833-847-3280
Schedule a Call

What Are Rules of Engagement in Pen Testing?

Computer with MainNerve Rules of Engagement document open on it

If you think the Rules of Engagement sound like a war movie, you’re not alone.  In the penetration testing world, it’s more about cyber warfare, indirectly.

What is it?

Proactive penetration testing can help combat would-be attackers by identifying vulnerabilities before they do.  The Rules of Engagement, or ROE, is a document that any reputable penetration testing company should put in place before testing begins.

The Rules of Engagement

ROE is the scope, or limits, of the tests. The ROE includes the dates and times that testing will be performed; what IP addresses the tester will be using to conduct the tests, and what devices or web applications will be in scope, specifically identified by IPs and urls. The ROE may also include a list of IPs or hostnames that off limits, or out of scope.

It should have the penetration tester’s contact information or someone who can directly assist you during testing.  There may be times where you will want to speak with the tester, especially if things are transpiring on your network during the active testing.

This happened to a client of MainNerve’s.  The client’s internet line was not up and running at the time of their annual penetration test. This is most likely because of a fiber cut from construction.  The client called to see if it was from MainNerve testing, but our tester hadn’t engaged yet.

The Rules of Engagement and MainNerve

The Rules of Engagement provides information on how the tester will communicate with your team.  MainNerve testers will always reach out before testing to ensure that your team is aware he or she will be actively engaging your systems.  Additionally, if there are any high or critical vulnerabilities, you will be notified immediately.

There should be a game plan as to what will transpire with the data discovered during testing, and a listed project schedule secondary to multi-day testing.  The ROE should also define the methodology, or approach, employed during testing, such as black box, grey box, or white box.

The importance of Rules of Engagement cannot be overstated.  They define what is to be tested, how it is to be tested, and when it is to be tested. It identifies the testers and gives you a clear line of communication to them, and they to you. They give clear limits and requirements to ensure that the systems and services you need to be tested are tested and that any systems you do not want tested are not.

Latest Posts

A transparent image used for creating empty spaces in columns
AI Pen Testing: Why Auditors Are Right to Ask Questions
AI is everywhere in cybersecurity right now. AI-powered threat detection, AI-driven security analytics, and AI-assisted vulnerability management. And increasingly, AI- or automated pen testing platforms are promising to replace human penetration testers. The pitch is compelling: continuous testing, faster results, lower costs, and no need…
A transparent image used for creating empty spaces in columns
Network Segmentation Failures: When One Breach Becomes Total Compromise
Your network probably looks like an open-floor-plan office. Once someone’s inside, they can go anywhere, talk to anyone, access anything. There are no walls, no locked doors, and no restricted areas. For an office space, that might encourage collaboration. For a network, it’s a security…
A transparent image used for creating empty spaces in columns
How to Implement Network Segmentation That Actually Protects You
You know network segmentation is important. You’ve heard that flat networks enable attackers to move laterally and turn a single compromise into a full breach. But how do you actually implement segmentation? What zones do you create? What firewall rules enforce them? Where do you…
A transparent image used for creating empty spaces in columns
Unpatched Systems: The Network Vulnerability Hiding in Plain Sight
Every organization knows they should patch their systems. It’s basic security hygiene, right up there with using strong passwords and backing up data. Yet unpatched vulnerabilities remain one of the most common entry points in actual breaches. Not because patching is complicated or expensive, but…
A transparent image used for creating empty spaces in columns
The Boat Is Always Taking on Water: Why Security Maintenance Never Ends
Web application security is like maintaining a boat. You inspect the hull, find a small crack, patch it, and continue sailing. A week after that, you find another crack. You patch that too. The week after that? Another crack. This continues indefinitely because boats are…
A transparent image used for creating empty spaces in columns
Multi-Factor Authentication: The Difference Between Staying Secure and Getting Breached
 Your password isn’t enough anymore. It doesn’t matter how strong it is. It doesn’t matter if it’s 16 characters with special symbols and numbers. And it doesn’t matter if you’ve never written it down or shared it with anyone. Passwords alone are no longer…
More Posts
contact

Our Team

This field is for validation purposes and should be left unchanged.
Name(Required)
quick links to

Our Services

  • Network Penetration Testing
    •
  • Web Application Penetration Testing
    •
  • API Testing
    •
  • Mobile Application Penetration Testing
    •
  • WiFi Testing
    •
  • Web Application Vulnerability Scanning
    •
  • Security Risk Assessments
    •
    call our security experts 833-847-3280

    833-847-3280

    X-twitter Facebook-f Google Linkedin-in Threads

    Careers

    On Load
    Where? .serviceMM
    What? Mega Menu: Services
    Call
    Visit

    833-847-3280

    201 E Pikes Peak Ave Suite 2025
    Colorado Springs, CO 80903