Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Pentesting without explicit written authorisation is illegal in most jurisdictions: the difference between security work and a computer-misuse charge is a signed document. The authorisation also has to come from someone entitled to give it; a client cannot authorise testing of systems they do not own or control, such as a third-party SaaS provider or shared hosting, and cloud providers publish their own rules for testing tenant workloads. Every engagement therefore starts with a written Rules of Engagement (RoE): in-scope assets, out-of-scope assets, test windows, allowed techniques, emergency contacts, deliverable format. The RoE (together with the contract or statement of work it is attached to) is the authorisation; nothing happens before it's signed.
Sample RoE clauses: 'Scope: *.acme.com web tier, excluding payments.acme.com. Timing: 22:00-06:00 GMT, Mon-Fri. Forbidden: denial-of-service, social engineering of customers (employees in scope), data exfiltration beyond proof-of-concept (1KB max). Emergency: +44 7700 900123, available 24/7. Deliverable: written report within 7 days of engagement end.'
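Clauses like these are only useful if the tooling honours them, so a common habit is to encode the RoE in a pre-flight guard that every scanner or script consults before touching a target. The block below is an added example, not code from the lesson; it transcribes the sample clauses into constants and checks a proposed action (host, timestamp, proof-of-concept size) against them. Two readings are assumptions and are marked as such: "Mon-Fri" is taken to mean the night the window opens (Friday 22:00 to Saturday 06:00 is inside, Sunday 22:00 to Monday 06:00 is not), and GMT is treated as UTC. The `gmt()` helper and the 2024-06-03 sample dates are constructed for the demonstration.

```python
"""Pre-flight scope guard encoding the sample RoE clauses.

Added example, not part of the original lesson. Clause values are taken
from the sample RoE text; the "window opens on an allowed day" reading of
Mon-Fri and the GMT == UTC treatment are assumptions.
"""
from datetime import datetime, time, timedelta, timezone
import fnmatch

# --- RoE clauses, transcribed from the sample text -----------------------
IN_SCOPE = ["*.acme.com"]             # "Scope: *.acme.com web tier"
OUT_OF_SCOPE = ["payments.acme.com"]  # "excluding payments.acme.com"
WINDOW_OPEN = time(22, 0)             # "Timing: 22:00-06:00 GMT"
WINDOW_CLOSE = time(6, 0)
ALLOWED_DAYS = {0, 1, 2, 3, 4}        # "Mon-Fri": Monday == 0 in Python
MAX_EXFIL_BYTES = 1024                # "1KB max" (assumed to mean 1024 bytes)


def gmt(year, month, day, hour, minute=0):
    """Constructed helper: build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def host_in_scope(host: str) -> bool:
    """Exclusions win over inclusions. Matching is case-insensitive and
    anchored to the whole name, so www.acme.com.evil.net does not match,
    and neither does the bare apex acme.com (not covered by *.acme.com)."""
    host = host.strip().lower().rstrip(".")
    if any(fnmatch.fnmatchcase(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in IN_SCOPE)


def in_test_window(when: datetime) -> bool:
    """True if `when` lies inside a window that opened on an allowed day.

    Naive datetimes are rejected rather than silently assumed to be GMT."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    when = when.astimezone(timezone.utc)      # assumption: GMT == UTC
    t = when.time()
    if t >= WINDOW_OPEN:                      # evening half: opened today
        return when.weekday() in ALLOWED_DAYS
    if t < WINDOW_CLOSE:                      # morning half: opened yesterday
        return (when - timedelta(days=1)).weekday() in ALLOWED_DAYS
    return False                              # 06:00 sharp is already closed


def preflight(host: str, when: datetime, exfil_bytes: int = 0) -> list:
    """Return every RoE violation for a proposed action; empty list == go."""
    problems = []
    if not host_in_scope(host):
        problems.append(f"{host} is not in scope")
    if not in_test_window(when):
        problems.append(f"{when.isoformat()} is outside the test window")
    if exfil_bytes > MAX_EXFIL_BYTES:
        problems.append(
            f"{exfil_bytes} bytes exceeds the {MAX_EXFIL_BYTES}-byte PoC limit")
    return problems


if __name__ == "__main__":
    # Constructed sample run: 2024-06-03 is a Monday.
    monday_night = gmt(2024, 6, 3, 23)
    for host, when, nbytes in [
        ("www.acme.com", monday_night, 512),
        ("payments.acme.com", monday_night, 0),
        ("www.acme.com", monday_night.replace(hour=12), 2048),
    ]:
        print(host, when.isoformat(), preflight(host, when, nbytes) or "GO")
```

Two caveats the guard makes visible. First, a hostname pattern says nothing about where the name resolves: if `www.acme.com` and the excluded `payments.acme.com` share a load balancer or IP, a port scan of the former still touches the latter, so scope by IP as well as by name. Second, "GMT" is ambiguous in British summer time; write the window in UTC (or name the IANA zone) so the guard and the client's on-call engineer agree on when testing is allowed.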
Use these three in order. Each builds on the one before.
In one paragraph, explain why authorisation is the foundation of pentesting.
Walk me through drafting an RoE for an external web pentest.
Design RoE language for a continuous pentest engagement (red team retainer).