ROE, ethics hats, methodologies, and ACME engagement close
Foundations program engagement: defined White/Black Hat boundaries and Rules of Engagement; mapped Information Gathering, OSSTMM, and OWASP methodologies; closed a guided ACME infrastructure exercise with THM{PENTEST_COMPLETE}.
- Case files
- ROE, ethics hats, methodologies, and ACME engagement close
Briefed authorized audit vs criminal intrusion; documented ROE sections; selected methodology frameworks; completed ACME staged pentest exercise.
Captured ethics/ROE answers and the ACME engagement artifact.
Engagement summary
Briefed authorized audit vs criminal intrusion; documented ROE sections; selected methodology frameworks; completed ACME staged pentest exercise.
PENTESTING FUNDAMENTALS established the legal and process baseline before any technical work. Authorized security audit activity is White Hat; stealing data without permission is Black Hat. The controlling document is the Rules of Engagement — permission, test scope, and allowed techniques. Methodology stages begin with Information Gathering (public/OSINT only — no scanning). Telecom-oriented testing references OSSTMM; web application focus uses OWASP. Scope models: Black Box (no internals), Grey Box (limited knowledge — common for pentests), White Box (full source/logic). Guided ACME infrastructure exercise walked the agreed stages end-to-end and closed with THM{PENTEST_COMPLETE}. Client takeaway: no tool run precedes signed ROE and a methodology matched to the asset class.
Business impact
Work outside ROE is unauthorized access — legal and insurance exposure. Wrong methodology (network playbook on a web app) wastes budget and misses the real attack surface. Document hat/ethics expectations so staff escalate moral conflicts (e.g. sensitive data in scope) to the white cell / engagement manager.
ROE vocabulary and ACME close
Captured ethics/ROE answers and the ACME engagement artifact.
BASELINE
pentest-baseline.txt
Authorized audit → White Hat
Criminal data theft → Black Hat
Governing document → Rules of Engagement
Public intel stage → Information Gathering
Telecom framework → OSSTMM
Web app framework → OWASP
No source access → Black Box
Full source access → White BoxANALYST · PROGRAM
savvy@lab:~$ cat engagement/acme_complete.txt
THM{PENTEST_COMPLETE}
Remediation
Template ROE from a recognized source (e.g. SANS) before every engagement. Map deliverables to OWASP/OSSTMM/NIST as appropriate. Keep ACME-style dry runs in onboarding so new operators never touch production without process fluency.