833-847-3280
Schedule a Call

What Are Rules of Engagement in Pen Testing?

Computer with MainNerve Rules of Engagement document open on it

If you think the Rules of Engagement sound like a war movie, you’re not alone.  In the penetration testing world, it’s more about cyber warfare, indirectly.

What is it?

Proactive penetration testing can help combat would-be attackers by identifying vulnerabilities before they do.  The Rules of Engagement, or ROE, is a document that any reputable penetration testing company should put in place before testing begins.

The Rules of Engagement

ROE is the scope, or limits, of the tests. The ROE includes the dates and times that testing will be performed; what IP addresses the tester will be using to conduct the tests, and what devices or web applications will be in scope, specifically identified by IPs and urls. The ROE may also include a list of IPs or hostnames that off limits, or out of scope.

It should have the penetration tester’s contact information or someone who can directly assist you during testing.  There may be times where you will want to speak with the tester, especially if things are transpiring on your network during the active testing.

This happened to a client of MainNerve’s.  The client’s internet line was not up and running at the time of their annual penetration test. This is most likely because of a fiber cut from construction.  The client called to see if it was from MainNerve testing, but our tester hadn’t engaged yet.

The Rules of Engagement and MainNerve

The Rules of Engagement provides information on how the tester will communicate with your team.  MainNerve testers will always reach out before testing to ensure that your team is aware he or she will be actively engaging your systems.  Additionally, if there are any high or critical vulnerabilities, you will be notified immediately.

There should be a game plan as to what will transpire with the data discovered during testing, and a listed project schedule secondary to multi-day testing.  The ROE should also define the methodology, or approach, employed during testing, such as black box, grey box, or white box.

The importance of Rules of Engagement cannot be overstated.  They define what is to be tested, how it is to be tested, and when it is to be tested. It identifies the testers and gives you a clear line of communication to them, and they to you. They give clear limits and requirements to ensure that the systems and services you need to be tested are tested and that any systems you do not want tested are not.

Latest Posts

A transparent image used for creating empty spaces in columns
Meeting the Mark: PCI DSS 4.0 Penetration Testing Reporting
As cyber threats grow more complex and persistent, regulatory frameworks like PCI DSS 4.0 have evolved to demand more rigorous and transparent security practices. One of the key updates in PCI DSS 4.0 is the enhanced requirement for penetration testing reports, pushing organizations to go…
A transparent image used for creating empty spaces in columns
Penetration Test Report Analysis: How to Understand and Act on Findings
A penetration test, also known as a pen test, is a crucial cybersecurity measure that enables organizations to identify vulnerabilities in their networks, applications, and security controls. However, the real value of a penetration test lies in how well an organization can interpret the findings…
A transparent image used for creating empty spaces in columns
PCI DSS 4.0: Security Controls with Penetration Testing
The release of PCI DSS 4.0 introduces significant enhancements to the security landscape, particularly in the area of security controls and penetration testing. While penetration testing has always been a critical component in identifying vulnerabilities within a network or system, the updated PCI DSS standards…
A transparent image used for creating empty spaces in columns
Custom Social Engineering Tests vs. Generic Ones
Social engineering attacks remain one of the most effective ways cybercriminals gain access to sensitive information, systems, and financial assets. Phishing, pretexting, baiting, and other manipulative tactics exploit human psychology, making it difficult to defend against using technical measures alone. Organizations often use social engineering…
A transparent image used for creating empty spaces in columns
PCI DSS 4.0: A Layered Penetration Testing Approach
 With the release of PCI DSS 4.0, penetration testing requirements have evolved to enforce a layered approach to security. This update ensures that organizations assess vulnerabilities at both the network and application layers, creating a more comprehensive security posture to protect payment card data.…
A transparent image used for creating empty spaces in columns
The Ultimate Guide to Web Application Security Testing
Web applications are at the core of digital business operations, making them a prime target for cybercriminals. A successful attack on a vulnerable web application can lead to data breaches, financial losses, reputational damage, and compliance violations. To safeguard against these risks, organizations must conduct…
More Posts
contact

Our Team

Name(Required)
This field is for validation purposes and should be left unchanged.
quick links to

Our Services

  • Network Penetration Testing
    •
  • Web Application Penetration Testing
    •
  • API Testing
    •
  • Network Vulnerability Scanning
    •
  • Mobile Application Penetration Testing
    •
  • WiFi Testing
    •
  • Web Application Vulnerability Scanning
    •
  • Security Risk Assessments
    •
    call our security experts 833-847-3280

    833-847-3280

    Careers

    On Load
    Where? .serviceMM
    What? Mega Menu: Services
    Call
    Visit

    833-847-3280

    201 E Pikes Peak Ave Suite 2025
    Colorado Springs, CO 80903