This Service Description describes Wireless Network Penetration Test service (“Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s (“MSP”) manually or digitally‐signed agreement with Sophos covering the purchase of a Service; (ii) MSP’s manually or digitally-signed agreements with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
I. DEFINITIONS
“Asset(s)” means any wireless network and any associated wireless clients that are the targets or subjects of penetration testing in accordance with this Service Description.
“Location” means a single physical floor within a building where Assets are subject to Testing under this Service Description. Each additional floor constitutes a separate Location and must be separately scoped and purchased.
“Security Services Team” means the Sophos team conducting penetration testing and providing remediation recommendations.
“Service Coordinator” means the Sophos personnel responsible for managing the overall Service engagement lifecycle, including stakeholder coordination, action prioritization, cross-functional alignment, and communication. The Service Coordinator serves as the primary liaison between the Customer/MSP and Security Services Team to ensure timely, aligned and in-scope Service delivery.
“Test” or “Testing” means penetration testing of Asset(s).
“Wireless Remote Testing Appliance” or “wRTA” refers to a hardware device that enables Sophos to establish a secure presence on the Customer’s/MSP’s Asset(s) in support of Testing conducted remotely.
II. DESCRIPTION OF SERVICE
The Service assesses the security posture of Assets within a covered Location by identifying and exploiting vulnerabilities, misconfigurations, and weaknesses. Sophos will deliver the Service as defined in this Service Description, with the applicable scope determined by the tier purchased and specified in the relevant Schedule.
All Service elements are delivered remotely unless Customer/MSP requests onsite engagement, in which case Sophos will provide the Service pursuant to Onsite Service Engagement under Section IV below.
- Service Initiation. Service delivery commences with a series of staging and introductory sessions with Customer/MSP to cover the following:
- Service objectives and scope, including Assets to be covered by Service
- Rules of engagement for Service delivery, levels of effort, and risk acceptance
- Timelines and schedules for Service delivery, including all Customer/MSP prerequisites and technical requirements
- Reporting requirements, timelines, and escalation paths
- Key personnel, roles and responsibilities, and emergency planning
- Sophos source IP address ranges, tools, and techniques to be used for Service delivery
Following these sessions, Sophos will send a confirmation email summarizing agreed parameters for the above listed items. Customer/MSP must provide written confirmation of such parameters as a precondition to Service delivery. Customer/MSP is responsible for completing all required pre-testing tasks (including specifying the Assets and the Location to be covered by the Service, configuring remote connectivity, and ensuring all applicable prerequisites are met) prior to the start of Service. Security Services Team may provide guidance, but timely completion of these tasks remains the sole responsibility of Customer/MSP.
- Customer/MSP Testing Readiness Requirements. As a precondition to Service delivery, Customer/MSP must meet the following requirements prior to Testing:
- wRTA Deployment. For remote Testing, Customer/MSP must deploy the wRTA (shipped from Sophos) to applicable location(s), complete configuration tasks in accordance with Sophos’s direction, and meet all applicable technical requirements, including but not limited to:
- Providing a suitable fixed location that provides access to the Assets
- Providing access to Customer/MSP technical personnel for troubleshooting
- Assisting Sophos with the proper placement of the wRTA, ensuring outbound internet connectivity to the Sophos testing environment via the included cellular modem (encrypted SSL VPN over port 443)
- Testing Access Enablement. Customer/MSP must (i) timely inform its personnel and third parties of Sophos’s Testing activities as needed, to prevent disruption to Sophos business and performance of the Service (e.g., takedown requests, ISP blacklisting); and (ii) whitelist Sophos’s source testing addresses and domains in any active security devices such as Network Access Control (NAC), Intrusion Prevention System (IPS), or a Web Application Firewall (WAF).
- Service Completion Timeframe. Customer/MSP acknowledges and accepts that Sophos must complete Service delivery within twelve (12) months of the Service purchase date. As such, Customer/MSP is solely responsible for taking all actions, and meeting all prerequisites, readiness, and enablement requirements necessary to ensure Sophos can complete Service delivery within the twelve (12) months. Any failure by Customer/MSP to do so will result in expiration of the Service without refund, and Sophos will have no further obligation to perform.
