Rules of Engagement That Actually Work

Rules of Engagement are one of the most important parts of a professional security assessment. They define what is allowed, what is prohibited, who is authorized to make decisions, and how testing should be handled if unexpected risk appears.

A well-written Rules of Engagement document protects both the client and the testing team. It keeps the assessment focused, reduces business disruption, and ensures that testing remains authorized, controlled, and useful.

Why Rules of Engagement Matter

Security testing without clear boundaries can create confusion. Teams may disagree about which systems are in scope, whether certain techniques are allowed, or how quickly an issue should be escalated.

Rules of Engagement remove that uncertainty. They create a shared operating model before testing begins.

A strong Rules of Engagement document should answer:

  • Which assets are in scope?
  • Which assets are out of scope?
  • What testing windows are approved?
  • Which techniques are prohibited?
  • Who should be contacted during an incident?
  • What evidence can be collected?
  • How should critical findings be reported?
  • What happens if sensitive data is encountered?

Scope Must Be Specific

Scope should never be vague. A statement such as "test our website" is not enough. The document should list domains, subdomains, IP addresses, applications, APIs, cloud accounts, test accounts, and environments.

For example, instead of saying:

"Test the customer portal."

Use:

"In scope: https://app.examplecorp.test, https://api.examplecorp.test/v1, staging environment only, using the approved test accounts listed in the authorization document."

Specific scope prevents accidental testing of third-party systems, production assets, or environments that were not approved.
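A specific scope is only useful if the team actually checks targets against it before testing. The following added example (not tooling from the original post or from Stealth Layer Security) shows one way to turn the scope statement above into a machine-readable list and a guard function. The scope entries, the `/v1/payments` carve-out and the `10.20.30.0/24` range are constructed for illustration; the checker treats explicit out-of-scope entries as overriding in-scope ones and anything unlisted as out of scope by default.

```python
"""Scope guard for a Rules of Engagement document (hypothetical example).

Supports the entry styles a scope statement usually contains: a URL with an
optional path prefix, an exact hostname, a wildcard subdomain ("*.suffix"),
and an IP address or CIDR range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed scope, modelled on the post's example statement.
SCOPE = {
    "in": [
        "https://app.examplecorp.test",           # any path on this host
        "https://api.examplecorp.test/v1",        # only the /v1 prefix
        "*.staging.examplecorp.test",             # any staging subdomain
        "10.20.30.0/24",                          # hypothetical staging range
    ],
    "out": [
        "https://api.examplecorp.test/v1/payments",  # hypothetical carve-out
        "10.20.30.250",                              # hypothetical shared host
    ],
}


@dataclass(frozen=True)
class Rule:
    host: Optional[str] = None      # exact hostname match
    suffix: Optional[str] = None    # ".staging.examplecorp.test" for "*.staging..."
    net: Optional[ipaddress._BaseNetwork] = None
    path: str = ""                  # URL path prefix; "" means any path


def parse_rule(entry: str) -> Rule:
    """Turn one scope line into a Rule."""
    if "://" in entry:
        u = urlparse(entry)
        return Rule(host=(u.hostname or "").lower(), path=u.path.rstrip("/"))
    if entry.startswith("*."):
        return Rule(suffix=entry[1:].lower())
    try:
        # A bare address becomes a /32 (or /128) network.
        return Rule(net=ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return Rule(host=entry.lower())


def parse_target(target: str) -> Tuple[Optional[str], Optional[ipaddress._BaseAddress], str]:
    """Normalise a target into (hostname, ip, path); exactly one of hostname/ip is set."""
    if "://" in target:
        u = urlparse(target)
        host, path = (u.hostname or "").lower(), u.path.rstrip("/")
    else:
        host, path = target.lower(), ""
    try:
        return None, ipaddress.ip_address(host), path
    except ValueError:
        return host, None, path


def matches(rule: Rule, target: str) -> bool:
    """True if the target falls under this rule."""
    host, ip, path = parse_target(target)
    if rule.net is not None:
        return ip is not None and ip in rule.net
    if rule.suffix is not None:
        return host is not None and host.endswith(rule.suffix)
    if rule.host is not None:
        if host != rule.host:
            return False
        # Path prefix match on a path-segment boundary: /v1 covers /v1/users
        # but not /v1beta.
        return path == rule.path or path.startswith(rule.path + "/")
    return False


def in_scope(target: str, scope=SCOPE) -> Tuple[bool, str]:
    """Return (allowed, reason). Out-of-scope entries win; unlisted is denied."""
    for entry in scope["out"]:
        if matches(parse_rule(entry), target):
            return False, f"explicitly out of scope: {entry}"
    for entry in scope["in"]:
        if matches(parse_rule(entry), target):
            return True, f"in scope: {entry}"
    return False, "not listed in the authorization document"


if __name__ == "__main__":
    for t in ["https://app.examplecorp.test/login", "https://api.examplecorp.test/v2",
              "https://api.examplecorp.test/v1/payments/refund", "db1.staging.examplecorp.test",
              "10.20.30.17", "10.20.30.250", "https://www.examplecorp.test"]:
        print(f"{t:50} -> {in_scope(t)}")
```

Wiring `in_scope()` in front of any scanner or tool invocation turns the scope section of the document into an enforced control rather than a reminder, and the returned reason gives an audit trail for why a target was accepted or refused.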

Authorization Comes First

Professional testing must be authorized in writing before any technical activity begins. Written authorization should include the client name, asset owner, approved scope, testing window, emergency contacts, and signature or approval from the responsible party.

This is not just a legal formality. It is an operational safeguard.

Authorization confirms that the client understands what will be tested and that the testing team has permission to proceed.

Define Prohibited Activities

Every assessment should clearly state what is not allowed. Common prohibited activities include:

  • Denial-of-service testing
  • Destructive payloads
  • Social engineering
  • Physical security testing
  • Accessing real customer data
  • Persistence mechanisms
  • Malware deployment
  • Testing outside the approved scope

This ensures the engagement stays safe and aligned with business risk tolerance.

Escalation Should Be Clear

If a critical vulnerability is discovered, the testing team should not wait until the final report. Critical findings should be escalated quickly through the approved communication channel.

A good Rules of Engagement document should define:

  • Who receives urgent notifications
  • How urgent issues are reported
  • Expected response times
  • When testing should pause
  • How remediation guidance is delivered

Final Thought

Rules of Engagement are not paperwork for the sake of paperwork. They are the control layer that makes security testing professional, safe, and useful.

At Stealth Layer Security, testing begins only after written authorization, confirmed scope, and agreed Rules of Engagement.