What is the purpose of ROE and scope description in a penetration test document?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

What is the purpose of ROE and scope description in a penetration test document?

Explanation:
The rules of engagement (ROE) and the scope description establish the boundaries and legal framework for a penetration test. The ROE specify what is allowed and what is not: acceptable testing techniques (for example, whether denial-of-service or social-engineering tests are permitted), how data encountered during testing is handled, escalation paths and emergency contacts, reporting formats, testing windows, and safety constraints. The scope description defines which assets are in scope (systems, IP ranges, networks, applications, locations), what is out of scope, any explicit exclusions carved out of otherwise in-scope ranges, and the testing timeline.

Together they ensure testers operate within agreed-upon limits, comply with legal and contractual requirements, and avoid unintended impact on production systems or policy violations. They also set mutual expectations for what will be tested, how findings will be reported, and what constitutes success. In practice the ROE should be signed by someone with the authority to permit testing of every listed asset, and assets hosted by a third party may additionally be subject to that provider's own testing policy. This focus is distinct from documenting network topology, assigning risk ratings to findings, or proposing a budget, which belong to other parts of the engagement process.

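The scope description only protects the client if the tester actually enforces it before a scanner or exploit is launched. The following is an added example, not code from this page or from the GPEN course, of a pre-flight scope gate: it loads a constructed scope document (placeholder in-scope ranges, explicit exclusions, and an overnight UTC testing window), applies the rule that exclusions override inclusions, and refuses every target when the current time is outside the window. It deliberately handles only IP addresses; hostnames must be resolved and their addresses re-checked, since a name in scope can resolve to an address that is not.

```python
"""Pre-flight scope gate for a penetration test: refuse to touch any target
that the scope description does not put in scope, that it explicitly excludes,
or that is requested outside the agreed testing window.

Added example for this study page; not code from the page or from the GPEN
course. Every scope value below is a constructed placeholder."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Iterable, Union

# Constructed scope document, shaped like the scope/ROE sections described
# above: in-scope ranges, explicit carve-outs, and a testing window in UTC.
SCOPE_DOC = {
    "in_scope": ["10.20.0.0/16", "192.0.2.0/24"],   # assumed client ranges
    "excluded": ["10.20.5.0/24", "192.0.2.10"],     # assumed: prod DB segment, fragile host
    "window_utc": ("22:00", "06:00"),               # assumed overnight window (wraps midnight)
}

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ScopeGate:
    in_scope: tuple[IPNet, ...]
    excluded: tuple[IPNet, ...]
    window_start: time
    window_end: time

    @classmethod
    def from_doc(cls, doc: dict) -> "ScopeGate":
        """Build a gate from a scope document; single hosts become /32 or /128 networks."""
        def nets(items: Iterable[str]) -> tuple[IPNet, ...]:
            return tuple(ipaddress.ip_network(i, strict=False) for i in items)
        start, end = (time.fromisoformat(t) for t in doc["window_utc"])
        return cls(nets(doc["in_scope"]), nets(doc["excluded"]), start, end)

    def in_window(self, now: datetime) -> bool:
        """True if `now` (timezone-aware) falls inside the agreed testing window."""
        if now.tzinfo is None:
            raise ValueError("use a timezone-aware datetime so the UTC window is unambiguous")
        t = now.astimezone(timezone.utc).time()
        if self.window_start <= self.window_end:            # e.g. 09:00-17:00
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end  # wraps midnight, e.g. 22:00-06:00

    def check(self, target: str) -> tuple[bool, str]:
        """Decide whether one IP address may be tested and say why."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False, "not an IP address; resolve the name and re-check its addresses"
        # Exclusions take precedence: a host carved out of an in-scope range stays out.
        if any(addr in net for net in self.excluded):
            return False, "explicitly excluded"
        if any(addr in net for net in self.in_scope):
            return True, "in scope"
        return False, "not in scope"

    def filter_targets(
        self, targets: Iterable[str], now: datetime
    ) -> tuple[list[str], list[tuple[str, str]]]:
        """Split targets into (allowed, rejected-with-reason). Outside the window
        nothing is allowed, whatever the address."""
        targets = list(targets)
        if not self.in_window(now):
            return [], [(t, "outside testing window") for t in targets]
        allowed: list[str] = []
        rejected: list[tuple[str, str]] = []
        for t in targets:
            ok, why = self.check(t)
            if ok:
                allowed.append(t)
            else:
                rejected.append((t, why))
        return allowed, rejected


if __name__ == "__main__":
    gate = ScopeGate.from_doc(SCOPE_DOC)
    now = datetime(2024, 3, 1, 23, 30, tzinfo=timezone.utc)  # constructed timestamp
    allowed, rejected = gate.filter_targets(
        ["10.20.1.7", "10.20.5.3", "192.0.2.10", "203.0.113.4", "db01.example"], now
    )
    print("allowed:", allowed)
    for target, why in rejected:
        print(f"rejected {target}: {why}")
```

Feed `allowed` to the scanner (for instance as an nmap target list) and log `rejected` with its reasons; the log is evidence, if a dispute arises later, that out-of-scope hosts were never touched.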
