Penetration Testing Rules of Engagement
Penetration Test Preparation Form
Introduction
Describe the purpose of pentesting and what this report contains. Include assumptions about how this report will be used and by whom. A copy will be provided to the client.
Testing Methodology
Briefly describe enough detail to help management understand the pentesting process.
Preparation – Finalize all agreed-upon tasks, responsibilities, limitations, and requirements that define this pentesting engagement
Reconnaissance – Passive information gathering
Enumeration – Active information gathering
Exploitation – The actual attempts to exploit potential vulnerabilities
Demonstrating Intrusion – Record of each successful intrusion
Post-Engagement Reporting and Debriefing – Provide the report and remediation advice as needed
Rules of Engagement
The following list includes the specific items necessary for the planning and performance of an authorized Penetration Test Engagement. This information and all other preparatory tasks must be completed before the actual pentest work begins.
In the section below, address each row with a signature or comment.
| Agreement Item | Signature or Comment |
|---|---|
| Authoritative Client Representative – The person authorized to agree to the stipulations in this document. | Name printed: Signature: |
| Current Date and Time | |
| Client Contact Name – The person the pentester can contact for further information, coordination of the engagement, and real-time assistance. | |
| Email Address | |
| Office Phone | |
| Cell Phone | |
| Primary Pentester – Full name | |
| Email Address | |
| Phone Number | |
| Cell Phone Number | |
| Target Host(s) – 127.0.0.1 | |
| Target Host Name(s) – | |
| Timeframe – Start and end dates of active tasks | |
| Start Date of Active Tasks – Tasks that interact with the target systems. | |
| Estimated Completion Date of Active Tasks | |
| Backups – The pentest operator will ensure that backups are created and verified of the system(s), data, applications, configurations, and all else that is needed in order to recover from an unexpected, unintentional, or destructive event. | |
| Disruption – The client acknowledges that there is the possibility of disruption caused by the pentesting tasks. While disruption is not intended, it could occur in the form of system unavailability, operating system disruption, slowed response time, and other unforeseeable changes to the system's typical operation. | |
| Tasks/Techniques Limitations – Note that avoiding being logged, tampering with logs, and altering production/system data or code are all considered out of scope. | |
| Denial of Service | |
| Social Engineering | |
| Online Password Guessing | |
| Establishing a remote shell | |
| Acquiring host identifying information | |
| Deliverables – A PDF report of the findings and suggested remediation will be securely delivered to the client. | |