Before starting a penetration test, what is required regarding the ROE?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Before starting a penetration test, what is required regarding the ROE?

Explanation:
Before starting a penetration test, you need a formal, written set of Rules of Engagement that clearly defines what is allowed, what isn’t, when the testing occurs, how data will be handled, and how findings will be reported. Putting the ROE in writing creates a concrete, referenceable boundary that helps prevent scope creep, misinterpretation, and potential legal issues.

The emphasis here is on the written form. Having the ROE documented ensures all parties share the same expectations and can refer back to a defined agreement during the engagement. While in many contexts you’ll also see sign-offs to formalize consent, the essential element is that the ROE exists in a written document. Informal or verbal agreements do not provide the same reliable protection or clarity, which is why a written ROE is the best standard practice.
