Rules of Engagement in Penetration Testing

Rules of engagement (ROE) in penetration testing are the formal, documented parameters that define what a tester is authorized to do, when, against which systems, and under what conditions. These documents govern every phase of an authorized security assessment, from initial reconnaissance through reporting, and serve as the legal and operational boundary between authorized security work and criminal activity under statutes such as the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Without a properly executed ROE, even technically legitimate security testing carries significant legal exposure for all parties involved.

Definition and scope

Rules of engagement in penetration testing constitute a formal, bilateral agreement between the commissioning organization (the client) and the testing team. The document specifies the authorized attack surface, permitted techniques, timing windows, notification requirements, escalation procedures, and conditions under which testing must stop. The ROE is distinct from — but closely related to — the broader scope of work in penetration testing and the authorization agreements that establish legal standing.

NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, published by the National Institute of Standards and Technology, identifies planning and authorization as the foundational phase of any security test, explicitly requiring written agreements that define scope, notification procedures, and handling of sensitive data encountered during testing. The Penetration Testing Execution Standard (PTES), a widely referenced industry framework, similarly treats ROE documentation as a mandatory pre-engagement deliverable. See the PTES reference page for the full pre-engagement structure that ROE documents must satisfy.

The scope of ROE documentation extends to all types of penetration testing, including network, web application, physical, and social engineering engagements. Each engagement type introduces distinct authorization considerations — for example, physical penetration testing requires coordination with building security and law enforcement liaisons, while cloud assessments must account for third-party provider terms of service and shared-responsibility boundaries.

How it works

ROE documents are drafted during the pre-engagement phase and must be signed by an authorizing official within the client organization — typically a C-level executive, CISO, or legal counsel — before any testing activity begins. The document functions as both a technical contract and a legal authorization instrument.

A complete rules of engagement document addresses the following discrete elements:

  1. Target identification — Explicit IP ranges, hostnames, application URLs, physical locations, or user accounts that are in scope, contrasted with a clearly defined out-of-scope list.
  2. Testing windows — Authorized hours, days, and dates for active testing, including blackout periods aligned with business-critical operations.
  3. Permitted techniques — Specific attack categories allowed, such as exploitation of known CVEs, credential stuffing, social engineering, or physical bypass attempts. Techniques not listed are implicitly prohibited.
  4. Prohibited actions — Explicit prohibitions, which commonly include denial-of-service attacks against production systems, exfiltration of real personally identifiable information, and destruction of data.
  5. Point-of-contact (POC) requirements — Named contacts on both the client and testing team sides, with 24/7 emergency contact information for immediate halt orders.
  6. Escalation and halt conditions — Defined triggers that require immediate cessation of testing, such as discovery of an active breach by a third party, unintended system outages, or encounter with regulated data such as protected health information (PHI) under HIPAA (45 CFR Part 164).
  7. Evidence handling — Protocols for storing, transmitting, and destroying captured credentials, sensitive records, or screenshots obtained during testing.
  8. Third-party notification — Requirements to notify cloud providers, ISPs, or managed service providers whose infrastructure intersects with the test environment.

Common scenarios

ROE requirements vary substantially across engagement types and regulatory contexts. Three representative scenarios illustrate how the document structure adapts:

External black-box network test — The ROE limits the tester to a defined list of external IP addresses, prohibits any action that would degrade production availability, and requires a 15-minute notification window before launching any active exploitation. The client's network operations center is listed as a named POC. This structure applies directly to the environments described in network penetration testing.

PCI DSS compliance assessmentPCI DSS Requirement 11.4 mandates penetration testing of the cardholder data environment (CDE) at least annually and after significant infrastructure changes. ROE for PCI-scoped engagements must explicitly identify all CDE system components and require the tester to demonstrate exploitability of segmentation controls. The ROE also documents chain-of-custody procedures for any cardholder data encountered. See PCI DSS penetration testing requirements for the full regulatory structure.

Red team operationRed team operations involve a small "white cell" of client-side personnel who are aware of the test, while the broader IT and security staff operate under realistic conditions. The ROE for a red team engagement designates which executives hold authorization authority, establishes a "get-out-of-jail" letter that testers carry during physical intrusion attempts, and defines deconfliction procedures to prevent the internal blue team from mistakenly reporting a real incident to law enforcement.

Decision boundaries

The central operational function of an ROE is establishing enforceable decision boundaries — points at which a tester must stop, seek re-authorization, or escalate. Three boundary types recur across engagement structures:

Scope creep boundaries occur when exploitation of an in-scope system reveals access pathways to out-of-scope systems. The ROE must specify whether the tester is permitted to document but not pursue such access, or must halt and notify the POC immediately. The absence of a written policy at this boundary is a recurring cause of unauthorized access incidents.

Destructive action thresholds define whether the tester may execute payloads that modify, encrypt, or delete data, even on in-scope systems. In regulated environments — particularly healthcare organizations subject to HIPAA and critical infrastructure operators governed by CISA frameworks (CISA Cybersecurity Performance Goals) — this threshold is typically set to read-only exploitation or requires explicit secondary authorization for any write-capable payload.

Knowledge type boundaries differentiate between black-box, white-box, and gray-box testing and formalize which credentials, network diagrams, or source code the tester is provided at engagement start. A tester operating under black-box conditions who independently acquires administrative credentials mid-engagement faces a decision boundary: the ROE must state whether use of those credentials remains authorized or requires a scope-expansion approval before proceeding.

Conflicts between ROE terms and real-time findings are resolved through the named POC escalation chain. Verbal approvals during testing carry no legal weight; all scope modifications must be documented in writing, with timestamps, before modified activity begins.

References

📜 2 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator