# Penetration Test — Statement of Work

- **Engagement:** Lumen.health Annual Penetration Test 2026
- **Vendor:** PenTestPartners Ltd (UK)
- **Project lead (vendor):** Mariella Greco
- **Project lead (Lumen):** Aisha Khan, CISO
- **Period:** 15 May 2026 – 29 May 2026 (2 weeks)
- **Budget:** €42 000 (fixed ceiling, time and materials)
- **ISO control:** A.8.8 (vulnerability management), A.8.29 (security testing)
- **Gap closure:** EG-009 (annual pen-test cadence)

---

## 1. Scope of engagement (SoE)

### In scope

| Target | Notes |
|---|---|
| `app.lumen.health` (auth-service + agentic) | OWASP Top 10 + LLM Top 10; authenticated + unauthenticated paths |
| `analytics.lumen.health` (analytics + KB) | Tenant isolation + RAG retrieval boundary |
| `api-ontology.lumen.health` | Cross-tenant Object instance read-access verification |
| Patient intake conversational AI | Prompt-injection resistance; guardrail bypass attempts |
| Internal RBAC + tenant separation | Verify that `org_A` cannot read `org_B` data via any API |
| Secrets vault | Vault audit (read-only) |
| Sandbox isolation (Worker Thread runtime) | Attempt to escape the LLM-agent sandbox |

### Out of scope

| Target | Reason |
|---|---|
| Customer mobile apps (iOS + Android) | Separate engagement Q3 2026 |
| Marketing site | No customer data; low risk |
| Third-party services (Coupa, Workday) | Covered by the vendors' own pen-tests and audits |
| Physical security | Office is co-working space; not Lumen-owned |
| Social engineering | Excluded by mutual agreement |

## 2. Methodology

- **Black-box phase** (week 1): Unauthenticated external testing — discovery, enumeration, exploitation. Vendor receives only the in-scope domain list.
- **Grey-box phase** (week 2): Authenticated testing — vendor receives test-tenant credentials, admin role, and tester role. Internal network testing where applicable.

Both phases follow the OWASP Web Security Testing Guide v4.2, the OWASP Top 10 for LLM Applications (2024) and the OWASP API Security Top 10. The LLM-specific tests cover:
- Prompt injection (direct + indirect via uploaded documents)
- Sensitive information disclosure via retrieval-augmented generation
- Insecure plugin design (the workflow-engine integrations)
- Excessive agency (LLM-agent tool access)
- Model denial-of-service

## 3. Deliverables

| # | Deliverable | Due | Format |
|---|---|---|---|
| D-1 | Engagement kick-off briefing | 14 May 2026 | Video call + slide deck |
| D-2 | Mid-engagement update | 22 May 2026 | Video call + interim findings |
| D-3 | Final report (executive + technical) | 05 Jun 2026 (1 week post-engagement) | PDF, signed |
| D-4 | Redacted summary (suitable for customer + audit sharing) | 12 Jun 2026 | PDF |
| D-5 | Clarification round | through 26 Jun 2026 | Email + 1 video call |
| D-6 | Re-test of remediated High/Critical findings | within 90 days | PDF addendum |

## 4. Severity scale

PenTestPartners uses CVSS 3.1 base scores:

- **Critical** (9.0–10.0): immediate remediation; closure SLA 14 days
- **High** (7.0–8.9): remediation within 30 days
- **Medium** (4.0–6.9): remediation within 90 days
- **Low** (0.1–3.9): remediation within 180 days, or risk acceptance with sign-off
- **Informational** (0.0): remediation at customer discretion

## 5. Rules of engagement

- Testing windows: weekdays 09:00–18:00 BST; off-hours testing requires pre-approval from Aisha Khan.
- DoS testing: **NOT** authorised against production; permitted in staging only.
- Data exfiltration: **NOT** authorised beyond the test-tenant data; any inadvertent access to production data must be reported within 4 hours.
- Vendor must test only from the dedicated source IP range listed in the engagement brief, so that Lumen's SOC can correlate alerts with the engagement.
- Vendor maintains a daily activity log; Lumen's SOC monitors but does not intervene during the testing window.

## 6. Communication

- **Primary channel:** dedicated Slack channel `#pt-lumen-2026` (shared by the vendor, Lumen and the Lumen SOC).
- **Secondary:** daily 17:00 BST stand-up call (15 min).
- **Emergency:** Aisha's mobile (escalation only).

## 7. Authorisation

The Lumen.health CFO and CISO authorise this engagement under the conditions above. The engagement is conducted under NDA dated 22 Mar 2026.

- Signed: Aisha Khan, CISO, Lumen.health — 30 Apr 2026
- Signed: Mariella Greco, PenTestPartners — 30 Apr 2026
- Signed: Pieter Vandermeer, CFO equivalent (Lumen.health uses Daniel Foley as authorising signatory) — 30 Apr 2026
