The CFAA and Penetration Testing
The Computer Fraud and Abuse Act (18 U.S.C. § 1030) establishes the primary federal criminal and civil liability framework that governs unauthorized access to computer systems in the United States. For the penetration testing profession, this statute defines the precise legal boundary between authorized security work and prosecutable computer intrusion. This page covers the CFAA's operative provisions, how authorization structures interact with the statute, the scenarios in which liability exposure arises, and the classification distinctions that separate compliant testing from criminal conduct.
Definition and scope
The Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030, was enacted in 1986 and has been amended repeatedly since, with major expansions in 1994, 1996, 2001, and 2008. The statute prohibits unauthorized access to "protected computers," a category that the 1996 amendments extended to computers used in interstate or foreign commerce or communication and that the 2008 amendments broadened further to any computer "used in or affecting interstate or foreign commerce or communication." In practice that definition reaches virtually every networked system.
The CFAA creates liability under two distinct access theories:
- Access without authorization — accessing a computer that the actor has no permission to access at all.
- Exceeding authorized access — accessing a computer with some permission but retrieving or altering information beyond the scope of that permission.
The second theory has direct implications for penetration testing authorization agreements. A tester who holds a signed agreement permitting access to one subnet but pivots into another is potentially operating under the "exceeds authorized access" theory regardless of intent. The legal considerations governing penetration testing turn substantially on how scope is defined and documented.
In May 2022 the Department of Justice issued a charging policy directing that good-faith security research, defined as accessing a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability," should not be charged under the CFAA. The policy binds only federal prosecutors: it is not a statutory safe harbor, it does not bind state prosecutors or private civil plaintiffs, and it can be revised at any time. It does, however, reflect the exercise of prosecutorial discretion that the security research community had sought since the prosecution of Aaron Swartz, who was indicted under the CFAA in 2011.
In Van Buren v. United States (2021), the Supreme Court issued its most significant ruling on CFAA scope, holding in a 6-3 decision that the "exceeds authorized access" provision does not cover situations where someone accesses a computer they are authorized to access but retrieves information for an improper purpose. The Court framed the inquiry as "gates-up-or-down": liability attaches when the actor enters files, folders, or databases that are off limits to them, not when they misuse information they were permitted to obtain. The holding narrowed the statute's breadth, but it does not eliminate liability for testers who access systems or data outside explicitly defined scope, since those are precisely the areas where the gate is down.
How it works
CFAA liability in a penetration testing context operates through four operative elements: authorization documentation, scope definition, access boundaries, and data handling conduct.
Authorization is the foundational control. A written rules of engagement document, a signed statement of authorization, or a formal contract establishes that the system owner consented to the testing activity. Without documentation traceable to an entity with legal authority over the target systems, the tester has no authorization they can demonstrate under the CFAA.
The mechanism by which authorization protects practitioners follows this structure:
- The asset owner (or authorized representative) identifies the in-scope systems and signs an authorization document.
- The authorization document specifies permitted techniques, time windows, source IP addresses, and off-limits systems.
- The tester's access is legally "authorized" only within the four corners of that agreement.
- Any access outside scope — including pivot paths discovered during testing — requires explicit amended authorization before the tester proceeds.
- Data exfiltrated, copied, or retained beyond what is necessary to document findings creates independent exposure under the CFAA subsections governing obtaining information (§ 1030(a)(2)) and causing damage (§ 1030(a)(5)).
The NIST SP 800-115 Technical Guide to Information Security Testing and Assessment treats authorization as a prerequisite phase, not a background condition. The guide specifies that the authorizing official must have legal authority over all target assets, a standard that matters when third-party infrastructure, shared hosting environments, or cloud platforms are in scope.
Common scenarios
Three recurring scenarios generate CFAA exposure within penetration testing engagements:
Third-party and shared infrastructure. A client authorizes testing of its web application hosted on a shared cloud platform. The tester's reconnaissance or exploitation techniques touch the provider's underlying infrastructure or co-tenant resources. The client cannot authorize access to systems the client does not own. Cloud penetration testing engagements must separately confirm provider-specific testing policies: AWS, Microsoft Azure, and Google Cloud each publish penetration testing policies or acceptable use terms that form conditions of authorization for their platforms.
Scope creep during exploitation. During a network engagement, the tester discovers an internally reachable system not listed in scope. Accessing that system, even to confirm a vulnerability, constitutes access without authorization if the original agreement did not cover it. Network penetration testing scoping documents must address assets discovered during testing and specify the escalation procedure for out-of-scope findings: stop, record the host and how it was reached, and obtain amended written authorization before any further contact with it.
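The authorization structure in the "How it works" list and the scope-creep scenario above both reduce to the same operational control: before any packet is sent to a host, check that host, the testing source address, and the current time against the signed rules of engagement, and route anything that fails the check to escalation rather than touching it. The following is an added example of such a scope gate; it is not code from the page, from NIST SP 800-115, or from any vendor tool. The rules-of-engagement dictionary format, the `ROE` sample (using RFC 5737 documentation ranges and a private subnet), and the function names are all assumptions made for illustration.

```python
"""Scope gate for a penetration-testing engagement (hypothetical tooling, added example).

Checks a candidate target, the tester's source address and the time against a
rules-of-engagement (RoE) document before any traffic is sent. Hosts that fail
the check are queued for escalation instead of being contacted.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample RoE. Addresses are RFC 5737 documentation ranges and a
# private subnet; nothing here refers to a real engagement.
ROE = {
    "authorized_by": "CISO, Example Corp (signed)",
    "in_scope": ["10.10.20.0/24", "203.0.113.10"],
    "excluded": ["10.10.20.250"],            # carve-out: third-party-managed appliance
    "source_ips": ["198.51.100.7"],          # the only address the client whitelisted
    "window": ("2024-06-03T22:00:00+00:00", "2024-06-04T06:00:00+00:00"),
}

# Fixed "now" for the demo so the example is reproducible offline.
DEMO_TIME = datetime(2024, 6, 4, 1, 0, tzinfo=timezone.utc)


@dataclass
class RulesOfEngagement:
    authorized_by: str
    in_scope: List[ipaddress._BaseNetwork]
    excluded: List[ipaddress._BaseNetwork]
    source_ips: List[ipaddress._BaseAddress]
    window_start: datetime
    window_end: datetime


def load_roe(doc: dict) -> RulesOfEngagement:
    """Parse the RoE into network objects so membership tests are exact, not string matches."""
    return RulesOfEngagement(
        authorized_by=doc["authorized_by"],
        in_scope=[ipaddress.ip_network(n, strict=False) for n in doc["in_scope"]],
        excluded=[ipaddress.ip_network(n, strict=False) for n in doc["excluded"]],
        source_ips=[ipaddress.ip_address(a) for a in doc["source_ips"]],
        window_start=datetime.fromisoformat(doc["window"][0]),
        window_end=datetime.fromisoformat(doc["window"][1]),
    )


def check_target(roe: RulesOfEngagement, target: str, source_ip: str,
                 now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Each deny reason maps to one clause of the RoE."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not checked: resolve first, then re-check the literal address.
        return False, f"{target!r} is not an IP literal; resolve and re-check before use"
    # Exclusions win over inclusions: a carve-out inside an authorized CIDR stays off limits.
    if any(addr in net for net in roe.excluded):
        return False, f"{target} is explicitly excluded by the RoE"
    if not any(addr in net for net in roe.in_scope):
        return False, f"{target} is not in the authorized scope"
    if ipaddress.ip_address(source_ip) not in roe.source_ips:
        return False, f"source {source_ip} is not an authorized testing address"
    if not (roe.window_start <= now <= roe.window_end):
        return False, f"{now.isoformat()} is outside the authorized testing window"
    return True, "in scope, authorized source, inside window"


def triage_discovered(roe: RulesOfEngagement, discovered: List[str], source_ip: str,
                      now: datetime) -> Dict[str, List[Tuple[str, str]]]:
    """Split hosts found during testing (e.g. from a pivot) into those the tester may
    proceed against and those that need amended written authorization first."""
    result: Dict[str, List[Tuple[str, str]]] = {"proceed": [], "escalate": []}
    for host in discovered:
        allowed, reason = check_target(roe, host, source_ip, now)
        result["proceed" if allowed else "escalate"].append((host, reason))
    return result


if __name__ == "__main__":
    roe = load_roe(ROE)
    # Constructed list of hosts "seen" after compromising 10.10.20.15.
    found = ["10.10.20.15", "10.10.30.5", "10.10.20.250", "203.0.113.10"]
    outcome = triage_discovered(roe, found, "198.51.100.7", DEMO_TIME)
    for host, reason in outcome["proceed"]:
        print(f"PROCEED  {host}: {reason}")
    for host, reason in outcome["escalate"]:
        print(f"ESCALATE {host}: {reason} (authorized by: {roe.authorized_by})")
```

Two design points are worth noting. Exclusions are evaluated before inclusions, so a carve-out inside an authorized block can never be reached by accident, and every deny carries the RoE clause that triggered it, which is what the escalation request to the client needs to cite. Hostnames are deliberately rejected rather than resolved inside the gate: resolution can change between check and use, so the check is made on the literal address that will actually receive traffic.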
Bug bounty ambiguity. Bug bounty programs and penetration testing engagements rest on structurally different authorization models. Bug bounty safe harbor language varies significantly across programs. Some programs exclude certain asset classes (production databases, third-party integrations, user data access) while leaving the exclusions ambiguous. Researchers who test excluded assets cannot rely on the safe harbor language as a CFAA defense.
Decision boundaries
The operative distinction for CFAA compliance is not the technical nature of the activity — it is whether documented authorization from a legally competent authority covers the specific access performed. Two contrasting models illustrate how this plays out:
| Factor | Authorized Engagement | Unauthorized or Excess Access |
|---|---|---|
| Scope documentation | Written, signed, asset-specific | Verbal, implied, or absent |
| Asset ownership | Client owns or controls all in-scope assets | Includes third-party, provider, or co-tenant assets |
| Access after discovery | Pauses at scope boundary; escalates | Proceeds into out-of-scope systems |
| Data handling | Findings documented, data minimized | Data copied, retained, or exfiltrated beyond necessity |
| Authorization party | Legal asset owner or delegated authority | Vendor, contractor, or non-owner |
The "good-faith security research" framing from the 2022 DOJ policy guidance applies primarily to independent researchers, not contracted testers. A contracted tester operates under a formal agreement, and the CFAA analysis focuses on whether that agreement covered the specific access — not on whether the tester's intent was benign.
Practitioners should note that CFAA exposure is not limited to federal prosecution. Section 1030(g) creates a private civil right of action for anyone who suffers damage or loss from a violation, provided the conduct involves one of the factors listed in § 1030(c)(4)(A)(i), of which aggregate loss of at least $5,000 in a one-year period is the most common; the other factors (for example, impairment of medical care or physical injury) carry no dollar threshold. On the criminal side, the $5,000 figure is a felony-enhancement factor, not a floor for prosecution: a first offense under § 1030(a)(2) or (a)(5) can be charged as a misdemeanor with no loss threshold, and the loss or value thresholds in § 1030(c) determine whether it is charged as a felony instead.
State-level computer crime statutes, including California Penal Code § 502 and New York Penal Law Article 156, operate independently of the CFAA and may impose liability under standards that differ from the federal framework. A compliant federal authorization posture does not guarantee compliance with every applicable state statute.
References
- 18 U.S.C. § 1030 — Computer Fraud and Abuse Act (House Office of Law Revision Counsel)
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (NIST CSRC)
- DOJ Policy Regarding Charging of Computer Intrusion Cases Under the CFAA, May 2022 (U.S. Department of Justice)
- Van Buren v. United States, 593 U.S. ___ (2021) (Supreme Court of the United States)
- PCI DSS v4.0, Requirement 11.4 (PCI Security Standards Council)
- California Penal Code § 502 (California Legislative Information)