- Service Delivery:
- Service Coordinator. Sophos will assign a dedicated Service Coordinator to support Service delivery. The Service Coordinator will coordinate with the Security Services Team and Customer/MSP to (i) develop the delivery timeline; (ii) identify and address issues or concerns that impact Service delivery; (iii) provide periodic updates on progress; and (iv) confirm in-scope Service delivery and Service completion.
- Testing Methodology. Sophos will apply a structured and iterative methodology that examines network architecture, system configurations, and processes affecting the protection of wireless Assets from unauthorized access. Testing activities include detection, analysis, and attempted compromise of Assets to demonstrate realistic attack scenarios.
For Testing of wireless clients, Sophos may establish rogue access points to coerce client connections and demonstrate compromise risks on corporate premises and in public environments where compromised devices may later reconnect to the Customer’s network.
Testing activities will follow a two-phase approach:
- Passive Assessment – Monitoring wireless traffic to identify weaknesses, misconfigurations, or insecure protocols.
- Active Exploitation (if necessary) – Attempting to compromise the wireless network by breaking encryption keys, impersonating access points to capture user credentials, or bypassing defensive mechanisms.
Service may include assessment of the following:
- Encryption key vulnerabilities (e.g., WEP, WPA)
- Wireless security architecture and configuration flaws
- Effectiveness of defensive measures (e.g., access controls, segmentation, etc.)
- Client device and user vulnerabilities (e.g., weak authentication or insecure wireless behaviors)
- Quality Assurance. Upon completion of Testing, Sophos may conduct a limited follow-up test for up to three additional weeks (“Validation Period”), to validate findings or investigate issues identified during Testing. Customer/MSP must continue to meet all requirements and obligations during the Validation Period.
- Service Completion and Final Report. After the conclusion of the Validation Period, Sophos will deliver the formal final report detailing methodologies used to conduct the Testing, key findings related to security posture, prioritization of vulnerabilities based on impact to the Customer/MSP and remediation recommendations (“Final Report”) to the Customer/MSP-designated point of contact via encrypted email or other secure means. Customer/MSP must review the Final Report and provide any comments to Sophos within one (1) week of delivery. If the Customer/MSP does not respond within this period, the Final Report will be deemed accepted, and the Service will be deemed complete. Customer/MSP must return the wRTA device(s) to Sophos within one (1) week of Service completion. If the Customer/MSP fails to do so, Sophos will invoice the Customer/MSP for the cost of the wRTA device(s).
III. SERVICE DELIVERY HOURS
Testing is conducted remotely Monday through Friday, 8:00 a.m. to 6:00 p.m. (U.S. Eastern Time). Any on-site work is conducted Monday through Friday, 8:00 a.m. to 6:00 p.m. (Customer’s local time) or during comparable daytime hours. If Customer/MSP requests work outside of these standard hours, Customer/MSP is responsible for all associated additional service charges.
Notwithstanding the above, to simulate real-world threat actors, Testing may occur at any time during the Service delivery period at Sophos’ discretion.
IV. ONSITE SERVICE ENGAGEMENT
If Customer/MSP requests onsite Service delivery and Sophos accepts, Sophos will provide a written estimate of anticipated costs and travel time for Customer/MSP to review and to approve. Unless Customer/MSP requests actual billing of travel costs, Sophos will invoice in advance based on the approved estimate.
If actual billing is requested, Sophos will invoice following Service completion in accordance with the categories below. The Customer/MSP shall be responsible for the following two categories of costs under actual billing:
- Actual Expenses. These include all reasonable and necessary out-of-pocket costs incurred in connection with the onsite engagement, such as round-trip airfare (economy for flights under 4 hours, economy plus for 4 to 8 hours, and business class for over 8 hours); round-trip train travel (economy class for trips under 6 hours and business class for over 6 hours); fuel costs (if driving); hotel accommodations; meals and incidental expenses; ground transportation (e.g., taxi, ride-share, or rental car); visa or entry documentation; and any applicable taxes or fees.
- Standby Time. Any time spent by Sophos personnel onsite or on standby due to Customer/MSP’s failure to provide timely access, information, or readiness to begin the engagement will be billable at the standard hourly rate applicable to the Service, up to eight (8) hours per day per person assigned to onsite Service engagement.
No travel will commence, and no travel-related costs shall be incurred, unless and until the Customer/MSP approves the estimate in writing.
Customer/MSP Obligations for Onsite Engagement: Customer/MSP must take the following actions to facilitate and enable delivery of the Service onsite:
- Arrange all required site access, entry authorizations, and security clearances in advance of the engagement, including after-hours access if necessary.
