Authorization Workflow
Who this applies to
This workflow applies to all OSINT and Security engagements. Networking and Web engagements do not require this authorization sequence unless they include explicitly scoped security testing.
Required before work begins
- Signed authorization letter from a party with legal authority over the target scope
- Government-issued identification of the authorizing party
- Written scope definition with explicit targets and boundaries
- Named emergency contact available during active testing windows
No reconnaissance, testing, or intelligence collection starts before all items above are completed and verified.
Intake sequence
- Brief submitted: the intake begins and scope is preliminarily reviewed.
- Authority verification: legal authority over target assets/entities is validated.
- Identity verification: identity documents are reviewed for the authorizing party.
- Scope lock: target list, exclusions, methods, and operating window are finalized in writing.
- Authorization complete: engagement opens and execution begins.
Out-of-scope requests
Requests are declined when authorization is incomplete, authority is unclear, target ownership is disputed, or requested activity requires deception, intrusion, or prohibited access patterns.
Data handling
Authorization materials are treated as sensitive records: encrypted at rest, access-controlled, and retained only as long as required for engagement execution and legal recordkeeping.
Operational expectation
Submitting a brief for OSINT or Security opens authorization intake. It does not imply approval to start work.
Contact
For authorization questions or pre-scope clarifications: baudhausops@protonmail.com