Why do Rules of Engagement matter in a red team assessment?
What goes into creating rules of engagement and why they are important for the success of a red team assessment.
The Rules of Engagement (ROE) document describes and governs the "how" of a red team engagement. It details the methodology that will be used to conduct the engagement, the do's and don'ts, and the approvals required. It also describes the deconfliction process for dealing with unexpected outcomes or unrelated issues identified during the engagement, and it assigns responsibility to, and establishes accountability for, the red team and the respective stakeholders via a legal responsibility disclaimer.
The ROE must be adhered to during all phases of the engagement, and any deviation must be explicitly approved and documented. At a minimum, an ROE document should describe the following:
- Systems in scope
- Source addresses from which attacks will be launched (required for deconfliction purposes)
- Methodology and general techniques that will be used
- Tools that will be leveraged during the engagement
- Minimum qualifications for personnel conducting the engagement, such as required training and certifications
- Activities the red team is and is not allowed to conduct on compromised systems
- Requirements, restrictions and authority
- Ground rules
- Rules, guidance and restrictions related to social media campaigns
- Resolution of issues / Points of Contact (PoC)
- Authorization
- Safety guidelines (privacy, critical exploits, etc.)
- Escalation of force, i.e. activities which cannot be conducted without approval
- Incident handling procedures and deconfliction process
- Logging procedures
- Red team activity review guidelines
A template for creating an ROE document is available here. A real-world example of an ROE is available in the GitLab Handbook.
Red Team Notes
- The Rules of Engagement (ROE) outline the methodology, scope, and guidelines for a red team engagement, including allowed activities, responsibilities, and approval processes. They establish accountability, describe deconfliction procedures, and mandate adherence during all phases, with explicit documentation of any deviations.
- The ROE must be revised whenever there are changes to the target space, authorized actions, objectives, or scope.
The ROE must be revised whenever there are changes to the target space, authorized actions, objectives, or scope. For example, if the initial scope is restricted to computer network attacks and physical attacks are later introduced, the ROE must be updated to account for the new activities and their associated controls. The Red Team Lead evaluates and incorporates recommendations or adjustments to the ROE, and the outcome of each review must be communicated to the originator. The finalized ROE requires approval from a Trusted Agent within the senior management of the target environment.
To learn more about rules of engagement, I recommend that you check out the following resources: