Ethical boundaries and rules of engagement

Red teaming operates in a grey area: simulating attacks without causing harm. Clear boundaries prevent problems.

Written authorisation: Always have explicit written permission from appropriate authority before any red team activity. “The CEO said it’s fine” isn’t enough.

Scope limitations: Document exactly what systems, networks, and facilities are in scope. Test nothing outside scope, ever.

Data handling: Define how sensitive data encountered during exercises is handled: encrypt it, minimise what is collected, and destroy it after the exercise.

Third-party systems: Unless explicitly authorised, never attack third-party systems, cloud providers, or external organisations.

Criminal activity: Never cross the line into actual crime. No real fraud, extortion, destruction, or harm to individuals.

Operational boundaries

Do-no-harm criteria: Define specific conditions that immediately stop the exercise: production outage, data destruction, safety risk, unintended access to regulated data.

Communication channels: Establish emergency contact methods for use if something goes wrong. The red team must be able to reach defenders or leadership immediately.

Disclosure timing: Decide when blue team learns about the exercise. Continuous purple teaming involves real-time collaboration. Traditional red teaming might wait until exercise completion.

Physical security: Define limits on physical access attempts. Can red teamers tailgate into buildings? Pick locks? Clone badges? Social engineer receptionists?

Social engineering: Set boundaries on human manipulation. Are employees fair game? What about targeting specific individuals? Pretexting that causes genuine distress?

Safety valves

Stop word or signal: Establish a mechanism to immediately halt operations if something goes wrong.

Regular check-ins: The red team periodically confirms with the exercise manager that operations remain within bounds.

Observer role: Sometimes a third party monitors operations to ensure compliance with rules of engagement.

Post-exercise disclosure: Reveal all activities to defenders even if some actions weren’t detected. Full transparency enables complete learning.