The document formalizes a relationship between a tester and entity owning a target of evaluation (TOE) for penetration testing. It outlines that the tester will evaluate security vulnerabilities in the TOE's IT infrastructure using industry standard tools and techniques. It also describes that a scope statement and rules of engagement document will define the parameters and guidelines for the testing. Relevant personnel for both parties are identified along with their roles and responsibilities for coordination.