Under the rules of engagement, what information should collection typically be limited to after compromising a target host?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Explanation:
Under the rules of engagement (ROE), controlling what you collect after compromising a target host is all about limiting exposure and risk. The safest, most appropriate scope is to gather configuration information only: details about the system's state such as OS version, installed patches, running services, user accounts and permissions, network settings, and security controls. This kind of information helps you assess security posture and identify misconfigurations without touching or exfiltrating sensitive data.

Access to customer data, a full system dump, or off-network data exfiltration would broaden the scope far beyond what is typically permitted in the ROE and could violate privacy, legal, and contractual constraints, as well as raise the risk of harm. Therefore, focusing on configuration information aligns with the principle of least exposure while still enabling meaningful assessment.
