Rules of Engagement (RoE) establish the authorised parameters, constraints, and guidelines that govern how a penetration test will be conducted. They sit alongside the scope document to form the complete contractual and technical framework for an engagement, and establish what the testing team is permitted to do, what is explicitly prohibited, and how both parties should respond if something unexpected occurs.
These rules go beyond the simple scope definition to specify which testing techniques are permitted, the allowed timeframes for testing activities, and the escalation procedures if and when critical vulnerabilities are discovered. A web application may be in scope, but the RoE determines whether authenticated testing is permitted, whether denial-of-service techniques can be used, whether automated scanning is restricted to certain hours, and what the tester should do on discovering evidence of an active third-party compromise during the engagement.
The RoE essentially forms a contract between the organisation and the testing team to ensure that everyone understands what is allowed, what is prohibited, and how to handle unexpected situations that may arise during testing.
A well-constructed RoE document will typically cover the following areas.
Testing windows specify when active testing may take place. Testing against production systems is often restricted to business hours, overnight windows, or specific maintenance periods to reduce the risk of disruption to users and to the business itself. Some organisations permit unrestricted testing against isolated staging environments while applying tighter controls to customer-facing infrastructure.
Permitted and prohibited techniques set the boundary between authorised security testing and actions that could cause harm. Destructive techniques such as denial-of-service attacks, data deletion, or exploitation of vulnerabilities in ways that could cause permanent damage are commonly excluded. The RoE should be specific: a blanket "no destructive testing" instruction is less useful than explicit guidance on, for example, whether parameter tampering on transactional endpoints is permitted and to what degree.
Social engineering and physical testing activities require explicit authorisation. Phishing simulations, pretexting calls, and physical access attempts fall outside the implied scope of a technical assessment and should only be conducted where the RoE specifically permits them.
Escalation and notification procedures define what happens when a critical vulnerability is discovered during testing. If a tester finds evidence of a live data breach, identifies an exploit path into critical financial systems, or uncovers a flaw that presents immediate business risk, the RoE should specify who to contact, within what timeframe, and through which channel.
Credential and data handling covers how sensitive material encountered during testing should be treated. Credentials discovered during an engagement, sensitive documents accessed to demonstrate a finding, or personal data observed during testing all require clear handling instructions. Most RoE documents require that such material not be retained beyond the engagement and be documented only to the extent necessary to evidence findings.
Emergency contacts on both sides ensure that testing can be paused or stopped quickly if an unintended disruption occurs. This typically includes a named technical contact at the organisation who has authority to halt testing, and a lead consultant contact on the testing side.
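The areas above lend themselves to being encoded as data so that testing tooling can refuse an activity that the RoE does not authorise. The following Python is an added example, not part of the original article: it represents a constructed RoE (testing windows, permitted and prohibited techniques, in-scope targets, escalation contact) and checks a proposed activity against it before anything is run. The hostnames, address ranges, technique names and contact address are all invented for illustration.

```python
"""Policy-as-code check of a proposed test activity against a Rules of Engagement.

Added example: the RoE values below are constructed, not taken from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from zoneinfo import ZoneInfo
import ipaddress


@dataclass
class RulesOfEngagement:
    tz: str                                 # timezone the testing windows are expressed in
    windows: dict[int, tuple[time, time]]   # weekday (0 = Monday) -> (start, end) local time
    in_scope: list[str]                     # hostnames or CIDR ranges agreed in the scope
    permitted: set[str]                     # techniques explicitly authorised
    prohibited: set[str]                    # techniques explicitly excluded
    escalation_contact: str                 # who to notify for critical findings


def in_testing_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if `when` (a timezone-aware datetime) falls inside an agreed window.

    A window whose start is later than its end (e.g. 22:00-06:00) is treated as
    overnight: it covers the rest of that day and the early hours of the next.
    """
    local = when.astimezone(ZoneInfo(roe.tz))
    t = local.time()
    # Consider today's window and, for overnight windows, yesterday's spill-over.
    for day_offset in (0, 1):
        weekday = (local - timedelta(days=day_offset)).weekday()
        if weekday not in roe.windows:
            continue
        start, end = roe.windows[weekday]
        if start <= end:
            if day_offset == 0 and start <= t < end:
                return True
        else:  # overnight window
            if day_offset == 0 and t >= start:
                return True
            if day_offset == 1 and t < end:
                return True
    return False


def target_in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """Match a hostname exactly, or an IP address against any in-scope CIDR range."""
    for entry in roe.in_scope:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not a network: treat the entry as a hostname.
            if target.lower() == entry.lower():
                return True
            continue
        try:
            if ipaddress.ip_address(target) in network:
                return True
        except ValueError:
            pass  # target is not an IP address, so it cannot match a range
    return False


def authorise(roe: RulesOfEngagement, technique: str, target: str,
              when: datetime) -> tuple[bool, str]:
    """Decide whether an activity is authorised; the reason is returned for the tester's log."""
    if technique in roe.prohibited:
        return False, f"technique '{technique}' is explicitly prohibited by the RoE"
    if technique not in roe.permitted:
        return False, f"technique '{technique}' is not explicitly permitted; obtain written authorisation"
    if not target_in_scope(roe, target):
        return False, f"target '{target}' is outside the agreed scope"
    if not in_testing_window(roe, when):
        return False, "outside the agreed testing window"
    return True, "authorised"


# Constructed sample RoE: overnight windows Monday to Friday, 22:00-06:00 London time.
SAMPLE_ROE = RulesOfEngagement(
    tz="Europe/London",
    windows={day: (time(22, 0), time(6, 0)) for day in range(5)},
    in_scope=["staging.example.com", "203.0.113.0/24"],
    permitted={"authenticated_web_testing", "automated_scanning"},
    prohibited={"denial_of_service", "phishing"},
    escalation_contact="security-lead@example.com",
)

if __name__ == "__main__":
    now = datetime(2024, 3, 12, 23, 30, tzinfo=ZoneInfo("Europe/London"))  # a Tuesday night
    for technique, target in [("automated_scanning", "203.0.113.10"),
                              ("denial_of_service", "staging.example.com"),
                              ("automated_scanning", "198.51.100.5")]:
        ok, reason = authorise(SAMPLE_ROE, technique, target, now)
        print(f"{technique} against {target}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

A scan scheduler or a tester's launch script can call `authorise` before starting an activity and record the reason string alongside the engagement log. The check is a guard rail that mirrors the signed document; it does not replace it, and an activity that is not explicitly permitted is denied rather than assumed allowed.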
From a legal perspective, the RoE forms part of the agreement that distinguishes authorised security testing from unauthorised computer access. Without it, even well-intentioned testing can carry legal risk for the testing team and for the individuals who commissioned the work.
A thorough rules of engagement document protects the organisation by ensuring testing remains controlled and proportionate, and protects the testing team by establishing clear authorisation for the activities they perform. Engagements that proceed without agreed rules of engagement are more likely to encounter avoidable disruption, scope disagreements, and uncertainty about liability if something goes wrong.