Penetration testing

Rules of engagement in pentesting

Susan Morrow, November 20, 2019

When you create a software product, build a service or stand up a platform, it’s a good idea to make sure it is secure. The data we generate feeds the cybercriminal appetite to the point that cyberattacks have become normalized. To check that we have built robustly secure systems, we can turn to the discipline of pentesting.


What is pentesting?

Penetration testing, or pentesting for short, is a discipline that has been around in one form or another for decades. It is a method used to look for security vulnerabilities in an IT system, such as a web application or online service. Usually, a pentest is carried out by security specialists who probe the system in question, acting as a cybercriminal would, to find flaws and ‘ways in’.

OWASP has created a set of industry-standard testing guides for the discipline. It also produces its ‘Top Ten’ series of vulnerabilities to help focus tests on the core known vulnerabilities. In addition, the Penetration Testing Execution Standard (PTES) published the ‘Pentest Standard’, which goes through the seven main areas of the pentesting process, including intelligence gathering, vulnerability analysis and reporting.

All in all, pentesting is a skilled job that requires high levels of attention to detail and a deep knowledge of IT system security. It is also, by its very nature, a job that requires an individual to have intimate knowledge of sensitive data and entry to normally restricted areas of a company. Pentesting therefore requires an organization to place a deep level of trust in the company and the individuals carrying out the pentests.

This leads to the main discussion: why do we need rules of engagement and codes of conduct in pentesting?

A tale of two pentesters

The ethical issues of pentesting can be complicated and the waters muddy. A recent case between the pentest company Coalfire and the Iowa Judicial Council begs the question, “when does a pentest go too far?”

The case highlights the fine line that can be crossed between a pentest event and a genuine breach of security. In the case, two pentesters have been accused of ‘burglary’ for breaking and entering the premises of the client. The pair were arrested in the courthouse around midnight after setting off the alarm. Their defense is that they were engaged to check the physical security of buildings as part of the overall pentest contract. The case has caused much discussion amongst the security community. Were the men genuinely carrying out the job as contracted, or was this a ruse to actually burgle the Iowa Judicial Council? The case appears to come down to the finer details of what the company was contracted to do. The contract appears to specifically state that they would NOT test alarms or force doors, both of which happened in this case.

Whatever the outcome, somewhere during contract creation or thereafter, the pentesters failed to communicate their intentions. The code of conduct of these pentesters is now on trial.

The example above is an important one as it opens up the discussion about ethics and rules of engagement in pentesting.

Code of conduct for pentesting

Pentesters’ raison d’être is to break into systems. They want to find flaws; they probe the inner workings of your IT systems and services to find the ways in that cybercriminals would otherwise locate. Therefore, there needs to be a strong code of conduct for anyone in the industry. If not, you may end up with good pentesters gone bad.

There are industry bodies to help with this. The Council of Registered Ethical Security Testers (CREST) has developed a code of conduct (CREST, 2014) that pentesters adhere to. If you are an individual pentester or a company that offers pentesting services, you can become CREST Accredited.

There have also been models that attempt to provide guidance on penetration testing ethics. One such model was developed in 2006 by Pierce. The team’s work presents a taxonomy of penetration ethics that can be used, for example, as a basis for a work agreement. There have been some criticisms of this model, however, and it is not a certification standard like that offered by CREST. It can nevertheless be used as a basis for developing the ethical standards you would expect when engaging a pentest team.

On an individual basis, there are a number of certification bodies that provide training and certification for pentesters. Many pentest-specific certifications detail a pentester code of conduct as part of the training. Others, such as the UK’s The Cyber Scheme (“TCS”), place a high emphasis on maintaining a code of conduct as a pentester.

Conclusion: Trust in pentesting

Can we truly ever trust pentesters? Although there is always an element of risk when allowing anyone into your confidence, it is fair to say that if a pentesting company has a reputation to uphold, it will be less likely to lose it by acting unethically. However, it makes sense that you should always vet your choice of pentester. Take references from previous clients, check accreditation and certification, ask probing questions, and use your gut reaction too. After all, you will effectively be allowing them to hack into your system and see sensitive company data, and if they do turn out to be the bad guy, they could sell this information to your competitors.

Whatever measures you use to check your pentesters’ ethical status, rogue actors are always a risk. However, pentesting is an extremely useful way to batten down the hatches in a cybersecurity landscape where data breaches and cyberattacks are increasingly common. Ultimately, you must decide whether the benefits of having your IT systems pentested in this aggressive cybersecurity environment balance against the risk of a pentester gone bad. The use of codes of conduct within your agreement, along with recognized certification and accreditation, can certainly help to mitigate that risk.



Sources

  1. Infosec Institute, The Types of Penetration Testing
  2. OWASP
  3. Penetration Testing Execution Standard
  4. Secure World Expo
  5. CREST Accredited companies
  6. Infosec Institute, Top 10 Penetration Testing Certifications for Security Professionals

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named one of the 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.