A company is working with a vendor to perform a penetration test. Which of the following includes an estimate about the number of hours required to complete the engagement?

A Blanket Purchase Agreement (BPA) is a long-term agreement with a vendor to provide goods or services at predetermined prices. While it facilitates purchasing, it does not typically outline specific project details or time estimates for individual engagements like a penetration test, making it unsuitable for this context.

A Service Level Agreement (SLA) defines the expected level of service between a service provider and a client, including performance metrics and responsibilities. However, it does not include estimates of the number of hours needed to complete a specific project, such as a penetration test, focusing instead on service delivery standards.

A Non-Disclosure Agreement (NDA) protects confidential information shared between parties and does not address project scope, timelines, or estimates of hours required for tasks. Its purpose is solely to ensure that sensitive information remains private, making it irrelevant to the specifics of project execution.