Safe Penetration Testing Labs · beginner · ~8 min

Rules of engagement

Know what an authorised pentest scope looks like.

Lesson

A rules of engagement (RoE) document, signed before any testing begins, specifies:

  • Scope: which IPs, hostnames, applications, accounts.
  • Out-of-scope: anything not explicitly listed.
  • Allowed techniques: e.g., no DoS, no social engineering of staff.
  • Reporting channel: who to contact, how fast, for what severity.
  • Test window: dates and times.

Without an RoE, don't push buttons.
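To make the scope, out-of-scope, allowed-technique and test-window items above mechanically enforceable, here is an added example (not part of this lesson) of a small scope gate that a tester's tooling can consult before touching a target. Everything in it is an assumption for illustration: the RoE dictionary, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the `example.test` hostnames, the technique names and the dates are constructed samples, not a real engagement.

```python
"""Scope gate for an authorised engagement (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed sample RoE. In practice this would be loaded from the signed
# document's machine-readable appendix; the values here are hypothetical.
SAMPLE_ROE = {
    "scope": ["203.0.113.0/24", "app.example.test"],
    "out_of_scope": ["203.0.113.10", "billing.example.test"],
    "allowed_techniques": ["network-scan", "web-app"],
    "window": ("2024-06-01T08:00:00+00:00", "2024-06-03T18:00:00+00:00"),
}


@dataclass
class RoE:
    scope_nets: list
    scope_hosts: set
    oos_nets: list
    oos_hosts: set
    allowed: set
    window_start: datetime
    window_end: datetime


def _split(entries):
    """Separate IP/CIDR entries from hostnames; hostnames are lower-cased."""
    nets, hosts = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry.lower())
    return nets, hosts


def parse_roe(doc):
    """Build an RoE from a dict shaped like SAMPLE_ROE."""
    scope_nets, scope_hosts = _split(doc["scope"])
    oos_nets, oos_hosts = _split(doc["out_of_scope"])
    start, end = (datetime.fromisoformat(t) for t in doc["window"])
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("window times must carry a timezone")
    return RoE(scope_nets, scope_hosts, oos_nets, oos_hosts,
               set(doc["allowed_techniques"]), start, end)


def _listed(target, nets, hosts):
    """True if target (IP literal or hostname) matches any entry."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in hosts  # exact hostname match only
    return any(addr in net for net in nets)


def is_authorised(roe, target, technique, now):
    """Return (allowed, reason). Out-of-scope wins over scope: an address
    excluded inside an in-scope range is still refused."""
    if now.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if technique not in roe.allowed:
        return False, f"technique '{technique}' not permitted by RoE"
    if _listed(target, roe.oos_nets, roe.oos_hosts):
        return False, f"{target} is explicitly out-of-scope"
    if not _listed(target, roe.scope_nets, roe.scope_hosts):
        return False, f"{target} is not in scope"
    if not (roe.window_start <= now <= roe.window_end):
        return False, "outside the agreed test window"
    return True, "authorised"


def check(doc, target, technique, now_iso):
    """String-only convenience wrapper around parse_roe + is_authorised."""
    return is_authorised(parse_roe(doc), target, technique,
                         datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    during = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)
    roe = parse_roe(SAMPLE_ROE)
    for host in ["203.0.113.7", "203.0.113.10", "198.51.100.5", "APP.example.test"]:
        print(host, is_authorised(roe, host, "network-scan", during))
```

The order of the checks is the point: the explicit out-of-scope list is consulted before the scope list, so a host carved out of an otherwise in-scope /24 is refused, and a hostname is accepted only on an exact match, since "anything not explicitly listed" is out of scope. Tooling that fails closed this way turns the RoE from a document into a control.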