Start with the pressure: sales, launch, abuse, agents, data, or guardrails

Readiness packet

Pen Test & Red Team Readiness Packet

A scoped, authorized, procurement-ready testing engagement that can feed a private offer or SOW.

Do not submit secrets, access keys, production credentials, or regulated data here. Credential exchange happens only after NDA/SOW/ROE through an approved secure channel. This intake captures what is in scope, who authorized it, and how access will be provisioned.

Testing only proceeds against targets your organization owns, controls, or is explicitly authorized to assess.

Pen Test & Red Team Readiness Packet — preview

Cobalt-style onboarding for scoped security testing, adversarial review, cloud assessment, and AI/agentic red teaming.

Engagement Snapshot

  • Company: To be specified during scoping
  • Requested testing: Web / API pentest
  • Testing style: To be specified during scoping
  • Engagement driver: To be specified during scoping
  • Desired window / deadline: To be specified during scoping
  • Production in scope: No
  • Readiness status: Needs authorization

Authorization Summary

  • Company legal name: To be specified during scoping
  • Requestor: To be specified during scoping
  • Authorized representative: To be specified during scoping
  • Technical owner: To be specified during scoping
  • Security owner: To be specified during scoping
  • Owns / controls / authorized to test confirmed: No
  • Third-party targets included: No

Target Inventory

  • No named targets yet — required before testing.

In Scope

  • To be specified during scoping

Out of Scope

  • Any system, account, or data source not named in the Target Inventory
  • Destructive testing
  • Persistence
  • Data exfiltration
  • Denial of service

Testing Style

  • To be specified during scoping

Allowed Techniques

  • Confirmed in writing during scoping

Prohibited Techniques

  • Destructive testing
  • Persistence
  • Data exfiltration
  • Denial of service
  • Phishing
  • Social engineering
  • Malware
  • Credential stuffing
  • Password spraying
  • Production data modification
  • Third-party impact
  • Testing outside named targets

All of the above are prohibited by default unless explicitly authorized in the Rules of Engagement.

Testing Window

  • Start: To be specified during scoping
  • End: To be specified during scoping
  • Hours: To be specified during scoping
  • Blackout dates: None identified

Access Plan

  • Authenticated testing required: No
  • Roles to test: To be specified during scoping
  • Test accounts available: No
  • SSO / MFA: Not required
  • VPN / IP allowlist: Not required
  • Access provisioning: To be specified during scoping
  • Credential delivery: Secure channel after NDA/SOW/ROE — never via public forms

Data Handling Plan

  • Data sensitivity: To be specified during scoping
  • Production data in scope: No
  • Personal / regulated / payment / health data: None indicated
  • Secrets must be masked: Yes
  • Data exfiltration allowed: No
  • Sample data only: No
  • DPA required: No

Evidence Capture Rules

  • Evidence location: Access-controlled encrypted store available only to named delivery contacts
  • Screenshots allowed: Yes
  • Logs may be collected: Yes
  • Redaction required: Yes
  • Retention: 30 days or until final delivery
  • Deletion after engagement: Yes

Communication Plan

  • Primary channel: To be specified during scoping
  • Daily update required: No
  • Finding notification threshold: High and Critical findings
  • Business hours: To be specified during scoping
  • Report recipients: To be specified during scoping

Emergency / Stop Conditions

  • Emergency contact: To be specified during scoping
  • Stop-testing contact: To be specified during scoping
  • Escalation contact: To be specified during scoping
  • Incident escalation process: Immediate notification to the stop-testing contact; testing pauses on request.
  • Testing stops immediately on request from the stop-testing contact.

Deliverables

  • Executive summary
  • Technical report
  • Evidence pack

Retest Plan

  • Retest requested: No
  • Severity model: CVSS + business risk
  • Retest confirms remediation of findings within an agreed window after fixes land.

Draft SOW Inputs

  • Targets: 0 named
  • Window: To be specified during scoping
  • Engagement type: Web / API pentest
  • Budget category: AppSec / product security / pentest budget
  • Deliverables: 3 selected

Required Contracts

  • Mutual NDA — Confidentiality before any scope or access is shared.
  • Assessment Terms Addendum — Defines authorized testing boundaries, safe harbor, and reliance limits.
  • Evidence Handling Policy — How testing evidence is captured, stored, redacted, and retained.
  • Statement of Work — Targets, testing window, deliverables, and retesting.
  • No-Cost Scoping Retainer — Scope and plan the engagement before any paid work or active testing.

Open Questions

  • Authorization not confirmed (owner / controls / authorized representative)
  • Target inventory (at least one named, authorized target)
  • Emergency / stop-testing contact (name + phone)
  • Evidence-handling plan (storage location, retention, redaction)

This packet is generated from your inputs to prepare a scoped, authorized, procurement-ready engagement. It is not an authorization to test and is not legal advice; testing proceeds only under signed agreements against targets you own, control, or are explicitly authorized to assess.

SCOPE · Engagement Planner

Clarify the problem.
Define success.
Choose the right next step.

A 5–10 minute planner that turns AI security ambiguity into a clear, measurable prescription.

Reduce uncertainty fast

We ask the right questions, not all the questions.

See what matters

Surface risks, blockers, assumptions, and the real problem.

Get a clear prescription

Recommended paths, effort, and acceptance criteria up front.

Sessions are saved locally in your browser. No account required.

SCOPE in progress (live session)

The five SCOPE stages:

  • Situation
  • Criteria
  • Options
  • Proof
  • Evaluate

What we currently believe (confidence)

  • Core problem: 84%
  • Business driver: 92%
  • Primary risk: 78%
  • Likely path: 71%

Next best question

Who is the final user of your AI product?

This helps us understand risk exposure and set the right success criteria.

  • Internal employees
  • Customers / end users
  • Partners / vendors
  • Mixed / multiple

Your input is private and saved locally.


Choose the use case closest to your challenge. SCOPE loads the right questions for your context.

Onboarding

Move four tracks in parallel

We put legal, finance, procurement, and technical scoping on parallel rails so the work can start without waiting for each internal process to finish in sequence.

Technical Scoping

Output: Draft Launch Review Plan

  • architecture
  • demo/staging
  • prompts
  • RAG
  • agents/tools
  • authz
  • logs/evals
  • test boundaries

Legal

Output: NDA + Scoping Authorization

  • mutual NDA
  • data handling
  • authorized testing boundaries
  • confidentiality
  • work-product terms

Finance / Procurement

Output: Procurement Packet

  • vendor profile
  • tax/payment details
  • budget category
  • fixed-fee quote path
  • invoice terms
  • onboarding answers

Internal Approval

Output: Approval Memo

  • why now
  • business pressure
  • risk if delayed
  • expected deliverables
  • timeline
  • decision needed

Output

Your output: a clear, measurable prescription.

SCOPE delivers a one-page engagement plan you can share and act on immediately.

  • Situation & core problem
  • Desired outcome & success criteria
  • Key risks & assumptions
  • Recommended path(s)
  • Effort, timing & impact
  • Open questions & next step
