Rules of Engagement

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections (explained in the table below), which are ultimately responsible for deciding how the engagement is carried out.

Section

Description

Permission

This section of the document gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out.

Test Scope

This section of the document will annotate specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network.

Rules

The rules section will define exactly the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay.

Example ROE Doucment:

250.pdf on EgnyteEgnyte

26KB

250.pdf

pdf

Reference: THM

PreviousPentest Ethics NextAuditing Fundamentals

Last updated 1 year ago