PDF + DOCX · Free · Email-gated · 12 sections

Red Team Rules of Engagement.
Drop-in ROE for adversary simulation.

Twelve sections covering authorisation, objectives, allowed and prohibited TTPs, deconfliction, escalation triggers, evidence handling, and the get-out-of-jail letter. Aligned to TIBER-EU and CREST STAR conventions without being framework-locked.

What is inside

An ROE your counsel will sign on first read.

  • 12 sections, editable DOCX plus a reference PDF render
  • Pre-built authorisation block with named exec sponsor and tester lead lines
  • Allowed and prohibited TTP tables — explicit, not implied
  • Deconfliction protocol including the safe-word and 24/7 contact pattern
  • Escalation-trigger table aligned to the four most common engagement failure modes

Table of contents

All twelve sections at a glance.

  1. Authorisation & signatures

     Named exec sponsor, named tester lead, dated authorisation block, validity window, the explicit statement that this letter is the get-out-of-jail letter if a tester is challenged.

  2. Objectives & success criteria

     Three or four named objectives (e.g. obtain a domain admin token, exfiltrate a sample of crown-jewel data to an external bucket, prove EDR-bypass on the standard build). Each with a measurable success criterion.

  3. In-scope targets

     IP ranges, domains, cloud account IDs, AD forests, mobile apps, third-party integrations — each tagged with confidence level (high / medium / low) and tier (crown jewel / supporting / out).

  4. Out-of-scope & no-touch list

     Production DBs, regulated systems with separate sign-off chains, named partner integrations, individuals (no social engineering on named exec accounts unless explicitly opted in), DoS-sensitive endpoints.

  5. TTPs allowed

     Initial access vectors permitted (phishing, vishing, OSINT, exposed credentials, physical drops), post-exploitation (lateral movement, C2, persistence, privilege escalation), data-handling, screenshots, evidence collection.

  6. TTPs prohibited

     Destructive payloads, ransomware-style file changes, persistence that survives engagement, exfil of real PII / cardholder data / PHI (use marked canary data instead), tampering with backup or recovery systems.

  7. Test windows & rate limits

     Allowed engagement windows in UTC and local time, blackout windows (quarter-end close, planned change freezes, named promo events), per-host scan rate caps, concurrency caps on auth attempts.

  8. Deconfliction & trusted agents

     Named trusted agents on the blue side (typically two people), 24/7 deconfliction phone numbers, the deconfliction protocol (what to say, what to verify), the safe-word that confirms a tester action.

  9. Escalation triggers

     Mandatory pause if: a tester gains code execution on a system tagged crown-jewel, data egress exceeds the agreed sample size, an active incident response begins blue-side, or a real adversary signal is detected.

  10. Evidence handling

      Where evidence is staged, encryption-at-rest requirements, retention window, secure-destruction commitment, exclusion of real customer data from screenshots and logs.

  11. Reporting & purple-team replay

      Draft delivery window, executive summary, technical findings, MITRE ATT&CK mapping, optional purple-team replay session, retest expectations on remediated detective controls.

  12. Insurance, NDA, jurisdiction

      Tester-side professional indemnity and cyber liability floors, mutual NDA reference, governing law, data-residency commitments for evidence storage, sub-contractor disclosure.

Scoping a red team this quarter?

The ROE is the easy part. The hard part is naming success criteria that survive a board readout. A 30-minute scoping call is free and you leave with a draft objectives set.