Pen Test Rules of Engagement: What You Need to Consider

Posted: August 12, 2021

In the first post of our series, Security Assessment 101: Planning a Successful Security Assessment, we detailed some of the points necessary to plan a successful security assessment, and we defined the various types of assessments organizations need to periodically conduct if they want to be sure their security posture is in good shape. In this post, we’re going to take a deeper dive into one aspect that’s critical when it comes to setting up a successful penetration test: the rules of engagement.

A lot can go wrong with a penetration test when the rules of engagement aren’t understood. A poor understanding of a penetration test’s rules of engagement can lead (and has led) to security professionals being arrested and held in jail. That’s an extreme example. Even in the milder case, failing to set and operate within proper rules of engagement means your organization gets less security improvement out of the exercise than it could.

Essentially, rules of engagement (RoE) are meant to list the details of the penetration test: exactly what will be tested, when it will be tested, how it will be tested, and who the primary contacts will be throughout the engagement. This way, both those conducting the penetration test and the organization being tested know precisely what to expect from the test. And when the assessment is complete, you’ll be able to make the best possible decisions about prioritizing changes to systems and security based on the findings.

Developing effective rules of engagement

When developing an effective RoE, one obvious (but still sometimes overlooked) aspect is establishing the specifics of what will be evaluated. For instance, an external penetration test is intended to analyze externally facing systems. But how will that test be conducted? Are any systems off-limits? Are there time limitations for active testing? Which IP addresses and domains are in scope? All of these decisions need to be made and written down in your RoE, precisely enough that a tester can check any given target and time against them before acting.
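As an added example (not code from the original post or from Set Solutions), here is one way to turn those scope decisions into a check a tester can run before every scan: the RoE's in-scope networks and domains, its explicit exclusions, and its active-testing window are encoded once, and every target/time pair is tested against them, with exclusions winning over inclusions and the overnight window handled correctly across the weekend boundary. The class and function names, the UTC-6 timezone, and every network, domain, host and time in `SAMPLE_ROE` are assumptions constructed for illustration, not values from any real engagement.

```python
"""Checking a candidate target and time against a pentest rules of engagement.

Added example, not code from the original post. Every value in SAMPLE_ROE is
constructed for illustration (IETF documentation address ranges and the
reserved example.com domain); it describes no real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    """Machine-readable subset of an RoE: what may be tested, and when."""
    in_scope_networks: list   # ipaddress.ip_network objects
    in_scope_domains: list    # apex domains; any subdomain is in scope
    excluded_hosts: set       # IPs/hostnames never to be touched, even if inside the above
    window_start: time        # start of the active-testing window, in RoE local time
    window_end: time          # end of the window; earlier than start for overnight windows
    tz: timezone              # timezone the window was written in
    weekdays_only: bool = True


def host_in_scope(roe, target):
    """Return (allowed, reason). Exclusions take precedence over inclusions."""
    target = target.strip().lower().rstrip(".")      # normalise FQDNs like "API.example.com."
    try:
        addr = ipaddress.ip_address(target)
        key = str(addr)                              # canonical string form (e.g. compressed IPv6)
    except ValueError:
        addr, key = None, target
    if key in roe.excluded_hosts:
        return False, f"{key} is explicitly excluded by the RoE"
    if addr is not None:
        for net in roe.in_scope_networks:
            if addr in net:
                return True, f"{key} is inside in-scope network {net}"
        return False, f"{key} is not in any in-scope network"
    for domain in roe.in_scope_domains:
        # Match on a label boundary: api.example.com is under example.com,
        # notexample.com is not.
        if key == domain or key.endswith("." + domain):
            return True, f"{key} is under in-scope domain {domain}"
    return False, f"{key} is not under any in-scope domain"


def _as_aware(when):
    """Accept an aware datetime or an ISO-8601 string carrying a UTC offset."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("testing-window checks need a timezone-aware datetime")
    return when


def within_testing_window(roe, when):
    """Return (allowed, reason) for the instant `when`, converted to RoE local time."""
    local = _as_aware(when).astimezone(roe.tz)
    t, start, end = local.time(), roe.window_start, roe.window_end
    if start <= end:                         # same-day window, e.g. 09:00-17:00
        in_window = start <= t < end
        window_day = local.date()
    else:                                    # overnight window, e.g. 22:00-06:00
        in_window = t >= start or t < end
        # Hours before `end` belong to the window that opened the previous evening.
        window_day = local.date() if t >= start else local.date() - timedelta(days=1)
    if not in_window:
        return False, f"{local.isoformat()} is outside the {start}-{end} testing window"
    if roe.weekdays_only and window_day.weekday() >= 5:
        return False, f"{local.isoformat()} falls in a weekend window"
    return True, f"{local.isoformat()} is inside the testing window"


def authorize(roe, target, when):
    """Gate one test action: the target must be in scope AND the time in window."""
    ok, reason = host_in_scope(roe, target)
    if ok:
        ok, reason = within_testing_window(roe, when)
    return ok, reason


# Constructed sample RoE (assumption: the window was agreed in UTC-6, weeknights only).
CT = timezone(timedelta(hours=-6))
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=[ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.0/25")],
    in_scope_domains=["example.com"],
    excluded_hosts={"203.0.113.10", "payments.example.com"},   # hypothetical off-limits hosts
    window_start=time(22, 0),
    window_end=time(6, 0),
    tz=CT,
)

if __name__ == "__main__":
    wed_night = "2021-08-11T23:30:00-06:00"
    for target in ["203.0.113.42", "203.0.113.10", "198.51.100.200",
                   "api.example.com", "notexample.com", "payments.example.com"]:
        print(f"{target:22} {authorize(SAMPLE_ROE, target, wed_night)}")
    # Saturday 01:00 local still belongs to Friday night's window.
    print(authorize(SAMPLE_ROE, "203.0.113.42", "2021-08-14T01:00:00-06:00"))
```

The point of the exclusion-first ordering is that the off-limits list in an RoE is usually written by the client to protect a specific production database or payment system that sits inside an otherwise in-scope range; a check that only tests CIDR membership would happily authorize exactly the host the client asked you not to touch. Feeding every tool invocation through something like `authorize` is also what lets you show, after the fact, that each action was inside the agreed scope and window.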

Going through this type of exercise is very important, because many details must be considered. Consider all of the decisions that should be made when reviewing web applications. Will static pages, dynamic pages, or both be evaluated? Is the source code available for review? Will the test include staging systems as well as production systems? What levels of access to the application will the assessors have? Will the assessor be given credentials to the application for any part of the test? If access is gained and the application is compromised, is it acceptable to extract data as proof, and if so, how much and what kind?

It’s essential to consider the handling of key data systems, production systems, protected sensitive data, and high-value targets. This ensures the right level of testing is conducted, and it lets the assessment team correctly estimate how many people the assessment will need and how long it will likely take to complete.

It’s essential to work with your service provider to detail all of these aspects of scope, but settling the questions above is not all that a successful penetration test requires. One of the most common mistakes is scoping the assessment incorrectly within the RoE, and that usually happens because the right people were not involved in deciding it.

To get the proper scope established, it’s crucial to have all of your key stakeholders actively involved throughout the process. This is true whether the assessment is required by a particular regulatory demand or is part of an internal security check or security policy. Typically, the request comes down from a manager or executive who needs the assessment. Make sure they are not the only voice in the discussions; include technical teams, security teams, application owners, and anyone else who may have valuable input.

When it comes to getting the most value out of an engagement, the mistake most organizations make is under-scoping the assessment. Often a company has an idea of what it needs assessed, such as a network it wants to target, but doesn’t know all of the applications that should be in scope. Or it has an application in mind but doesn’t consider the supporting systems, integrations, and related applications. It’s not until the assessment gets underway that the teams realize a proper penetration test requires many additional applications and systems to be evaluated. That’s certainly not an ideal situation.

Additionally, schedule meetings by dates or milestones so that the assessment team can keep you up to date on their status and what they’ve found, and so you can review any potential scope changes, challenges that arose, and assistance needed. Good communication, in the form of reports and reviews of documented progress, is essential to getting the most value from the assessment.

Finally, be sure both the assessment team and your team have project managers in place to pull the exercise together. The assessment team should have its own project manager to manage the consultants and keep the project running smoothly, but it’s equally important that the company being assessed has a project manager to keep communication healthy and make sure everyone has access to the resources they need.

Penetration tests are a vital part of ensuring networks and applications are as secure as they need to be. That’s why getting them right is so important, and developing an effective set of rules of engagement will go a long way toward ensuring that you get the best penetration test possible.


This blog was written by Jimmy Mejia, Principal Security Consultant at Set Solutions