- Provide timely access to all systems, environments, infrastructure, and personnel identified in the agreed scope.
- Respond promptly to Sophos requests for information, documentation, and decisions necessary to support the engagement.
- Obtain all approvals and permissions for tools, software, or access mechanisms used by Sophos during the engagement.
- Provide suitable workspace, including power, network connectivity, and required physical or virtual system access.
- Ensure attendance of designated stakeholders at all scheduled updates, technical briefings, and post-engagement reviews.
- Comply with all applicable health, safety, and security protocols to ensure a safe working environment.
V. CUSTOMER/MSP RESPONSIBILITIES
Customer/MSP acknowledges and agrees that, in addition to the actions identified in Section II above, Customer/MSP must promptly take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.
- Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- System Access. Customer/MSP will timely provide to Sophos all required access to Assets and necessary administrative credentials/privileges to enable Sophos to perform the Service. Additionally, Customer’s/MSP’s scheduled interruptions and maintenance windows must provide sufficient time for Sophos to perform the Service.
- Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing (via email or other agreed method) and must timely respond to Sophos’s requests and timely perform required tasks.
- Authority and Indemnification. Customer/MSP is responsible for obtaining all necessary permissions and consents to enable the Security Services Team to access all relevant Assets or systems, including third-party permissions as required. Customer/MSP represents and warrants that it has the necessary right, title, license, and authority for Customer/MSP to provide and/or facilitate Sophos’s access to Asset(s), including any information, data, networks, and systems, in connection with the Service delivery. Customer/MSP agrees to indemnify, defend, and hold Sophos harmless from and against any and all claims, losses, liabilities and damages, including reasonable attorney’s fees, arising from (i) any and all third-party claims brought against Sophos that arise out of the scanning, testing and/or evaluation of incorrect or unauthorized Assets that are provided by Customer/MSP, or (ii) any breach of a Customer/MSP representation or warranty.
- Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside the scope of the Service. Customer/MSP is solely responsible and liable for (i) taking any actions that are outside of the scope of the Service (e.g., Sophos's suggestions regarding on-site response; all litigation and e-Discovery support, including responding to discovery requests or subpoenas; collaboration with law enforcement, etc.); and (ii) for any actions that Sophos performs under Customer's/MSP's specific direction that are not otherwise provided in this Service Description.
- Actions Taken by Partners. Customer may allow Partners to take certain actions within the scope of the Service on Customer's behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners' actions or omissions.
- MSP Additional Responsibilities. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service; (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description; (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service; and (iv) ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description or the Agreement with respect to the Service.
VI. ADDITIONAL TERMS
- Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry- or infrastructure-wide ransomware, cyberwarfare or other cyberattacks that cause the Security Services Team to be unable to provide resources to address any aspect of a Service in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos’s reasonable control, including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including, without limitation, if Customer has any overdue invoices); or (vi) during any scheduled or emergency maintenance windows.
- Service Capabilities. Customer/MSP agrees and acknowledges that, while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service, or the recommendations and plans made by Sophos as a result of the Service, will result in the identification, detection, containment, eradication of, or recovery from all threats, vulnerabilities, malware, or other malicious threats. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
- Service Impact. Customer/MSP acknowledges that Service provision described may result in service interruptions or degradation of Customer/MSP systems and accepts those risks and consequences. Customer/MSP further acknowledges that it is solely responsible for restoring its network and computer systems to a secure configuration after Sophos completes testing.
- Record Retention. Sophos will retain a copy of the Final Report in accordance with its record retention policy. If Customer/MSP requires retention beyond this period, Customer/MSP must provide an advance request in writing specifying the period and will bear all costs for additional storage.
- Legal Proceedings. If Customer/MSP knows or reasonably believes that Sophos or its personnel performing the Services may be subject to any court order, administrative process, or governmental proceeding (e.g., subpoena, search warrant, discovery request) requiring a response or testimony, Customer/MSP shall (i) promptly notify Sophos unless legally prohibited, (ii) use commercially reasonable efforts to minimize the associated burden, and (iii) reimburse Sophos for all reasonable costs and expenses incurred, including employee time, attorneys’ fees, and travel. This obligation shall not apply to legal actions between Customer/MSP and Sophos relating to the Service.
Revision Date: 1 October 2025