Which document serves to clarify roles and expectations during a PenTest?

The correct answer is the Statement of Work. This document is crucial in the context of a penetration test (PenTest) because it outlines the specific tasks, deliverables, timelines, resources, and responsibilities of both the client and the testing team. It serves to clarify the roles and expectations of each party involved in the project, ensuring that all stakeholders understand what is required and what the outcomes will be.

The Statement of Work may include details such as the scope of the penetration test, methodologies to be used, and any relevant compliance requirements. By providing this clarity, it helps to mitigate misunderstandings and establishes a mutual agreement on the project's goals and execution, making it an essential component of a successful PenTest engagement. Furthermore, it can be referenced throughout the project to manage expectations and guide the testing process.

Other options like the Service-Level Agreement, Authorization Letter, and Terms of Service serve distinct purposes and do not prioritize the clarification of roles and expectations in the way a Statement of Work does. The Service-Level Agreement often focuses on the quality of service provided, while the Authorization Letter grants permission to conduct the test, and the Terms of Service typically outline overall usage and legal conditions rather than specific project details.