833-847-3280
Schedule a Call

What Are Rules of Engagement in Pen Testing?

Rules of Engagement

If you think the Rules of Engagement sound like a war movie, you’re not alone.  In the penetration testing world, it’s more about cyber warfare, indirectly.

What is it?

Proactive penetration testing can help combat would-be attackers by identifying vulnerabilities before they do.  The Rules of Engagement, or ROE, is a document that any reputable penetration testing company should put in place before testing begins.

The Rules of Engagement

ROE is the scope, or limits, of the tests. The ROE includes the dates and times that testing will be performed; what IP addresses the tester will be using to conduct the tests, and what devices or web applications will be in scope, specifically identified by IPs and urls. The ROE may also include a list of IPs or hostnames that off limits, or out of scope.

It should have the penetration tester’s contact information or someone who can directly assist you during testing.  There may be times where you will want to speak with the tester, especially if things are transpiring on your network during the active testing.

This happened to a client of MainNerve’s.  The client’s internet line was not up and running at the time of their annual penetration test. This is most likely because of a fiber cut from construction.  The client called to see if it was from MainNerve testing, but our tester hadn’t engaged yet.

The Rules of Engagement and MainNerve

The Rules of Engagement provides information on how the tester will communicate with your team.  MainNerve testers will always reach out before testing to ensure that your team is aware he or she will be actively engaging your systems.  Additionally, if there are any high or critical vulnerabilities, you will be notified immediately.

There should be a game plan as to what will transpire with the data discovered during testing, and a listed project schedule secondary to multi-day testing.  The ROE should also define the methodology, or approach, employed during testing, such as black box, grey box, or white box.

The importance of Rules of Engagement cannot be overstated.  They define what is to be tested, how it is to be tested, and when it is to be tested. It identifies the testers and gives you a clear line of communication to them, and they to you. They give clear limits and requirements to ensure that the systems and services you need to be tested are tested and that any systems you do not want tested are not.

Latest Posts

A transparent image used for creating empty spaces in columns
Penetration Testing in PCI DSS 4.0: A Proactive Defense Strategy
The latest version of the Payment Card Industry Data Security Standard (PCI DSS 4.0) has made it clear that penetration testing is no longer a mere compliance checkbox—it’s a critical security measure that every business handling cardholder data must prioritize. The updated standard introduces a…
A transparent image used for creating empty spaces in columns
Common Methods of Social Engineering Attacks
Social engineering attacks come in many forms, each tailored to exploit specific vulnerabilities. Types of Social Engineering Attacks Here are some of the most common methods: Phishing Phishing is the most prevalent form of social engineering. Attackers send fraudulent emails or messages that appear to…
A transparent image used for creating empty spaces in columns
Defending Cardholder Data: Why Penetration Testing for PCI DSS is Essential
In today’s rapidly evolving cybersecurity landscape, protecting sensitive cardholder data has become more critical than ever. With the rise of sophisticated cyberattacks, meeting compliance requirements such as PCI DSS (Payment Card Industry Data Security Standard) is essential—not just for avoiding fines but also for maintaining…
A transparent image used for creating empty spaces in columns
The Business Case for Penetration Testing
In the ever-evolving world of cybersecurity, penetration testing (pen testing) stands out as a critical component of an effective defense strategy. For MSPs (Managed Service Providers) and MSSPs (Managed Security Service Providers), the value of pen testing goes beyond identifying vulnerabilities—it’s about proving value to…
A transparent image used for creating empty spaces in columns
PCI DSS 4.0 Compliance Requirements for Different Merchant Levels
 With less than three months remaining until the deadline for PCI DSS 4.0 compliance, now is the time to assess your business’s status and determine what steps you need to take. The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements to…
A transparent image used for creating empty spaces in columns
Understand Attack Surfaces: Types, Vectors, and How to Protect Your Org
In today’s increasingly digital world, organizations face a growing number of threats from cybercriminals seeking to exploit weaknesses in systems, networks, and even human behavior. Understanding your attack surface—the totality of vulnerabilities and entry points an attacker could exploit—is essential for protecting your business. Whether…
More Posts
contact

Our Team

Name(Required)
This field is for validation purposes and should be left unchanged.
quick links to

Our Services

  • Network Penetration Testing
    •
  • Web Application Penetration Testing
    •
  • API Testing
    •
  • Network Vulnerability Scanning
    •
  • Mobile Application Penetration Testing
    •
  • WiFi Testing
    •
  • Web Application Vulnerability Scanning
    •
  • Security Risk Assessments
    •
    call our security experts 833-847-3280

    833-847-3280

    Careers

    On Load
    Where? .serviceMM
    What? Mega Menu: Services
    Call
    Visit

    833-847-3280

    201 E Pikes Peak Ave Suite 2025
    Colorado Springs, CO 80903