Rules of Engagement (RoE)

Rules of Engagement (RoE) establish the authorised parameters, constraints, and guidelines that govern how a penetration test will be conducted.

These rules go beyond the scope definition to specify which testing techniques are permitted, the timeframes within which testing may take place, and the escalation procedure to follow when critical vulnerabilities are discovered. They should also define the communication protocols between the pentest provider and the customer, along with the safety measures in place to prevent disruption to business operations.

The RoE essentially forms a contract between the organisation and the testing team to ensure that everyone understands what is allowed, what is prohibited, and how to handle unexpected situations that may arise during testing.

Typical elements of an RoE include designated testing windows (such as business hours only, or overnight testing for production systems), restrictions on denial-of-service attacks and other destructive actions (such as risky parameter tampering against a live web application), requirements for data handling and confidentiality, the procedure for notifying stakeholders when critical vulnerabilities are found, and clearly identified emergency contacts should testing inadvertently cause system disruption.

The RoE should also specify whether social engineering is permitted, whether physical security testing is in scope, how credentials obtained during testing may be used, and what happens to sensitive data discovered during the engagement.

A well-constructed rules of engagement document protects both the organisation and the testing team, ensuring that security assessments remain controlled, authorised, and focused on improving security rather than causing harm. Because the RoE defines the boundary of what has been authorised, acting outside it can have legal consequences, which is why these agreements are typically reviewed by legal counsel before testing begins.