Scope of work
Detailed software scope for deployment, security analysis and reporting.
This page sets out a clear commercial and technical description of the AAA platform scope. It can be adapted into a proposal, proforma invoice, EULA schedule or implementation statement of work.
| Workstream | Scope included | Typical deliverables |
|---|---|---|
| Discovery & onboarding | Define business objectives, users, assets, environments, repositories and reporting requirements. | Onboarding checklist, implementation plan, access matrix, initial asset register. |
| Application security platform setup | Configure dashboards, user roles, scan policies, severity rules, remediation workflow and notification preferences. | Configured tenant/workspace, role permissions, dashboard pack, workflow rules. |
| Vulnerability management | Centralise findings, classify risk, assign owners, track remediation and manage exceptions. | Vulnerability register, remediation tracker, SLA view, risk trend report. |
| Code security scanning | Scan application code, dependencies, secrets and insecure patterns across agreed repositories or code packages. | Code risk report, dependency risk list, remediation notes, developer action summary. |
| Cloud security | Assess cloud configuration posture, exposed services, identity risk indicators and policy drift across agreed environments. | Cloud posture report, misconfiguration list, prioritised remediation roadmap. |
| AI-powered security analysis | Use AI-assisted analysis to summarise findings, reduce noise, support prioritisation and generate executive-ready narratives. | Prioritised risk summary, executive dashboard, action sequencing, management report. |
| Implementation & handover | Support installation, configuration, UAT, user training and operational handover. | UAT checklist, admin guide, user guide, handover pack, support process. |
In-scope deliverables
- Software access and configuration for agreed users/environments.
- Application, code and cloud security scanning workflows.
- Risk dashboards for technical and executive stakeholders.
- Remediation tracking with owner and status management.
- AI-assisted prioritisation and written risk summaries.
- Installation, configuration, UAT and handover support.
Out-of-scope unless separately agreed
- Unauthorised penetration testing, exploitation or intrusive testing.
- Managed SOC, 24/7 monitoring or incident response retainer.
- Legal, regulatory or formal compliance certification advice.
- Remediation engineering performed directly on buyer systems.
- Third-party licensing, hosting, cloud usage or external tool fees.
- Any activity not expressly set out in the signed order form or statement of work.
Important
Final scope should be attached to the contract.
For a premium transaction, use the signed agreement, EULA schedule and statement of work to confirm software modules, payment milestones, delivery obligations, acceptance testing, support period and buyer responsibilities.