In pen testing, the rules of engagement are a document, or a section of a document, that outlines how the pen test is to be conducted. They describe the expectations of the client and the rights and limitations of the test team.

Some facets of the rules of engagement are described in this table.

Timeline

The timeline of a pen test engagement is a clear enumeration of the tasks to be performed as part of the engagement, together with the individuals or teams responsible for each task. As the engagement progresses, stakeholders use the timeline as a progress indicator and adjust it as needed to account for unexpected events. The timeline is often shared with stakeholders in a Gantt chart format.

Location of test team

The location of the test team in relation to the client organization needs to be agreed upon. The amount of travel required, if any, depends on factors such as how many locations the organization occupies, whether remote installations are in different nations, and what remote-access technology is available for reaching multiple locations. The parties should agree on and record the travel required to conduct the pen test.

Temporal restrictions for testing

Once testing begins, are there constraints on the days and times at which testing can be performed (for example, only during agreed maintenance windows, or only outside business hours)?

Transparency of testing

At the client organization, who will know about the pen testing?

For the test team, what information will be provided prior to the start of the engagement?

Test boundaries

What's being tested, and what is not?

Which actions are acceptable, such as social engineering and physical security tasks?

If invasive attacks, such as DoS attacks, are part of the testing, are there any restrictions on their use, such as limiting them to specific systems or time windows?