How to | Beginner | Reviewed May 18, 2026
Rules of engagement
Tell the agent what to test, what to avoid, and how much impact is acceptable.
Recommended fields
- Mission objective.
- Testing posture.
- Impact tolerance.
- Rate limit.
- Blast-radius or testing window.
- Excluded services, paths, subdomains, or third parties.
- Forbidden techniques.
- Prior knowledge and operator notes.
Example rules
- Use synthetic test accounts only.
- No destructive testing in production.
- Avoid payment capture endpoints.
- Stop at proof of concept once data exposure is confirmed.
- Run active probes outside business hours.
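
One way to enforce rules like these before the agent sends a request, as an added example that is not the product's own code: a pre-flight check covering scope, excluded paths, forbidden techniques, the testing window and the rate limit. The `Rules` schema, technique labels, hosts and the Monday-to-Friday reading of business hours are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from urllib.parse import unquote, urlsplit

@dataclass(frozen=True)
class Rules:  # hypothetical schema mirroring the recommended fields
    in_scope_hosts: frozenset
    excluded_paths: tuple          # path prefixes the agent must not touch
    forbidden_techniques: frozenset
    business_hours: tuple          # (start, end); active probes blocked Mon-Fri inside
    max_requests_per_minute: int

def normalized_path(url):
    """Decode and collapse the path so '..' or %2e cannot hide an excluded prefix."""
    raw = unquote(urlsplit(url).path or "/")
    return "/" + posixpath.normpath(raw).lstrip("/").lower()

def check_action(rules, url, technique, active, when, recent):
    """Return (allowed, reason). `recent` holds datetimes of requests already sent."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in rules.in_scope_hosts:       # fail closed on unknown hosts
        return False, "host not in scope"
    path = normalized_path(url)
    for prefix in rules.excluded_paths:        # match on whole path segments
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return False, "excluded path " + prefix
    if technique in rules.forbidden_techniques:
        return False, "forbidden technique " + technique
    start, end = rules.business_hours
    if active and when.weekday() < 5 and start <= when.time() < end:
        return False, "active probe inside business hours"
    window = when - timedelta(minutes=1)
    if sum(1 for t in recent if window < t <= when) >= rules.max_requests_per_minute:
        return False, "rate limit reached"
    return True, "ok"

# Constructed sample values for illustration only.
RULES = Rules(
    in_scope_hosts=frozenset({"staging.example.test"}),
    excluded_paths=("/payments/capture",),
    forbidden_techniques=frozenset({"destructive-write"}),
    business_hours=(time(9, 0), time(18, 0)),
    max_requests_per_minute=30,
)
```

Logging every denial with its reason gives the operator an audit trail showing that the agent stayed inside the agreed rules.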
