Rules of Engagement Template
The Rules of Engagement (RoE) is a critical document that defines exactly what is permitted during a test. It protects both the tester and the client.
Usage
RULES OF ENGAGEMENT
Penetration Testing Agreement
Client: [Client Name]
Contractor: [Your Company Name]
Project: [Project Name/Description]
Date: [Date]
1. AUTHORIZATION
This document authorizes [Your Company] to perform penetration testing services against the systems and networks described in the Scope section.
Authorized Signatory: [Name, Title]
Signature: _________________ Date: __________
2. SCOPE OF TESTING
2.1 In-Scope Assets
| Asset Type | Description | IP/URL |
|---|---|---|
| Web Application | [Description] | [URL] |
| Network Range | [Description] | [CIDR] |
| Host | [Description] | [IP] |
2.2 Out-of-Scope Assets
The following are explicitly excluded from testing:
- [System/IP/URL] - [Reason]
- [System/IP/URL] - [Reason]
- Third-party systems without authorization
- Denial of service attacks (unless approved)
- Social engineering of employees (unless approved)
- Physical security testing (unless approved)
2.3 Testing Types Authorized
- External Network Penetration Testing
- Internal Network Penetration Testing
- Web Application Penetration Testing
- Wireless Network Testing
- Social Engineering (Specify: ________________)
- Physical Security Testing
- Red Team Exercise
3. TESTING TIMELINE
Start Date: [Date]
End Date: [Date]
Testing Hours: [e.g., Business hours only / 24x7]
Blackout Periods: [Dates/times when testing is prohibited]
4. TESTING METHODOLOGY
Testing will follow [PTES / OWASP / OSSTMM / Custom] methodology.
4.1 Permitted Activities
- Port scanning and service enumeration
- Vulnerability scanning
- Exploitation of discovered vulnerabilities
- Privilege escalation
- Lateral movement
- Data exfiltration (proof of concept only)
- Password attacks (within agreed limits)
4.2 Prohibited Activities
- Denial of service attacks
- Modification or destruction of data
- Installation of persistent backdoors
- Accessing data beyond proof of concept
- Testing against out-of-scope systems
- Social engineering without explicit approval
5. COMMUNICATION
5.1 Primary Contacts
Client Technical Contact
Name: [Name]
Phone: [Number]
Email: [Email]
Available: [Hours]
Client Emergency Contact
Name: [Name]
Phone: [Number]
Tester Lead
Name: [Name]
Phone: [Number]
Email: [Email]
5.2 Escalation Procedures
- Critical Finding: Immediate phone call + email
- System Crash/Instability: Stop testing, notify immediately
- Suspected Compromise (non-test): Notify immediately
5.3 Status Updates
- [Daily/Weekly] status emails
- Immediate notification for critical findings
- Final report within [X] business days of test completion
6. DATA HANDLING
- All client data will be handled as CONFIDENTIAL
- Test data will be encrypted in transit and at rest
- All findings and evidence will be securely deleted within [X] days
- No client data will be shared with third parties
- Testers will use secure, dedicated systems
7. LEGAL
- Contractor maintains professional liability insurance of $[X]
- Client agrees to indemnify Contractor against claims arising from authorized testing activities
- Testing will comply with all applicable laws and regulations
- Client confirms they have authority to authorize testing
8. SIGNATURES
Client Authorization
Name: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________
Contractor Acknowledgment
Name: _________________________
Title: _________________________
Signature: _________________________
Date: _________________________
This document must be signed before testing begins.