Hour 2 of 8

Ethical Hacking Foundations

Hats · Authorization · Scope · Rules of Engagement

~55 min3 interactive labs

CEH Objectives ▸ Differentiate white/black/grey/red/blue/purple/green hats · Define authorization, scope, RoE, and legal exposure · Recognise unethical/illegal behaviour even when 'helpful'

OP. PAPER-SHIELD

Mission Brief

Glasshouse signed your test — but the engagement letter is two paragraphs of vague language. Before you touch a single packet, you must turn that into a defensible Rules-of-Engagement document. The wrong word here is a criminal record.

▸Classify 6 actions as ethical / unethical / illegal

▸Validate that an RoE covers scope, timing, contacts, get-out-of-jail

▸Decide go/no-go on three real-world authorization scenarios

Story · The friend who 'just took a look'

Three years ago a freelance pentester named Marcus got a casual ask from a friend who ran a SaaS startup: 'see if you can break in, I'll buy you dinner'. No paperwork. He found an IDOR, dumped 4,000 user records to show severity, and emailed a PDF report.

Two weeks later his front door was knocked on at 06:00. The startup's lawyers had escalated to the police because the dump showed exfiltration of PII without written authorization. The 'verbal' agreement vanished in negotiation.

The CFAA in the US, the Computer Misuse Act in the UK, India's IT Act §43/§66 — none of them care how nice your intent was. Authorization in writing, with scope, time-box, signatories and contacts, is the only thing standing between you and the same knock.

Trainer · Core Concepts

The hat colours

WHITE = authorised, ethical, helps defenders. BLACK = unauthorised, criminal intent. GREY = blends — may break the law without malicious intent (vigilante disclosure). BLUE = defender / SOC. RED = offensive emulation team. PURPLE = red + blue collaborating live. GREEN = curious newcomer learning. Hats describe authorisation + intent, not skill.

Authorization — the only line that matters

Authorization must be: WRITTEN, SIGNED by someone with authority over the asset, SCOPED to specific systems/IPs/URLs, TIME-BOXED with start and end, with named POINTS OF CONTACT both sides, and ideally include a 'get-out-of-jail' letter you can present to law enforcement. No paperwork = no engagement. Period.

Scope — explicit IN, explicit OUT

Scope lists exact targets (IPs, domains, applications, accounts) and exclusions (production payment processors, third-party SaaS, customer data exfiltration limits). Anything not listed is assumed OUT. 'Test the whole environment' is not scope — it's an invitation to disaster.

Rules of Engagement (RoE)

Beyond scope, RoE answers: WHAT actions are permitted (passive recon, active scan, exploitation, social engineering, DoS)? WHEN can you act (windows, blackout periods)? HOW do you handle sensitive data you discover? WHO do you contact on a critical finding mid-test? WHAT triggers an emergency stop? Sign two copies.

Bug bounty ≠ pentest authorization

A bounty programme's 'safe harbour' clause IS a form of authorization but only for the scope and methods listed. Testing an out-of-scope subdomain because 'it's the same company' is still unauthorized access. Read the policy before every test.

Knowledge Map · drag to explore

core

Written Authorization

Signed contract listing scope, time, contacts

core

Scope

Explicit targets in/out

core

Rules of Engagement

Permitted methods, timing, escalation

ethical

White Hat

Authorised, ethical

ambiguous

Grey Hat

Acts without authorization but without malicious intent

illegal

Black Hat

Unauthorised, criminal intent

ethical

Red Team

Authorised adversary emulation

ethical

Purple Team

Red + Blue collaboration

risk

Legal Exposure

CFAA / CMA / IT Act §43/§66

Micro Labs

CLASSIFY

Lab 4 · Ethical vs Illegal Classifier

Tag each action assuming no prior written authorization unless stated.

Items · drag to a bucket

Run nmap against a client's IP listed in a signed SoW during the agreed window

Run nmap against a random company because 'they look insecure'

Reveal a client's critical finding to a competitor's CISO 'as a heads-up'

Submit a vulnerability via an out-of-scope subdomain on a bug-bounty programme

Send a phishing email to your client's employees with HR-approved SE clause in RoE

Brute-force the login of an ex-employer 'to prove a point'

0/6 placed

CLASSIFY

Lab 5 · Rules of Engagement Validation

Review this draft RoE. Mark each clause as PRESENT, MISSING, or DANGEROUSLY VAGUE.

Items · drag to a bucket

'Test the entire production environment'

Scope IPs listed: 203.0.113.10–203.0.113.40, app.glasshouse.test

Test window: 2026-06-15 00:00 IST → 2026-06-29 23:59 IST

Emergency stop contact: (no entry)

'Social engineering allowed if reasonable'

DoS testing permitted against load-balanced staging only, NOT prod

Handling of discovered PII: (no entry)

0/7 placed

DECISION

Lab 6 · Authorization Decision Simulator

Three scenarios land in your inbox. Decide GO / NO-GO / HOLD and pick the right reason.

SCENARIO 1

Client CTO replies 'yes go ahead, start tonight' via Slack. Master Services Agreement is signed but no Statement of Work for THIS engagement yet.

SCENARIO 2

Bug-bounty researcher asks you to 'collaborate' on a Fortune 500 target. Their account has safe-harbour for in-scope assets only. They want to test an out-of-scope CRM 'because they bought the company last week'.

SCENARIO 3

Internal red-team engagement. CISO signed SoW. Mid-test you discover a critical RCE in a SaaS the client uses (Slack, Zoom-like). Do you exploit it?

0/3 decided

Knowledge Check

1. Which alone makes a security test legal?

2. Acting without authorization but without malicious intent describes a…

3. Purple teaming is best described as…

4. The single most important element of a Rules of Engagement document is…

0/4 answered

Challenge · Spot the Booby-Trapped Engagement

You're handed: an email from a Director ('go ahead, I cleared it'), a 5-line scope ('everything internet-facing'), and a 'do whatever it takes' instruction. List THREE things you must demand before sending one packet.

CEH v13 Exam Focus

★★★★☆

Frequently tested

·Hat colour definitions (white/black/grey/red/blue/purple/green)
·Required elements of authorization & RoE
·Bug-bounty safe-harbour scope limits
·Pentest types: black-box / grey-box / white-box, external/internal/red-team/purple-team

Memory tricks

·SWAT — Scope, Window, Authorization-signed, Termination contact: must be in every RoE.
·Hat = Authorization + Intent. Skill doesn't change the colour.

Common traps

⚠Verbal/Slack approval being treated as authorization in answer options.
⚠Confusing grey hat (no auth, no malice) with white hat (auth + ethics).
⚠Assuming 'bug bounty programme' = blanket permission for everything the company owns.

Rapid revision

▸Black-box = zero prior knowledge
▸Grey-box = limited info / standard user creds
▸White-box = full source + architecture
▸Red team = goal-oriented adversary emulation
▸Purple team = red + blue working together live

Interview Prep

Hour 1: Why Cybersecurity Exists Hour 3: Threat Actors & Attack Vectors