Comment by ineedasername
6 years ago
Well, it may be necessary to tell them, but there needs to be a backstop in place, a contract to wave around, proper identification, a live phone number to call to get confirmation, etc. The cops will still be pissed; if you weren't careful in following their instructions when they caught you, then you might find yourself tasered and soaked in someone's urine (hopefully your own, I guess). But you wouldn't be, as these two are, getting charged with felony burglary.
You're 100% correct. Having done multiple red teams I would never attempt to break into a building without 1) the CEO on call, 2) a notarized statement of work identifying my and the client's identity, and 3) notarized authorization from the landlord.
If a client refuses any of these then the physical pillar is quite simply off the table.
If the "physical pillar" is off the table, would you really feel confident giving any sort of certification of security?
Kinda like a mechanic saying "I checked the brakes, this car will definitely go for 100k miles without a breakdown"
You tell them you were testing security. You tell them you were testing the alarm system. You DO NOT tell them that you are measuring their response time.