Case file

ROE, ethics hats, methodologies, and ACME engagement close

Foundations program engagement: defined White/Black Hat boundaries and Rules of Engagement; mapped Information Gathering, OSSTMM, and OWASP methodologies; closed a guided ACME infrastructure exercise with THM{PENTEST_COMPLETE}.

Foundations18 minPenetration Testing · ROE · Ethics · Methodology
  • Briefed authorized audit vs criminal intrusion; documented ROE sections; selected methodology frameworks; completed ACME staged pentest exercise.

  • Captured ethics/ROE answers and the ACME engagement artifact.

01

Engagement summary

Briefed authorized audit vs criminal intrusion; documented ROE sections; selected methodology frameworks; completed ACME staged pentest exercise.

PENTESTING FUNDAMENTALS established the legal and process baseline before any technical work. Authorized security audit activity is White Hat; stealing data without permission is Black Hat. The controlling document is the Rules of Engagement — permission, test scope, and allowed techniques. Methodology stages begin with Information Gathering (public/OSINT only — no scanning). Telecom-oriented testing references OSSTMM; web application focus uses OWASP. Scope models: Black Box (no internals), Grey Box (limited knowledge — common for pentests), White Box (full source/logic). Guided ACME infrastructure exercise walked the agreed stages end-to-end and closed with THM{PENTEST_COMPLETE}. Client takeaway: no tool run precedes signed ROE and a methodology matched to the asset class.

Business impact

Work outside ROE is unauthorized access — legal and insurance exposure. Wrong methodology (network playbook on a web app) wastes budget and misses the real attack surface. Document hat/ethics expectations so staff escalate moral conflicts (e.g. sensitive data in scope) to the white cell / engagement manager.

02

ROE vocabulary and ACME close

Captured ethics/ROE answers and the ACME engagement artifact.

BASELINE

pentest-baseline.txt

Authorized audit     → White Hat
Criminal data theft  → Black Hat
Governing document   → Rules of Engagement
Public intel stage   → Information Gathering
Telecom framework    → OSSTMM
Web app framework    → OWASP
No source access     → Black Box
Full source access   → White Box

ANALYST · PROGRAM

savvy@lab:~$ cat engagement/acme_complete.txt

THM{PENTEST_COMPLETE}

Remediation

Template ROE from a recognized source (e.g. SANS) before every engagement. Map deliverables to OWASP/OSSTMM/NIST as appropriate. Keep ACME-style dry runs in onboarding so new operators never touch production without process fluency.