
Lab 1: Rules of Engagement Drafting

Week 1 graded lab. Written exercise. No tools required.


Learning objectives

  • Identify all required components of a professional Rules of Engagement document
  • Write scope language precise enough for a second tester to determine in under 30 seconds whether any given target is in or out of scope
  • Distinguish between a Statement of Work, Rules of Engagement, and authorization letter

Scenario

You have been retained by Meridian Financial Partners, a small investment advisory firm with 12 employees in a single office. They have one on-premises Windows file server, a managed-hosted public website (hosted by a third-party provider), and a small LAN with five Windows workstations. They use Microsoft 365 for email and have never had a penetration test.

The engagement is scoped as an internal network assessment. The managing partner has authorized the test. Your engagement start date is one week from today.

Specifically authorized:

  • The on-premises LAN: 192.168.10.0/24
  • The file server: 192.168.10.5

Specifically excluded:

  • The managed-hosted public website (hosted by a third-party provider; that provider has not authorized testing)
  • The Microsoft 365 environment (cloud provider; Microsoft has a separate authorization process)
  • Any traffic leaving the 192.168.10.0/24 range

Deliverable

A 1-2 page Rules of Engagement document covering all of the following components. Write it as a real document: professional formatting, complete sentences, no bullet-point placeholders.

Required sections:

1. Contact information

  • Client technical contact: name, phone, email, hours available
  • Client executive contact: the individual who authorized the test
  • Pentesting firm lead: your name and contact
  • Emergency escalation: the chain of contact if you find active compromise or accidentally cause a service disruption (24-hour contacts if the client authorizes testing outside business hours)

2. Authorized scope

  • Exact IP ranges in scope, written in CIDR notation, plus any specific hostnames in scope
  • Any specific hosts or services that are explicitly excluded from the authorized range (e.g., the managed-hosted website)
  • Third-party systems the client uses that require separate authorization before testing

3. Testing window

  • Authorized testing dates
  • Authorized testing hours (business hours only, or 24/7, or specific windows)
  • Time zone

4. Authorized test types (list each as Authorized or Prohibited)

  • Port scanning and service enumeration
  • Vulnerability scanning
  • Exploitation of discovered vulnerabilities
  • Social engineering (phishing, phone calls)
  • Physical security testing
  • Denial-of-service testing
  • Web application testing
  • Wireless testing

5. Fragile systems

Any system the client has flagged as sensitive to disruption. In this scenario: ask what software the file server is running that is business-critical. If you are uncertain, the conservative default is to avoid any action that could crash a service on a production host.

6. Incident escalation

  • What to do if you find evidence of an active breach in progress that is not the result of your own testing
  • What to do if you accidentally crash a service
  • What to do if you accidentally reach a system outside the authorized scope

7. Deliverables and timeline

  • Report format: PDF with executive summary + technical findings
  • Report delivery date
  • Oral debrief: yes/no; format; attendees

8. Data handling

  • How sensitive data encountered during the test (passwords, PII, financial records) is stored and when it is destroyed
  • How the final engagement report is transmitted (encrypted email, secure portal)

9. Authorization statement

A paragraph (not just a signature line) affirming that the undersigned individual has the authority to authorize penetration testing of the stated systems and has read and agreed to the terms above.


Grading criteria

The lab is graded on three dimensions:

Scope precision (40%): Can a second tester determine in under 30 seconds whether any given IP address is in or out of scope? The scope section must use CIDR notation with explicit exclusions. "The internal network" is not sufficient.
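One way to make the scope section of Section 2 pass this 30-second test is to write it so it can be checked mechanically. The following is an added example, not part of the lab hand-out: it encodes the scenario's authorized range and exclusions with Python's `ipaddress` module and answers the in-or-out question for a single address or a whole range. The fragile-host entry for the file server is an assumed answer to the Section 5 question, which the lab leaves for you to ask the client.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Scope as the ROE should state it: CIDR blocks, explicit carve-outs, fragile hosts."""
    authorized: list[str]                                  # client-authorized CIDR blocks
    excluded: list[str] = field(default_factory=list)      # carve-outs inside authorized blocks
    fragile: dict[str, str] = field(default_factory=dict)  # host -> handling restriction

    def __post_init__(self) -> None:
        self._auth = [ipaddress.ip_network(a) for a in self.authorized]
        self._excl = [ipaddress.ip_network(e) for e in self.excluded]
        self._frag = {ipaddress.ip_address(h): note for h, note in self.fragile.items()}

    def classify(self, target: str) -> str:
        """Answer 'in-scope', 'fragile' or 'out-of-scope' for an IP or CIDR literal.

        A range is in scope only if every address in it sits inside one authorized
        block and none of it touches a carve-out, so 192.168.10.0/23 is refused even
        though half of it is authorized. Hostnames are refused outright: the ROE
        lists addresses, so a name must be resolved and its address checked instead.
        """
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            return "out-of-scope"
        if any(net.overlaps(ex) for ex in self._excl):
            return "out-of-scope"
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in self._auth):
            return "out-of-scope"
        if net.num_addresses == 1 and net.network_address in self._frag:
            return "fragile"
        return "in-scope"


# Scenario values from the lab. The website and Microsoft 365 tenant sit outside the
# LAN, so they need no carve-out; the empty list records that this was considered.
# The fragile entry is a constructed assumption: the lab tells you to ask the client.
MERIDIAN = Scope(
    authorized=["192.168.10.0/24"],
    excluded=[],
    fragile={"192.168.10.5": "file server: no exploitation without written approval"},
)

if __name__ == "__main__":
    for t in ["192.168.10.77", "192.168.10.5", "192.168.11.1", "192.168.10.0/23", "www.example.com"]:
        print(f"{t:>18}  {MERIDIAN.classify(t)}")
```

A scope you cannot express this way (say, "the internal network") is exactly the kind the grading criterion rejects.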

Completeness (40%): All nine sections above are present and filled with substantive content (not placeholders).

Professional tone (20%): The document reads as one you would hand a real client to sign. No informal language, no technical jargon without definition, clear and direct sentences.


Submission

Submit the ROE document as a PDF or Markdown file to the course submission system before the Week 2 class.