/MSP must securely remove any RTA virtual hosts upon completion of the Services.

6. Remediation Validation. Upon written request, Sophos will conduct one (1) remediation validation ("RV") limited to high- and critical-severity vulnerabilities identified in the Final Report. Customer/MSP is responsible for remediating such vulnerabilities and must (i) submit the RV request in writing to the designated Sophos contact within thirty (30) days of Final Report delivery, and (ii) ensure the RV is completed within ninety (90) days of Test completion.

   • For External Tests, findings from pivoting to internal network or post-exploitation are excluded from RV.
   • For Internal Tests, RV is available only if the initial test was conducted remotely using RTA.

   
   After performing the RV, Sophos will provide a written summary confirming whether the Customer/MSP successfully remediated the identified issues.

III. SERVICE DELIVERY HOURS

Testing is conducted remotely Monday through Friday, 8:00 a.m. to 6:00 p.m. (U.S. Eastern Time). Sophos will use reasonable efforts to align its testing hours with the Customer's scheduling requirements, subject to resource availability. Any on-site work is conducted Monday through Friday, 8:00 a.m. to 6:00 p.m. (Customer's local time) or during comparable daytime hours. If Customer/MSP requests work outside of these standard hours, Customer/MSP is responsible for all associated additional service charges.

Notwithstanding the above, to simulate real-world threat actors, Testing may occur at any time during the Service delivery period at Sophos' discretion.

IV. ONSITE SERVICE ENGAGEMENT

If Customer/MSP requests onsite Service delivery and Sophos accepts, Sophos will provide a written estimate of anticipated costs and travel time for Customer/MSP to review and to approve. Unless Customer/MSP requests actual billing of travel costs, Sophos will invoice in advance based on the approved estimate.

If actual billing is requested, Sophos will invoice following Service completion in accordance with the categories below: The Customer/MSP shall be responsible for the following two categories of costs for actual billings:

1. Actual Expenses: These include all reasonable and necessary out-of-pocket costs incurred in connection with the onsite engagement, such as round-trip airfare (economy for flights under 4 hours, economy plus for 4 to 8 hours, and business class for over 8 hours); round-trip train travel (economy class for trips under 6 hours and business class for over 6 hours); fuel costs (if driving), hotel accommodations; meals and incidental expenses; ground transportation (e.g., taxi, ride-share, or rental car), visa or entry documentation; and any applicable taxes or fees.

2. Standby Time: Any time spent by Sophos personnel onsite or on standby due to Customer/MSP's failure to provide timely access, information, or readiness to begin the engagement will be billable at the standard hourly rate applicable to the Service, up to eight (8) hours per day per person assigned to onsite Service engagement.

   No travel will commence, and no travel-related costs shall be incurred, unless and until the Customer/MSP approves the estimate in writing.
   
   Customer/MSP Obligations for Onsite Engagement: Customer/MSP must take the following actions to facilitate and enable delivery of the Service onsite:

   • Arrange all required site access, entry authorizations, and security clearances in advance of the engagement, including after-hours access if necessary.
   • Provide timely access to all systems, environments, infrastructure, and personnel identified in the agreed scope.
   • Respond promptly to Sophos requests for information, documentation, and decisions necessary to support the engagement.
   • Obtain all approvals and permissions for tools, software, or access mechanisms used by Sophos during the engagement.
   • Provide suitable workspace, including power, network connectivity, and required physical or virtual system access.
   • Ensure attendance of designated stakeholders at all scheduled updates, technical briefings, and post-engagement reviews.
   • Comply with all applicable health, safety, and security protocols to ensure a safe working environment
      

V. CUSTOMER/MSP RESPONSIBILITIES

Customer/MSP acknowledges and agrees that, in addition to the actions identified in Section II above, Customer/MSP must promptly take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP's failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.

1. Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provisioning of the Service. Customer/MSP's identified personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
2. System Access. Customer/MSP will timely provide to Sophos all required access to Assets and necessary administrative credentials/privileges to enable Sophos to perform the Service. Additionally, Customer's/MSP's scheduled interruptions and maintenance windows must provide sufficient time for Sophos to perform the Service.
3. Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing (via email or other agreed method) and must timely respond to Sophos's requests and timely perform required tasks.
4. Authority and Indemnification. Customer/MSP is responsible for obtaining all necessary permissions and consents to enable the Security Services Team to access all relevant Assets or systems, including third-party permissions as required. Customer/MSP represents and warrants that it has the necessary right, title, license, and authority for Customer/MSP to provide and/or facilitate Sophos's access to Asset(s), including any information, data, networks, and systems, in connection with the Service delivery. Customer/MSP agrees to indemnify, defend, and hold Sophos harmless from and against any and all claims, losses, liabilities and damages, including reasonable attorney's fees, arising from (i) any and all third party claims brought against Sophos that arise out of the scanning, testing and/or evaluation of incorrect or unauthorized Asset that are provided by Customer/MSP, or (ii) any breach of a Customer/MSP representation or warranty.
5. Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside the scope of the Service. Customer/MSP is solely responsible and liable for (i) taking any actions that are outside of the scope of the Service (e.g., Sophos's suggestions regarding patching and vulnerability remediation; all litigation and e-Discovery support, including responding to discovery requests or subpoenas; collaboration with law enforcement, etc.); and (ii) any actions that Sophos performs under Customer's/MSP's specific direction that are not otherwise provided in this Service Description.
6. Actions Taken by Partners. Customer may allow Partners to take certain actions within the scope of the Service on Customer's behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners' actions or omissions
7. MSP Additional Responsibilities. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service, (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description; (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service, and (iv) that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP's failure to fully perform its obligations under this Service Description or the Agreement with respect to the Service.

VI. ADDITIONAL TERMS

1. Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that causes Security Services Team to be unable to provide resources to address any aspect of a Service in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos reasonable control including but not limited war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer/MSP has any overdue invoices); or (vi) during any scheduled or emergency maintenance windows.
2. Service Capabilities. Customer/MSP agrees and acknowledges while Sophos has implemented commercially reasonable technologies and process as part of the Service, Sophos makes no guarantee that the Service, or Sophos's recommendations and plans made by Sophos as a result of that Service, will result in the identification, detection, containment, eradication of, or recovery from all of threats, vulnerabilities, malware, or other malicious threats. Customer/MSP shall not represent to anyone that Sophos has provided such a guarantee or warranty.
3. Service Impact. Customer/MSP acknowledges that Service provision described may result in service interruptions or degradation of Customer/MSP systems and accepts those risks and consequences. Customer/MSP further acknowledges that it is solely responsible for restoring its network and computer systems to a secure configuration after Sophos completes testing.
4. Record Retention. Sophos will retain a copy of the Final Report in accordance with its record retention policy. If Customer/MSP requires retention beyond this period, Customer/MSP must provide an advanced request in writing specifying the period and will bear all costs for additional storage.
5. Legal Proceedings. If Customer/MSP knows or reasonably believes that Sophos or its personnel performing the Services may be subject to any court order, administrative process, or governmental proceeding (e.g., subpoena, search warrant, discovery request) requiring a response or testimony, Customer/MSP shall (i) promptly notify Sophos unless legally prohibited, (ii) use commercially reasonable efforts to minimize the associated burden, and (iii) reimburse Sophos for all reasonable costs and expenses incurred, including employee time, attorneys' fees, and travel. This obligation shall not apply to legal actions between Customer/MSP and Sophos relating to the Service.

Revision Date: 5 December 2025