Rules of Engagement Vs. SOW

Hi all, long time lurker sitting for PT0-001 next week. I'm feeling pretty good about all of the topics except for SoW and RoE. (I know, dumb) Can someone please explain the difference between Rules of Engagement (RoE) and a Statement of Work (SoW)? Both documents seem like they include the same types of information. I've read Omar Santos' book, as well as the Raymond Nutting book, but cant seem to distinguish the difference. Any help would be great!

Find more posts tagged with

RoE

SoW

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

DZA_

My understanding that for Statement of Work (in the context of consulting or business) will define what deliverables will be created/handed over when engaged in a project or a business transaction. For example:

Statement of work:

- Delivery a pair of firewalls configured in high-availability

- Configure web application firewall functionality for cross side scripting / input validation

- Define and configure network to support firewall appliances

In the context of pen testing (and correct me if I'm wrong guys for those who are in the field) is the restrictions or how you perform when you're conducting the pen test, for example:

- Can only perform pen testing after business hours (8:00 PM)

- Limited to using only certain penetration tools

- Provided limited knowledge of the network or full knowledge of the network

Cheers,

JDMurray

If the SoW does not include a pentest then there will be no need for an RoE agreement.

yoba222

Based on my work experience, SOW is what you promise to do and ROE is what you promise not to do.

ovechtrick

Thank you all for your comments!

walterbyrd

Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?

JDMurray

That clearly ROE. The rules state, "test only the hosts accessible at these IP addresses." The SOW indicates the actual work (i.e., testing) that is to be performed on those IPs.

iBrokeIT

walterbyrd said:

Seems to be grey area. For example, a list of IP ranges test, with instructions to not touch anything else. SOW or ROE?

That is the ROE. Think of the ROE as the technical parameters that define scope of the test on your network.

The SOW is the business contract that defines the scope of the services that will be performed for $x. What type of testing? (Blackbox?,Crystal box?, exclude Social Engineering?) When does the testing start? Duration? (1 week, 2 weeks, ect..) What is the deliverable? When will you receive it? ect..