Cybersecurity & Risk

Penetration Test Scope And Rules Of Engagement

Drafts a rigorous pentest scope, rules of engagement, and safety guardrails before any testing begins.

Tags: Role-Based · Structured-Output · Zero-Shot

Prompt

ROLE: You are a lead penetration tester drafting the scope and Rules of Engagement (RoE) document for an authorized engagement.

CONTEXT:
- Client and systems in scope: [TARGETS_IP_RANGES_APPS_URLS]
- Engagement type: [BLACK_GREY_WHITE_BOX]
- Objectives: [WHAT_THE_CLIENT_WANTS_TO_LEARN]
- Constraints: [PROD_VS_STAGING_BLACKOUT_WINDOWS]
- Compliance driver: [PCI_HIPAA_SOC2_ETC]

TASK:
1. Define in-scope and explicitly out-of-scope assets, including how shared or third-party infrastructure is handled and which cloud-provider penetration-testing policies apply to the in-scope hosting.
2. Specify allowed and forbidden techniques (e.g., no denial of service, no social engineering of staff unless separately authorized, no destructive changes, and limits on data exfiltration such as proof-of-access only).
3. Define testing windows (with time zone), escalation contacts, and an emergency stop ('safe word') procedure that halts all testing immediately.
4. Establish evidence-handling, data-minimization, and secure-storage requirements for any sensitive data encountered (e.g., redact rather than copy personal data, encrypt evidence at rest, and define retention and destruction).
5. List authorization sign-off requirements and a legal/permission checklist (signed authorization from the asset owner, and third-party or hosting-provider consent where required).

OUTPUT FORMAT (formal document):
1. Scope (in / out)
2. Methodology & frameworks (e.g., PTES, OWASP Testing Guide, MITRE ATT&CK)
3. Rules of Engagement (allowed / forbidden)
4. Schedule & communication plan
5. Emergency procedures & stop conditions
6. Authorization & sign-off block

CONSTRAINTS: This is strictly for authorized, contracted testing — include explicit written-authorization prerequisites. Do not provide actual exploit code. Default to the most conservative, least-disruptive options when production systems are involved.
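The scope, testing windows and emergency stop that the prompt asks for are only useful if tooling actually enforces them before a scanner is pointed at anything. The following pre-flight scope guard is an added example and is not part of the prompt or of any tool the page describes; the RoE values (RFC 5737 TEST-NET ranges, a Mon-Fri overnight window in UTC, an explicitly excluded shared host and third-party subnet) are constructed for illustration. It is deny-by-default: an explicit out-of-scope entry always wins over an in-scope range, an emergency stop refuses everything, and hostnames are refused until they have been resolved and the resolved address checked.

```python
"""Pre-flight scope guard: refuse a target unless the signed RoE allows it right now.

Added example (not the page's own code). The RoE dictionary below is constructed:
TEST-NET addresses from RFC 5737 stand in for client assets.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Window:
    """A permitted testing window in UTC. start/end may cross midnight."""
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday; the day the window STARTS
    start: time
    end: time

    def contains(self, now: datetime) -> bool:
        now = now.astimezone(timezone.utc)
        t, day = now.time(), now.weekday()
        if self.start < self.end:                 # same-day window
            return day in self.weekdays and self.start <= t < self.end
        if t >= self.start:                       # evening half of an overnight window
            return day in self.weekdays
        if t < self.end:                          # early-morning half belongs to the previous day
            return (day - 1) % 7 in self.weekdays
        return False


@dataclass
class Scope:
    in_scope: list
    out_of_scope: list        # always wins over in_scope
    windows: List[Window]
    emergency_stop: bool = False   # set True the moment the 'safe word' is called

    @classmethod
    def from_roe(cls, roe: dict) -> "Scope":
        def nets(entries):
            # single hosts without a prefix become /32 or /128 networks
            return [ipaddress.ip_network(e, strict=False) for e in entries]
        windows = [Window(frozenset(w["weekdays"]),
                          time.fromisoformat(w["start"]),
                          time.fromisoformat(w["end"])) for w in roe["windows"]]
        return cls(nets(roe["in_scope"]), nets(roe["out_of_scope"]),
                   windows, roe.get("emergency_stop", False))


def utc(when: str) -> datetime:
    """Parse an ISO timestamp such as '2024-03-05T23:30' as UTC."""
    return datetime.fromisoformat(when).replace(tzinfo=timezone.utc)


def check_target(scope: Scope, target: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every branch except the last one refuses."""
    if scope.emergency_stop:
        return False, "emergency stop active: all testing halted"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # A hostname must be resolved and the *resolved* address re-checked: a CNAME
        # to a shared or third-party host is exactly what the RoE excludes.
        return False, f"{target!r} is not an IP address; resolve it and check the address"
    for net in scope.out_of_scope:
        if ip in net:
            return False, f"{ip} is explicitly out of scope ({net})"
    if not any(ip in net for net in scope.in_scope):
        return False, f"{ip} is not in any in-scope range"
    if not any(w.contains(now) for w in scope.windows):
        return False, f"{now.astimezone(timezone.utc):%a %H:%M} UTC is outside every testing window"
    return True, f"{ip} in scope, inside testing window"


def filter_targets(scope: Scope, targets: List[str], now: datetime):
    """Split a target list into what the scanner may receive and what was refused, with reasons."""
    allowed, refused = [], []
    for t in targets:
        ok, why = check_target(scope, t, now)
        if ok:
            allowed.append(t)
        else:
            refused.append((t, why))
    return allowed, refused


# Constructed RoE values (hypothetical client; TEST-NET ranges, not real assets).
ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.0/25"],
    "out_of_scope": ["203.0.113.250", "198.51.100.64/26"],   # shared DB host; third-party managed subnet
    "windows": [{"weekdays": [0, 1, 2, 3, 4], "start": "22:00", "end": "06:00"}],  # Mon-Fri nights, UTC
}
SCOPE = Scope.from_roe(ROE)
STOPPED = Scope.from_roe({**ROE, "emergency_stop": True})

if __name__ == "__main__":
    now = utc("2024-03-05T23:30")   # a Tuesday evening, inside the window
    allowed, refused = filter_targets(
        SCOPE, ["203.0.113.10", "203.0.113.250", "198.51.100.70", "192.0.2.5", "db.example"], now)
    print("scan:", allowed)
    for target, why in refused:
        print("skip:", target, "->", why)
```

Feed `allowed` to the scanner and log `refused` with its reasons into the engagement evidence; the refusal log is what shows, after the fact, that the out-of-scope list and the testing windows were honoured. Flipping `emergency_stop` is the programmatic form of the 'safe word': anything still queued is refused from that moment.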

Recommended models

claude, gpt-4o, gemini
