A penetration tester is developing a rules of engagement document for a client. Which TWO elements should the tester include to ensure proper scope boundaries?
Clear definition of the target systems is essential for scope.
Why this answer
The rules of engagement should clearly define what is in scope and how to handle findings. Target IP addresses and subnets (B) specify the scope of systems to test, and escalation procedures (D) outline how to communicate critical findings. While authorized tools (A) may be listed, they are not scope boundaries; privileged credentials (C) are sometimes provided but not a scope boundary; emergency contact info (E) is typically part of incident response, not ROE scope.