Rules of engagement (RoE)
Definition
The written contract or pre-test agreement, signed by a party with authority over the target systems, that defines the authorised scope, permitted techniques, excluded systems, test window, escalation contacts, and emergency stop criteria for a penetration test. Without a valid RoE, a penetration test may constitute unauthorised computer access under applicable law; testers should also refuse to act on any target or technique the RoE does not explicitly authorise.
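The elements of an RoE are easiest to enforce when they are encoded as data and checked by the tooling before it touches a target. The following is an added example, not part of this glossary page or of any named project: a pre-flight scope gate that refuses an action if the target is outside the authorised scope, inside an excluded range, outside the test window, or uses a technique the RoE does not permit. The `RulesOfEngagement` structure, the function names, the contact address and the RFC 5737 / RFC 3849 documentation ranges are all constructed for illustration.

```python
"""Pre-flight RoE scope gate (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    """Machine-readable subset of an RoE (hypothetical structure)."""
    in_scope: tuple                  # CIDR strings the client authorised
    excluded: tuple                  # CIDR carve-outs; always win over in_scope
    window_start: datetime           # timezone-aware start of the test window
    window_end: datetime             # timezone-aware end of the test window
    permitted_techniques: frozenset  # e.g. {"port_scan", "web_app"}
    escalation_contact: str          # who to call when a stop criterion is hit


def check_target(roe, target, technique, now):
    """Return the RoE violations for running `technique` against `target`
    (an IPv4 or IPv6 address string) at time `now`; [] means authorised."""
    addr = ip_address(target)
    violations = []
    # Exclusions are checked first so a carve-out inside an in-scope range
    # is reported as "excluded", not silently treated as in scope.
    if any(addr in ip_network(net) for net in roe.excluded):
        violations.append("excluded")
    elif not any(addr in ip_network(net) for net in roe.in_scope):
        violations.append("out_of_scope")
    if not (roe.window_start <= now <= roe.window_end):
        violations.append("outside_window")
    if technique not in roe.permitted_techniques:
        violations.append("technique_not_permitted")
    return violations


def gate(roe, target, technique, now=None):
    """Raise PermissionError rather than let a tool proceed off-contract."""
    now = now or datetime.now(timezone.utc)
    problems = check_target(roe, target, technique, now)
    if problems:
        raise PermissionError(
            f"{technique} against {target} refused ({', '.join(problems)}); "
            f"escalate to {roe.escalation_contact} before continuing")
    return True


# Constructed RoE: documentation ranges from RFC 5737 (IPv4) and RFC 3849 (IPv6).
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24", "2001:db8::/48"),
    excluded=("192.0.2.10/32",),   # e.g. a fragile production host carved out
    window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
    permitted_techniques=frozenset({"port_scan", "web_app", "auth_testing"}),
    escalation_contact="client-secops@example.com",  # hypothetical contact
)

# Constructed timestamps inside and after the test window.
IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_target(EXAMPLE_ROE, "192.0.2.25", "port_scan", IN_WINDOW))      # []
    print(check_target(EXAMPLE_ROE, "192.0.2.10", "port_scan", IN_WINDOW))      # ['excluded']
    print(check_target(EXAMPLE_ROE, "198.51.100.7", "port_scan", IN_WINDOW))    # ['out_of_scope']
    print(check_target(EXAMPLE_ROE, "192.0.2.25", "dos", AFTER_WINDOW))         # ['outside_window', 'technique_not_permitted']
```

A target reached by pivoting from an in-scope host (the scope-creep case) fails the same check as any other out-of-scope address, which is the point: the gate does not care how the address was discovered, only whether the RoE authorises it.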
Related terms
- Attestation letter
  - A formal document issued by a qualified assessor, such as a PCI Qualified Security Assessor (QSA) or an ISO 27001 certification body,...
- Common Vulnerability Scoring System (CVSS)
  - A standardised scoring framework that rates vulnerability severity on a 0-10 scale using base metrics (attack vector, complexity, privileges required, user interaction,...
- Red team exercise
  - A full-scope adversary simulation in which a team of testers uses the full range of attack techniques (technical, social engineering, and physical)...
- Remediation verification test
  - A targeted re-test conducted after an organisation has applied fixes to vulnerabilities identified in the original penetration test. The re-test confirms that...
- Scope creep
  - The unintended expansion of a penetration test beyond the agreed boundaries, either because testers follow a vulnerability chain into an out-of-scope system...
Explained in
- Penetration Testing Scope and Audit Interface