Rules of Engagement Template

The Rules of Engagement (RoE) is a critical document that defines exactly what is permitted during a test. It protects both the tester and the client.

Usage

Copy and customize this template for your engagements. All bracketed fields [like this] should be replaced with actual values.

Explicit Approval for High-Risk Activities

Treat social engineering, physical access, persistence, credential handling, destructive testing, and proof-of-concept data access as separate approvals. If the activity is not explicitly named and signed, it is not authorized.
Download Markdown

RULES OF ENGAGEMENT

Penetration Testing Agreement

Client: [Client Name]

Contractor: [Your Company Name]

Project: [Project Name/Description]

Date: [Date]

1. AUTHORIZATION

This document authorizes [Your Company] to perform penetration testing services against the systems and networks described in the Scope section.

Authorized Signatory: [Name, Title]

Signature: _________________ Date: __________

2. SCOPE OF TESTING

2.1 In-Scope Assets

Asset Type Description IP/URL
Web Application[Description][URL]
Network Range[Description][CIDR]
Host[Description][IP]

2.2 Out-of-Scope Assets

The following are explicitly excluded from testing:

  • [System/IP/URL] - [Reason]
  • [System/IP/URL] - [Reason]
  • Third-party systems without authorization
  • Denial of service attacks (unless approved)
  • Social engineering of employees (unless approved)
  • Physical security testing (unless approved)

2.3 Testing Types Authorized

  • External Network Penetration Testing
  • Internal Network Penetration Testing
  • Web Application Penetration Testing
  • Wireless Network Testing
  • Social Engineering (Specify: ________________)
  • Physical Security Testing
  • Red Team Exercise

3. TESTING TIMELINE

Start Date: [Date]

End Date: [Date]

Testing Hours: [e.g., Business hours only / 24x7]

Blackout Periods: [Dates/times when testing is prohibited]

4. TESTING METHODOLOGY

Testing will follow [PTES / OWASP / OSSTMM / Custom] methodology.

4.1 Permitted Activities

  • Port scanning and service enumeration
  • Vulnerability scanning
  • Exploitation of discovered vulnerabilities
  • Privilege escalation
  • Lateral movement
  • Proof-of-access validation using approved test records only, unless a separate data-access approval is signed
  • Password attacks (within agreed limits)

4.1.1 High-Risk Activity Approvals

Activity Allowed? Limits / Required Safeguards Client Initials
Social engineering[Yes/No]Approved targets, scripts, reporting path, and stop conditions_____
Physical security testing[Yes/No]Locations, hours, safety rules, and guard verification process_____
Credential handling[Yes/No]No real password storage; approved test accounts preferred_____
Data access proof[Yes/No]Approved data types, redaction rules, retention, and secure storage_____
Persistence / long-duration access[Yes/No]Benign mechanisms, expiration, monitoring, and cleanup owner_____

4.2 Prohibited Activities

  • Denial of service attacks
  • Modification or destruction of data
  • Installation of persistent backdoors
  • Accessing data beyond proof of concept
  • Testing against out-of-scope systems
  • Social engineering without explicit approval

5. COMMUNICATION

5.1 Primary Contacts

Client Technical Contact

Name: [Name]

Phone: [Number]

Email: [Email]

Available: [Hours]

Client Emergency Contact

Name: [Name]

Phone: [Number]

Tester Lead

Name: [Name]

Phone: [Number]

Email: [Email]

5.2 Escalation Procedures

  • Critical Finding: Immediate phone call + email
  • System Crash/Instability: Stop testing, notify immediately
  • Suspected Compromise (non-test): Notify immediately

5.3 Status Updates

  • [Daily/Weekly] status emails
  • Immediate notification for critical findings
  • Final report within [X] business days of test completion

6. DATA HANDLING

  • All client data will be handled as CONFIDENTIAL
  • Test data will be encrypted in transit and at rest
  • Evidence containing secrets, PII, regulated data, or exploit output will be redacted before broad distribution
  • Proof-of-concept access will use approved test records whenever possible
  • All findings and evidence will be securely deleted within [X] days
  • No client data will be shared with third parties
  • Testers will use secure, dedicated systems

7. LEGAL

  • Contractor maintains professional liability insurance of $[X]
  • Client agrees to indemnify Contractor against claims arising from authorized testing activities
  • Testing will comply with all applicable laws and regulations
  • Client confirms they have authority to authorize testing

8. SIGNATURES

Client Authorization

Name: _________________________

Title: _________________________

Signature: _________________________

Date: _________________________

Contractor Acknowledgment

Name: _________________________

Title: _________________________

Signature: _________________________

Date: _________________________

This document must be signed before testing begins.

Related Topics

Industry Standards

Pentest methodologies and standards

Legal Considerations

Legal frameworks and laws

Pre-Engagement Checklist

Complete preparation checklist