Planning & Scopping

Before we can do a PenTest we must first figure out what should be tested. This is the scope of the test. The scope of a test will determine what can be done and how the pentesters time will be spent. You must work with a person or an organization to determine what the scope will be and gain an understanding of the following:

• Why is this test being done?

• Is this for compliance or business needs?

• What systems, services, and networks should be tested?

• What time can the systems, services and networks be tested?

• What cannot be accessed or tested?

• Are there are techniques that should be avoided?

• Is there any information that should not be accessed?

• Who should the final report be sent to?

Visit The Penetration Testing Execution Standard site as it is a great resource and can provide valuable information that can help you throughout this course and later when conducting a pentest.

Rules of engagement (RoE) are guidelines and agreements that outline the scope, limitations, and expectations of a pentest. They are established between the organization undergoing the test (the client) and the team performing the test (the penteste). Keep in mind that the RoE can vary, but I have provided below some example items that you might see in a RoE.

1. Scope: The RoE should clearly define the systems, networks, applications, or infrastructure that are within the scope of the pentest. It specifies what is permitted to be tested and what should be excluded from the assessment.

2. Testing Methods: The RoE should outline the specific techniques, tools, and approaches that are permissible during the pentest. It clarifies the rules and limitations regarding the use of various attack vectors, social engineering techniques, and exploitation methods.

3. Timing and Schedule: The RoE may specify the duration of the pentest, including start and end dates. It should also include any blackout periods or specific times when testing should be avoided to minimize disruption to business operations.

4. Legal and Compliance Considerations: The RoE should address legal and compliance requirements. It should ensure that the pentest is conducted within the bounds of applicable laws, regulations, and industry standards. Any necessary permissions, waivers, or legal documentation should be defined.

5. Reporting and Documentation: The RoE should outline the format, content, and timeline for delivering the pentest report. It may specify the level of detail expected, including vulnerabilities discovered, recommended remediation steps, and an executive summary.

6. Data Protection and Confidentiality: The RoE should address the protection of sensitive data and ensure that appropriate measures are in place to safeguard confidential information obtained during the pentest. It may include provisions for data handling, encryption, storage, and destruction.

7. Communication Channels: The RoE may define the channels and contacts through which the pentester can communicate with the client. It ensures a clear line of communication for sharing findings, clarifying questions, and coordinating actions during the assessment.

8. Incident Response and Escalation: The RoE should outline procedures for reporting and handling any unintended impact or incidents that occur during the pentest. It should establish the protocols for escalating critical issues and engaging the appropriate personnel.

9. Limitations and Exclusions: The RoE should explicitly state any restrictions or exclusions, such as not targeting certain systems or avoiding certain types of attacks. It ensures that the pentest is conducted within the agreed-upon boundaries.

10. Termination Clause: The RoE may include provisions for terminating the pentest in case of unforeseen circumstances or if the client or pentester believes it is necessary to stop the assessment.

By establishing clear rules of engagement, both the client and the pentester can have a mutual understanding of the objectives, boundaries, and expectations of the pentest. This helps ensure a productive and effective assessment while maintaining a controlled and secure testing environment.

The Contract

Statement of Work (SOW): defines the specific tasks, deliverables, timelines, and expectations for a project or engagement. It is typically created as part of a contract or agreement between a client and a service provider or vendor. The SOW outlines the scope of work and provides a detailed description of the project's objectives, requirements, and deliverables.

Master Service Agreement (MSA): a contractual agreement between two parties that establishes the terms and conditions for future transactions or engagements. It serves as a framework or foundation for the ongoing business relationship between the parties involved. 

Service Level Agreement (SLA): a contractual agreement between a service provider and a customer that outlines the level of service expected and the metrics used to measure and ensure the quality of that service.

Statement of Objectives (SOO): a document that outlines the high-level goals, requirements, and desired outcomes of a project, program, or contract.

Nondisclosure Agreements (NDAs): a legal contract between two or more parties that aims to protect sensitive information or trade secrets shared between them.

Confidentiality Agreements (CA): Another name for a NDA.