Question: From a penetration tester's perspective, 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA), is a critical federal law that rightly criminalizes unauthorized access to "protected computers". Protected computers would be those used in interstate commerce, by financial institutions, or by the government. It covers actions like hacking, data theft, and system damage (U.S. Code, 2025). The law outlines offenses such as accessing networks or computers without authorization or exceeding authorized access, with penalties ranging from fines to imprisonment of up to 10-20 years for severe cases (Justice Manual, 2022). For testers, this means simulated attacks must stay within legal bounds to avoid being misclassified as illegal hacking, even if unintended. Awareness of the CFAA is essential for penetration testers to ensure compliance, avoiding unintentional violations that could lead to prosecution or civil liability. The law's broad definition of "unauthorized access" requires testers to clearly define their scope, as exceeding it, though not intentional, could still breach the statute (Justice Manual, 2022). Missteps, like accessing restricted data without permission, could trigger legal action, especially if intent is questioned. A legal contract between the tester and the organization is typically required. It delineates authorized activities, scope, and consent, protecting the tester from CFAA liability by proving their actions were sanctioned (U.S. Code, 2025).
