After exploit, what should you ensure you stay within to limit actions?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

After exploit, what should you ensure you stay within to limit actions?

Explanation:
The main concept being tested is staying within the agreed testing boundaries. The Rules of Engagement define exactly what actions you’re allowed to take, on which targets, during what times, and under what data-handling and escalation rules. After you’ve exploited a vulnerability, sticking to the ROE keeps your activity legal, measured, and aligned with the client’s risk tolerance, preventing scope creep or unintended disruption. The project scope sets which assets are in scope but doesn’t spell out the day-to-day conduct of exploitation; the vulnerability remediation plan is about fixing issues after discovery, not guiding tester actions; the incident response playbook is for reacting to real breaches, not for limiting tester behavior during an engagement. So, you stay within the Rules of Engagement.
