Darkmoon — Pentest on Demand

Step 1 — Your identity

We need this to create your secure client space and contact you for scoping.

Full name *

Email *

Will be used for OTP login & all engagement communications.

Phone (technical contact) *

Technical lead

Person we'll reach out to for scoping & test accounts.

Account
A secure client space will be created automatically for this email after payment. Already a client? Sign in first to attach this order to your existing account.

Step 2 — Legal entity

Required for the test authorisation contract (ISO/IEC 27001 §A.5.31, §A.5.33).

Company name *

Legal form

Registration number *

VAT / Tax ID

Registered address *

Country *

Billing contact name

Billing email

Stripe invoice will be sent here in addition to the primary email.

Step 3 — Scope & target

Scope definition per ISO/IEC 27007 §6.4.3 audit planning.

Target type *

Scope — assets in scope *

URLs, FQDNs, IP ranges, repos, app bundles. Be exhaustive — anything outside this list is out of scope.

Out of scope (explicit exclusions)

Environment *

Approx. user count (if applicable)

Test accounts / credentials we'll receive

Never share real passwords here — describe only the access roles required.

Step 4 — Methodology

Aligned with industry standards. Pre-selection covers most engagements.

Approach *

Black-box

No prior knowledge, external attacker view.

Grey-box (default)

Limited knowledge + test accounts.

White-box

Full access, code review included.

Methodology / frameworks (multiple allowed) *

OWASP WSTG / ASVS

Web / mobile applications

PTES

Penetration Testing Execution Standard

OSSTMM v3

Operational security testing manual

NIST SP 800-115

US federal pentesting guide

PCI DSS 11.4

Card payment systems

ISO 27001 §A.8.29

Annex A control alignment

OWASP API Top 10

REST / GraphQL APIs

MITRE ATT&CK

TTP-based scenario testing

Intrusiveness *

Passive

Recon only, no payload sent.

Active — safe (default)

Exploit without destructive impact.

Active — full

Includes post-exploitation, persistence.

Social engineering

Phishing / vishing scenarios — requires explicit HR sign-off.

DoS / DDoS testing

Discouraged — production stability risk.

Step 5 — Constraints & compliance

Data sensitivity, operational constraints, applicable regulations.

Data sensitivity *

Intervention window *

Business-hours only

No testing outside the agreed window.

Scope contains personal data (GDPR)

DPA & data-minimisation clauses will be added.

Applicable compliance frameworks

GDPR

HDS (health)

PCI DSS

SOC 2

ISO 27001

HIPAA

NIS2

DORA

Objectives — what does success look like? *

Threat actors of interest

Step 6 — Legal authorisation

Penetration tests are illegal without prior written authorisation (FR art. 323-1 to 323-3 CP, EU NIS2 art. 21, US 18 USC §1030).

1 — Test authorisation

The signatory, acting in name and on behalf of the company named above (the "Client"), expressly authorises ASC-IT (the "Provider") to carry out a security audit and penetration testing on the assets defined in Step 3 (the "Scope"), in accordance with the methodology and intrusiveness levels selected in Step 4.

2 — Mandate & capacity

The signatory declares (i) being duly authorised by the legal entity to sign this authorisation, (ii) being the lawful owner of the assets in scope or having obtained explicit written consent from every owner of said assets, and (iii) bearing full responsibility towards any third party affected by the testing.

3 — Scope limitation

The Provider undertakes to remain strictly within the boundaries of the agreed Scope. Any asset outside this list is expressly excluded. The Provider will immediately stop and notify the Client if it discovers personal data of third parties, weapons-grade vulnerabilities, or signs of an unrelated ongoing intrusion.

4 — Operational safety

Testing will be performed during the intervention window declared in Step 5. The Provider will not knowingly cause denial of service unless DoS testing has been explicitly authorised. Destructive payloads (data deletion, ransomware-like behaviour) are prohibited at all intrusiveness levels.

5 — Confidentiality & data protection

All information exchanged is treated as Confidential Information. The Provider commits to GDPR (Reg. EU 2016/679), only processes personal data strictly required for the engagement, and deletes such data within 60 days of report delivery. A DPA is available on request.

6 — Deliverables & ownership

The deliverable is a written penetration testing report, ranked by CVSS v3.1 severity, with technical evidence and prioritised remediation guidance, plus an oral debriefing meeting (kmeet, Infomaniak). All deliverables become the property of the Client upon payment in full.

7 — Liability

The Provider's liability is limited to the amount paid for this engagement. The Client acknowledges that penetration testing carries inherent operational risks (transient unavailability, log noise, false positives in monitoring) and accepts these.

8 — Applicable law & forum

This authorisation is governed by French law. Any dispute will be submitted to the competent courts of Toulouse, France, unless the Client is a consumer in which case the consumer's domicile court applies.

9 — Electronic signature

Pursuant to eIDAS Regulation (EU) 910/2014, the Client agrees that the typed signature, capture of timestamp, IP and user-agent below constitute a valid electronic signature with full legal effect.

Signatory — full name *

Signatory — role *

Electronic signature — type your full legal name *

I have read and accept the authorisation above. *

I confirm I have the authority to bind the legal entity declared in Step 2.

Step 7 — Review & pay

Verify the engagement, then proceed to secure payment. Your client space is created immediately after payment.

Pentest on Demand

€799 — flat per engagement (VAT excl.)

Indicative — adjusted to the final scope after expert review.

✓ Authorisation included ✓ Report + CVSS evidence ✓ Video debrief meeting ✓ Secure OTP client space

By clicking Order & pay you (1) confirm the authorisation in Step 6, (2) accept the indicative price subject to scope adjustment, (3) authorise Stripe to process the payment. Refunds are governed by the contract you just signed and FR / EU consumer law.