The Mutual NDA says something like: "I'm not going to take anything I've learned today and disclose it to anybody else, and I want you to do the same."
Typically, before hiring a company for penetration testing, the customer will have an NDA signed so that the information they provide about their network stays private.
The Master Service Agreement (MSA) is a contractual document that specifies the performance objectives and outlines the responsibilities of both parties; it is the umbrella agreement under which individual engagements are run.
The Statement of Work (SOW) is specific to a single contract: it covers the activities, deliverables, timelines and how much the engagement will pay.
Some clients prefer to see a sample report or a letter of recommendation to confirm the reliability of the firm they are about to hire.
Before a test, the client agrees the Rules of Engagement (ROE) with the pentester, for example 1,000 IP addresses to test, and specifies what we can and cannot do. The ROE meeting covers the specifics of the testing, such as the IP addresses in scope and which attack methods are not allowed; denial of service is typically excluded, especially when testing applications in production. In addition, social engineering activities are often not allowed.
The report details what was found, from both a high level (for management) and a technical level.
Typically there is a disclaimer at the beginning of the report stating that anything that was or was not found during the pentest relates solely to the period of activity. This means that any other vulnerabilities found later, for example because applications were deployed or ports were opened after the pentest was performed, are not our responsibility.