ELI5: What are Rules of Engagement?
Rules of engagement are the ground rules for a penetration test — what the testers can attack, when they can do it, and what is off limits. Like agreeing on the rules of a game before you start playing.
Definition
Rules of Engagement (ROE) is a formal, legally binding document established before a penetration test or red team engagement that defines the boundaries, authorized targets, permitted techniques, timing constraints, and emergency escalation procedures for the assessment. The ROE protects both the client and the testing team from legal exposure and ensures the assessment stays within agreed limits.
Key Details
- Defines the scope: which IP ranges, domains, applications, and systems are in scope vs. out of scope
- Specifies timing restrictions: testing hours, maintenance window avoidance, blackout dates
- Documents permitted techniques: which attack types are allowed (social engineering, physical access, etc.)
- Emergency contacts: procedures to pause testing immediately if a real incident is discovered
- Written authorization (“get-out-of-jail-free letter”) protects testers from criminal prosecution
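The scope, technique and timing rules above can be turned into a pre-flight check that a tester runs before every action. The following is an added example, not code from the original page; the ROE values in `SAMPLE_ROE` (ranges, domains, techniques, dates) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope_networks: list   # CIDR strings from the ROE scope section
    in_scope_domains: list    # domains; their subdomains count as in scope
    out_of_scope_hosts: set   # explicit exclusions always win over scope
    allowed_techniques: set   # technique names the ROE permits
    testing_window: tuple     # (start, end) local time of day
    blackout_dates: set       # "YYYY-MM-DD" strings

    def target_in_scope(self, target):
        """IP literals are matched against CIDRs, names against domains."""
        if target in self.out_of_scope_hosts:
            return False
        try:
            addr = ip_address(target)
        except ValueError:  # not an IP literal, so treat it as a hostname
            return any(target == d or target.endswith("." + d)
                       for d in self.in_scope_domains)
        return any(addr in ip_network(n) for n in self.in_scope_networks)

    def violations(self, target, technique, when):
        """Return every reason the action is NOT authorised; empty means go."""
        when = datetime.fromisoformat(when) if isinstance(when, str) else when
        reasons = []
        if not self.target_in_scope(target):
            reasons.append(f"target {target} is out of scope")
        if technique not in self.allowed_techniques:
            reasons.append(f"technique '{technique}' is not permitted")
        if when.date().isoformat() in self.blackout_dates:
            reasons.append(f"{when.date()} is a blackout date")
        start, end = self.testing_window
        if not start <= when.time() <= end:
            reasons.append(f"{when.time()} is outside the testing window")
        return reasons


# Constructed sample ROE; every value here is made up for illustration.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["10.10.0.0/24"],
    in_scope_domains=["staging.example.com"],
    out_of_scope_hosts={"10.10.0.5"},          # e.g. a production database
    allowed_techniques={"vuln_scan", "web_app_testing"},
    testing_window=(time(9, 0), time(17, 0)),
    blackout_dates={"2024-12-24"},
)
```

An empty list from `violations()` means the action is inside the agreed limits; anything else is a reason to stop and consult the ROE contacts before proceeding.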
Connections
- Parent: penetration-testing — ROE is a prerequisite legal document for any penetration test
- See also: testing-types