Rules of Engagement
SAB Security's rules of engagement in brief: written authorization required, safe external checks only, no destructive testing, no social engineering, no credential theft. Based in Germany.
Clear boundaries. Clear trust.
We don't just tell you what we do — we also tell you what we don't do. These boundaries create the trust our work is built on.
What we require
What we never do
Our full commitment
Every assessment requires explicit written authorization, issued before any review activity begins by a representative of the target organization who is entitled to grant it. Verbal approval is never sufficient.
We review only the URLs, domains, and systems explicitly listed in the written authorization. We never expand scope without additional written approval.
We do not perform any testing that could affect website availability, performance, or functionality. No stress testing, no load testing, no flooding.
We never target employees, contractors, or partners with phishing, pretexting, impersonation, or any form of social manipulation.
We do not attempt to guess, crack, or test passwords, API keys, or any other credentials. We do not attempt authentication bypass.
We never attempt to access, download, or exfiltrate any private data, customer information, databases, or internal documents.
We do not test payment systems for bypass vulnerabilities. Payment testing requires separate, specialized authorization.
By default, we perform only passive, external observation of the systems listed in the written authorization. Any active testing requires explicit additional written authorization and a defined scope.
Trust through transparency
We publish these rules publicly because trust cannot be built on ambiguity. If you are considering working with SAB Security, these rules tell you exactly what to expect — and what will never happen.
Questions about our rules? Contact us at info@sab-security.net. We are happy to discuss any aspect of our engagement rules before you commit to working with us.