This Rules of Engagement document ("ROE") defines the technical boundaries, permissions, restrictions, and emergency procedures governing the penetration testing engagement referenced in the corresponding Statement of Work. This document must be reviewed and signed by Client's authorized technical representative before any testing commences. Any deviation from these rules requires a written amendment signed by both parties.
⚠ STOP: Read Before Signing
This document authorizes simulated cyberattack activities against the systems listed herein. Ensure all listed systems are owned by or under the lawful control of your organization. Any systems not explicitly listed are out of scope. Testing activities may trigger security alerts; coordinate with your SOC/SIEM team prior to the engagement start date.
Engagement Reference
Identification
| Field | Value |
|---|---|
| Client Organization | |
| SOW Reference | CYN-SOW- |
| Engagement Type | |
| Testing Start Date & Time | |
| Testing End Date & Time | |
| Cynetix Lead Tester | |
| Cynetix Tester IP Addresses | |
| Client Technical POC | |
Section 1
Emergency Contacts & Stop Procedures
⚠ Emergency Contact Protocol
If Client needs to immediately halt testing for any reason, contact Cynetix via the following priority order. Cynetix will cease all activities within 15 minutes of verified contact.
| Priority | Contact | Role | Phone (24/7) | Email |
|---|---|---|---|---|
| 1 - Primary | | Cynetix Lead Tester | | |
| 2 - Secondary | | Cynetix Project Manager | | |
| 3 - Escalation | | Client Technical POC | | |
| 4 - Executive | | Client Executive Sponsor | | |
Emergency Stop Phrase: " ". Upon receipt of this phrase via any channel, testing will stop immediately.
Secure Communication Channel: ☐ Signal ☐ WhatsApp ☐ Email ☐ Phone only
Section 2
Authorized (In-Scope) Systems
Testing is ONLY permitted against the following assets. Any systems not explicitly listed below are out of scope and shall not be tested.
2.1 Network / IP Ranges
| IP Range / CIDR | Description | Environment | Owner Confirmed |
|---|---|---|---|
| | | ☐ Prod ☐ Stage | ☐ Yes |
| | | ☐ Prod ☐ Stage | ☐ Yes |
| | | ☐ Prod ☐ Stage | ☐ Yes |
2.2 Web Applications / APIs
| URL / Endpoint | Application Name | Auth Required | Test Type |
|---|---|---|---|
| | | ☐ Yes ☐ No | ☐ Auth ☐ Unauth ☐ Both |
| | | ☐ Yes ☐ No | ☐ Auth ☐ Unauth ☐ Both |
| | | ☐ Yes ☐ No | ☐ Auth ☐ Unauth ☐ Both |
2.3 Cloud Accounts / Tenants
| Provider | Account / Tenant ID | Services in Scope | Authorization Obtained |
|---|---|---|---|
| ☐ AWS ☐ Azure ☐ GCP ☐ Other | | | ☐ Yes |
2.4 Mobile Applications
| App Name | Platform | Version | Test Build |
|---|---|---|---|
| | ☐ iOS ☐ Android | | ☐ Prod ☐ Test IPA/APK provided |
Section 3
Explicitly Out-of-Scope Systems & Actions
The following are strictly prohibited during this engagement:
3.1 Out-of-Scope Systems
[List any IP ranges, URLs, systems, or third-party services explicitly excluded]
3.2 Prohibited Actions
- ☐ Denial of Service (DoS) or Distributed DoS attacks of any kind;
- ☐ Physical access to Client facilities (unless explicitly authorized in SOW);
- ☐ Testing systems belonging to third parties not listed in Section 2;
- ☐ Exfiltration of real customer PII, PHI, or payment data beyond proof-of-concept (a single sample record is sufficient);
- ☐ Permanent modification or deletion of Client data;
- ☐ Installation of persistent backdoors without documented Client approval;
- ☐ Use of ransomware or any destructive malware;
- ☐ Targeting of employees' personal devices;
- ☐ Social engineering of Client employees outside the authorized scope;
- ☐ Other:
Section 4
Testing Constraints & Special Conditions
4.1 Permitted Testing Hours
☐ Unrestricted (24/7): Testing may occur at any time
☐ Business hours only: to local time, Monday to Friday
☐ After-hours only: Testing must occur outside business hours
☐ Custom window:
4.2 Destructive / High-Risk Testing
| Activity | Permitted | Conditions / Notes |
|---|---|---|
| Buffer overflow / memory corruption exploits | ☐ Yes ☐ No | |
| Active exploitation of findings (not just PoC) | ☐ Yes ☐ No | |
| Password spraying / brute force | ☐ Yes ☐ No | Max attempts: |
| Phishing email campaigns | ☐ Yes ☐ No | Target list required in advance |
| Lateral movement post-compromise | ☐ Yes ☐ No | |
| Domain controller / AD attacks | ☐ Yes ☐ No | |
| Ransomware simulation | ☐ Yes ☐ No | Isolated test systems only |
| Physical access testing | ☐ Yes ☐ No | Locations: |
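The scope, exclusion, testing-window and attempt-cap rules in Sections 2, 3.1, 4.1 and 4.2 are exactly the conditions a tester's own tooling should refuse to cross before the first packet leaves the tester IPs listed above. The following pre-flight guard is an added example written for this page; it is not part of the ROE template or of any Cynetix tooling. The `RoeScope` class and `triage` function are hypothetical, and the ranges 10.20.0.0/16 and 203.0.113.0/24, the excluded 10.20.5.0/24, the March 2024 dates and the three-attempt cap are all constructed sample values.

```python
"""Pre-flight ROE guard: refuse targets, times and credential attempts the
Rules of Engagement do not authorize. Added example, not part of the ROE
template; every CIDR, date and limit below is a constructed sample value."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _as_dt(value: Union[datetime, str]) -> datetime:
    """Accept ISO-8601 strings so the ROE's written times can be passed verbatim.
    Times are naive and interpreted in the Client's local time, as the ROE states them."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass
class RoeScope:
    """Machine-readable form of Sections 2.1, 3.1, 4.1 and the 4.2 attempt cap (hypothetical helper)."""
    in_scope: List[Net]                                  # Section 2.1 authorized ranges
    out_of_scope: List[Net]                              # Section 3.1 exclusions
    window_start: datetime                               # Testing Start Date & Time
    window_end: datetime                                 # Testing End Date & Time
    business_hours: Optional[Tuple[time, time]] = None   # None means unrestricted (24/7)
    max_auth_attempts: Optional[int] = None              # 4.2 "Max attempts" per account; None = not permitted
    _attempts: Dict[str, int] = field(default_factory=dict, init=False, repr=False)

    @classmethod
    def from_cidrs(cls, in_scope: Iterable[str], out_of_scope: Iterable[str], **kw) -> "RoeScope":
        # strict=False accepts a host address written with a prefix (e.g. 10.20.5.7/24)
        return cls([ipaddress.ip_network(c, strict=False) for c in in_scope],
                   [ipaddress.ip_network(c, strict=False) for c in out_of_scope], **kw)

    def check_target(self, target: str) -> Tuple[bool, str]:
        """Allow only IP literals inside an authorized range and outside every exclusion."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # A hostname is not an authorization: resolve it and check the address instead.
            return False, f"{target!r} is not an IP literal"
        # Exclusions are checked first, so a 3.1 host carved out of a 2.1 range stays off-limits.
        # ipaddress returns False for mixed IPv4/IPv6 membership tests, so no version check is needed.
        for net in self.out_of_scope:
            if addr in net:
                return False, f"{addr} is explicitly out of scope ({net})"
        for net in self.in_scope:
            if addr in net:
                return True, f"{addr} is in authorized range {net}"
        return False, f"{addr} is not in any authorized range"

    def check_time(self, now: Union[datetime, str]) -> Tuple[bool, str]:
        """Enforce the engagement dates and, if set, the 4.1 business-hours window."""
        now = _as_dt(now)
        if not (self.window_start <= now <= self.window_end):
            return False, "outside the engagement start/end dates"
        if self.business_hours is not None:
            start, end = self.business_hours
            if now.weekday() >= 5 or not (start <= now.time() < end):
                return False, "outside permitted testing hours"
        return True, "within the permitted window"

    def record_auth_attempt(self, account: str) -> bool:
        """Spend one attempt from the per-account budget; False means do not send the attempt."""
        if self.max_auth_attempts is None:
            return False
        used = self._attempts.get(account, 0)
        if used >= self.max_auth_attempts:
            return False
        self._attempts[account] = used + 1
        return True


def triage(scope: RoeScope, targets: Iterable[str], now: Union[datetime, str]) -> Dict[str, str]:
    """Map each candidate target to 'allow' or a denial reason; the window is checked first."""
    ok, why = scope.check_time(now)
    if not ok:
        return {t: f"deny: {why}" for t in targets}
    verdicts: Dict[str, str] = {}
    for t in targets:
        ok, why = scope.check_target(t)
        verdicts[t] = "allow" if ok else f"deny: {why}"
    return verdicts


def sample_scope() -> RoeScope:
    """Constructed sample engagement: a /16 in scope with one /24 carved out, business hours only."""
    return RoeScope.from_cidrs(
        ["10.20.0.0/16", "203.0.113.0/24"], ["10.20.5.0/24"],
        window_start=datetime(2024, 3, 4, 9, 0), window_end=datetime(2024, 3, 8, 17, 0),
        business_hours=(time(9, 0), time(17, 0)), max_auth_attempts=3,
    )


if __name__ == "__main__":
    candidates = ["10.20.1.10", "10.20.5.7", "10.21.0.1", "203.0.113.200", "app.example.com"]
    for target, verdict in triage(sample_scope(), candidates, "2024-03-05T10:00:00").items():
        print(f"{target:>16}  {verdict}")
```

Exclusions are tested before inclusions so that a host carved out in Section 3.1 is denied even though its enclosing range appears in 2.1, and hostnames are rejected outright because the ROE authorizes addresses, not names, and a name can resolve to a third party's infrastructure. The attempt budget is per account for the whole engagement; if the ROE's "Max attempts" is written per lockout window instead, reset the counter on that interval.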
4.3 SOC / SIEM Notification
☐ Blind test: Client's security team will NOT be notified. Tests SOC detection capabilities.
☐ Informed test: Client's security team WILL be notified of testing dates/times.
☐ Partial: SOC notified of testing dates but not scope or methods.
If any test activity triggers an incident response, Client's security team should contact Cynetix at the emergency contact numbers in Section 1 before escalating to law enforcement.
4.4 Data Handling During Testing
- Cynetix testers will capture the minimum data necessary to demonstrate vulnerability impact;
- Any real PII or sensitive data accessed will be documented and reported, not retained;
- All testing data (screenshots, logs, notes) stored by Cynetix will be encrypted at rest and in transit;
- Testing data will be retained for 90 days post-engagement and then securely deleted unless otherwise agreed.
Section 5
Credentials & Access Provided
The following test credentials, VPN access, or API keys are being provided to Cynetix for this engagement. Client is responsible for revoking all access immediately upon engagement completion.
| Type | Username / ID | Access Level | System / Application | Expiry |
|---|---|---|---|---|
| VPN | | | | |
| App User | | Standard User | | |
| App Admin | | Admin | | |
| Cloud IAM Role | | | | |
Passwords and secrets shall be transmitted via a separate secure channel (not included in this document).
Section 6
Client Acknowledgements
By signing this document, Client acknowledges and agrees that:
- ☐ All systems listed in Section 2 are owned by or under the lawful control of Client;
- ☐ All necessary third-party authorizations (cloud providers, ISPs, hosting providers) have been obtained;
- ☐ Client's legal counsel has reviewed and approved this engagement;
- ☐ Testing activities may cause temporary performance degradation on tested systems;
- ☐ Client has notified its cyber insurance carrier of the scheduled engagement;
- ☐ Client understands that no penetration test can guarantee complete security;
- ☐ Client accepts responsibility for obtaining appropriate authorizations from any co-tenants in shared cloud environments.
Authorization Signatures
Both parties must sign before any testing activity commences. This document serves as the binding technical authorization for the engagement.
Cynetix LLC - Lead Tester
Client - Authorized Representative