833-847-3280
Schedule a Call

What Are Rules of Engagement in Pen Testing?

Computer with MainNerve Rules of Engagement document open on it

If you think the Rules of Engagement sound like a war movie, you’re not alone.  In the penetration testing world, it’s more about cyber warfare, indirectly.

What is it?

Proactive penetration testing can help combat would-be attackers by identifying vulnerabilities before they do.  The Rules of Engagement, or ROE, is a document that any reputable penetration testing company should put in place before testing begins.

The Rules of Engagement

ROE is the scope, or limits, of the tests. The ROE includes the dates and times that testing will be performed; what IP addresses the tester will be using to conduct the tests, and what devices or web applications will be in scope, specifically identified by IPs and urls. The ROE may also include a list of IPs or hostnames that off limits, or out of scope.

It should have the penetration tester’s contact information or someone who can directly assist you during testing.  There may be times where you will want to speak with the tester, especially if things are transpiring on your network during the active testing.

This happened to a client of MainNerve’s.  The client’s internet line was not up and running at the time of their annual penetration test. This is most likely because of a fiber cut from construction.  The client called to see if it was from MainNerve testing, but our tester hadn’t engaged yet.

The Rules of Engagement and MainNerve

The Rules of Engagement provides information on how the tester will communicate with your team.  MainNerve testers will always reach out before testing to ensure that your team is aware he or she will be actively engaging your systems.  Additionally, if there are any high or critical vulnerabilities, you will be notified immediately.

There should be a game plan as to what will transpire with the data discovered during testing, and a listed project schedule secondary to multi-day testing.  The ROE should also define the methodology, or approach, employed during testing, such as black box, grey box, or white box.

The importance of Rules of Engagement cannot be overstated.  They define what is to be tested, how it is to be tested, and when it is to be tested. It identifies the testers and gives you a clear line of communication to them, and they to you. They give clear limits and requirements to ensure that the systems and services you need to be tested are tested and that any systems you do not want tested are not.

Latest Posts

A transparent image used for creating empty spaces in columns
   With the release of PCI DSS 4.0, penetration testing requirements have become more rigorous. The scope has expanded to ensure comprehensive security coverage within the Cardholder Data Environment (CDE) and beyond. The enhanced scope now mandates deeper assessments, covering not just the primary…
A transparent image used for creating empty spaces in columns
Conducting internal penetration tests can be challenging for organizations with multiple locations. Unlike a single-site business, a multi-location enterprise faces a broader attack surface, diverse network configurations, and varying security postures. A well-structured penetration testing strategy is crucial to systematically evaluate security across all locations…
A transparent image used for creating empty spaces in columns
The Payment Card Industry Data Security Standard (PCI DSS) is evolving with the release of PCI DSS 4.0, introducing a stronger focus on penetration testing as part of a proactive cybersecurity strategy. Historically, penetration testing has been seen as a once-a-year compliance requirement, but with…
A transparent image used for creating empty spaces in columns
As cyber threats become more sophisticated, penetration testing has emerged as a critical security measure for businesses of all sizes. However, one of the most common questions organizations ask is: “How much does a penetration test cost?” The answer is not straightforward, as the cost…
A transparent image used for creating empty spaces in columns
The latest version of the Payment Card Industry Data Security Standard (PCI DSS 4.0) has made it clear that penetration testing is no longer a mere compliance checkbox—it’s a critical security measure that every business handling cardholder data must prioritize. The updated standard introduces a…
A transparent image used for creating empty spaces in columns
Social engineering attacks come in many forms, each tailored to exploit specific vulnerabilities. Types of Social Engineering Attacks Here are some of the most common methods: Phishing Phishing is the most prevalent form of social engineering. Attackers send fraudulent emails or messages that appear to…
contact

Our Team

Name(Required)
This field is for validation purposes and should be left unchanged.
On Load
Where? .serviceMM
What? Mega Menu: Services