Rules of Engagement (ROE) is a document created at the initial stages of a pentesting engagement. It consists of three main sections, which are ultimately responsible for deciding how the engagement is carried out.
[!tip] It's not the same as the SOW
This might be a bit tricky, but the SOW is what you promise to do and the ROE is what you promise not to do.
- Permission
- gives explicit permission for the engagement to be carried out. This permission is essential to legally protect the individuals and organisations involved for the activities they carry out.
- Test Scope
- lists the specific targets to which the engagement applies (e.g. certain servers or apps, but not the entire network)
- Rules
- defines exactly which techniques are permitted during the engagement (e.g. phishing attacks are prohibited, but MITM is okay)