Rules of Engagement
Legal
Rules of Engagement (ROE) define what is and isn't allowed during a red team operation. Without proper authorization and documented scope, red team activities can result in criminal charges, lawsuits, or termination.
CRITICAL: Get C-Suite Sign-Off
Red team operations must be authorized by C-level executives (CEO, CISO, General Counsel). Mid-level IT managers cannot authorize activities that could disrupt business operations or violate employee privacy laws.
Essential ROE Components
```markdown
# Red Team Rules of Engagement Template

## 1. Authorization
- **Authorizing Party:** John Smith, Chief Information Security Officer
- **Signed Date:** January 15, 2026
- **Engagement Duration:** February 1 - May 31, 2026 (4 months)
- **Legal Review:** Reviewed and approved by General Counsel

## 2. Scope - IN SCOPE
- **IP Ranges:** 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
- **Domains:** *.company.com, *.company.net
- **Physical Locations:** HQ (123 Main St), Data Center (456 Tech Ave)
- **Personnel:** All employees except C-suite executives
- **Methods:**
  - Phishing/spearphishing
  - Physical breaches (lock picking, tailgating)
  - Network-based attacks
  - Credential harvesting
  - Social engineering (pretexting, vishing)

## 3. Scope - OUT OF SCOPE (Do NOT Target)
- Production database servers (10.1.5.0/24)
- Payment processing systems (PCI environment)
- Safety systems (fire, HVAC, physical security alarms)
- Third-party managed systems (cloud providers, SaaS)
- Personal devices not enrolled in MDM
- Executive assistants and C-suite offices

## 4. Notification Requirements
- **Zero Knowledge:** Blue team is NOT notified
- **Emergency Contact:** CISO (555-1234), available 24/7
- **Stop Conditions:** If business operations are disrupted, halt immediately

## 5. Objective
Simulate APT29-style attack to test detection and response capabilities:
- Goal: Exfiltrate 10GB of sensitive data from file server
- Success Criteria: Data exfiltrated without detection

## 6. Data Handling
- All captured credentials must be stored encrypted
- Exfiltrated data must be deleted after engagement
- Screenshots may be taken for reporting (redact PII)
- No data may be shared outside red team

## 7. Incident Response Protocol
If detected by blue team:
- Continue engagement unless explicitly told to stop
- Do NOT reveal red team status to tier-1 SOC analysts
- Only CISO may invoke "stop" command

## 8. Post-Engagement
- All persistence mechanisms removed within 48 hours
- Comprehensive debrief with blue team
- Deliver executive report within 2 weeks
- Conduct purple team exercises to validate detections

## 9. Liability and Indemnification
Company agrees to indemnify and hold harmless the red team from any liability arising from authorized activities conducted within the scope of this engagement.

---
**Signatures:**

CISO: _____________________ Date: _______
Red Team Lead: _____________ Date: _______
General Counsel: ___________ Date: _______
```
Common ROE Pitfalls
- Vague Scope: "Test all systems" is too broad. Define explicit IP ranges, domains, and systems.
- Missing Stop Conditions: Define criteria for halting (e.g., "If production database becomes unresponsive")
- No Data Handling Policy: Specify how captured credentials, PII, and sensitive data will be protected
- Inadequate Authorization: Email approval is not enough—get wet signatures on formal documents
- No Emergency Contact: Ensure 24/7 contact with someone who can authorize "stop"
Document Everything
Maintain a detailed log of all activities with timestamps. If questioned by law enforcement or legal counsel, you must be able to prove that every action was authorized and within scope.
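The two points above, an explicit scope definition and a timestamped record of every action, can be enforced in tooling rather than left to memory. The following is an added example, not code from the original article: it loads the template's sample IP ranges, domain patterns and exclusions as data, refuses any target that is not provably in scope (an exclusion always wins over an overlapping in-scope range, and a `*.company.com` wildcard covers subdomains but not the apex), and appends a timestamped entry for every decision so the log shows both what was done and what was refused. The CIDRs and domains are the template's sample values; the function names, the log format and the `out_hosts` list are this example's own assumptions.

```python
"""Scope guard and activity log for a red team engagement (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    in_networks: list   # ipaddress network objects that are authorized
    in_domains: list    # patterns such as "*.company.com" (lowercased)
    out_networks: list  # exclusions; always take precedence over in_networks
    out_hosts: set      # explicit hostnames that must never be touched


def parse_scope(in_ranges, in_domains, out_ranges, out_hosts=()):
    """Build a Scope from the strings as they appear in the ROE document."""
    return Scope(
        in_networks=[ipaddress.ip_network(r, strict=False) for r in in_ranges],
        in_domains=[d.lower() for d in in_domains],
        out_networks=[ipaddress.ip_network(r, strict=False) for r in out_ranges],
        out_hosts={h.lower() for h in out_hosts},
    )


def _domain_matches(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        # Wildcard covers subdomains only; the apex must be listed explicitly.
        # endswith(".company.com") also rejects look-alikes such as evil-company.com.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def check_target(scope, target):
    """Return (allowed, reason) for an IP address or hostname.

    Exclusions are evaluated first so that an out-of-scope subnet nested inside
    an in-scope range (10.1.5.0/24 inside 10.0.0.0/8) is still refused.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in n for n in scope.out_networks):
            return False, "explicitly out of scope"
        if any(ip in n for n in scope.in_networks):
            return True, "within authorized IP range"
        return False, "not in any authorized IP range"
    if target.lower().rstrip(".") in scope.out_hosts:
        return False, "explicitly out of scope"
    if any(_domain_matches(target, p) for p in scope.in_domains):
        return True, "matches authorized domain pattern"
    return False, "not in any authorized domain"


class ActivityLog:
    """Append-only, UTC-timestamped record of every scope decision."""

    def __init__(self):
        self.entries = []

    def record(self, operator, action, target, allowed, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "operator": operator,
            "action": action,
            "target": target,
            "allowed": allowed,
            "reason": reason,
        }
        self.entries.append(entry)
        return entry


def authorize(scope, log, operator, action, target):
    """Gate an action on the scope check; the outcome is logged either way."""
    allowed, reason = check_target(scope, target)
    log.record(operator, action, target, allowed, reason)
    return allowed


# Sample values copied from the ROE template above.
TEMPLATE_SCOPE = parse_scope(
    in_ranges=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"],
    in_domains=["*.company.com", "*.company.net"],
    out_ranges=["10.1.5.0/24"],
)

if __name__ == "__main__":
    log = ActivityLog()
    for t in ["10.2.3.4", "10.1.5.20", "8.8.8.8", "intranet.company.com", "company.com"]:
        print(t, authorize(TEMPLATE_SCOPE, log, "operator-1", "host-discovery", t))
    for e in log.entries:
        print(e)
```

Refused targets are logged as deliberately as permitted ones; a record that shows the team stopped at the boundary of the PCI subnet is exactly the evidence the "Document Everything" rule is asking for.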
Legal Considerations by Country
🇺🇸 United States
The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access, so explicit authorization is required. The Wiretap Act restricts intercepting communications.
🇪🇺 European Union
GDPR applies to any personal data accessed during the engagement. Notify the Data Protection Officer (DPO) before the engagement begins. The Computer Misuse Act (UK) and similar national laws require authorization.
🇨🇦 Canada
Criminal Code Section 342.1 criminalizes unauthorized computer access. PIPEDA governs personal information handling.