# Rules of Engagement

## Overview

The **Rules of Engagement** document is one that we have to sign with the client after the **Quote** and the **Master Service Agreement** are signed.

This document lays out exactly what you **CAN** and **CAN'T** do. Reading it thoroughly and following it ensures that there won't be any legal issues in the future if you have an oopsie.

## Basics of an ROE

* Roles and Responsibilities
  * Penetration team
  * Client company
  * Customer Point of Contact (CPOC)
    * Person from the client company that is responsible for direct communication and coordination with the penetration team in case things go down
  * Penetration Team Point of Contact
* Rules of Engagement
  * Dates of Test - Start to Finish
  * Disclosures and Status Updates
  * Scope
    * CIDR Networks
    * Individual IP addresses
    * **NOTHING OUTSIDE OF THE SCOPE SHOULD BE ATTACKED**
  * Malware Emulation Testing
    * Heads up that malware may be dropped onto the system
    * Make sure the client notifies the penetration team if they detect it; Kudos to the client
  * Bounds of the test
  * Stop Point and Keeping access
  * Announcement
    * Any scanning won't be announced by the client to their staff
  * Project Closure - a week or two after the assessment ended
  * Post Mortem - Giving a report to explain attacks and findings
  * Out of Scope
    * Denial of Service (DoS) attacks against production infrastructure
    * Social engineering attacks
      * We are strictly attacking the **infrastructure** and **not people**
    * **DO NOT DO THE THINGS LISTED**
  * Disclaimer
    * Stating you may use commercial or common tools that may impede system performance, crash production systems and permit unapproved access
    * State that the client understands this
* Acceptance
  * **DO NOT** perform a penetration test until the document is signed
  * Always double and triple check that it is signed
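
A pre-flight gate built from the ROE fields listed above (acceptance, dates of test, scope), shown as an added example that is not part of the original playbook. The `RulesOfEngagement` class, the `check_target` and `split_targets` functions, the dates and the addresses (documentation ranges) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RulesOfEngagement:
    signed: bool   # Acceptance: has the client signed the document?
    start: date    # Dates of Test, first day
    end: date      # Dates of Test, last day
    scope: tuple   # CIDR networks and individual IP addresses

    def networks(self):
        # Strict parsing: an entry such as "203.0.113.5/24" raises ValueError
        # instead of silently widening the scope to the whole /24.
        return [ipaddress.ip_network(entry) for entry in self.scope]


def check_target(roe, target, today):
    """Return (allowed, reason) for one target on the given day."""
    if not roe.signed:
        return False, "ROE is not signed"
    if not roe.start <= today <= roe.end:
        return False, "outside the agreed test dates"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are refused here: scope is defined by address.
        return False, "not an IP address"
    if any(addr in net for net in roe.networks()):
        return True, "in scope"
    return False, "not listed in scope"


def split_targets(roe, targets, today):
    """Partition a target list into allowed targets and rejected ones with reasons."""
    allowed, rejected = [], {}
    for target in targets:
        ok, reason = check_target(roe, target, today)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = reason
    return allowed, rejected


# Constructed sample ROE (RFC 5737 documentation addresses, made-up dates).
SAMPLE_ROE = RulesOfEngagement(
    signed=True, start=date(2024, 3, 4), end=date(2024, 3, 15),
    scope=("203.0.113.0/24", "198.51.100.7"),
)
```

Feeding every target list through `split_targets` before a tool runs keeps a mistyped address or an expired test window from turning into out-of-scope traffic.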

