Ethical Hacking in Italy: Operational Methodology and Legal Framework for Penetration Testing

[2026-06-01] Author: Ing. Calogero Bono

You've been hired to test the security of an Italian company. Are you sure you know what you can legally do and what you cannot? A boundary mistake between authorized testing and system intrusion can cost you criminal charges. We, at Meteora Web, see it too often: technically skilled professionals neglecting the legal side, and companies asking for "ethical hacking" without understanding what they are authorizing. This is not academic theory: this is how to run a penetration test while complying with Italian law, from contract to final report.

Ethical Hacking Methodology: Operational Phases

A penetration test follows a structured process. Each phase has legal and technical implications. Here are the five main phases as we apply them in our clients’ projects.

1. Reconnaissance

Gather public information about the target: DNS, WHOIS, social networks, search engines, Shodan. No direct interaction with systems yet. Legally, this phase is generally lawful if you use only open sources. However, if you use social engineering (phone calls, simulated phishing), it must be explicitly authorized in the contract. We, at Meteora Web, always include in the contract a list of authorized techniques, including social engineering.

2. Scanning and Enumeration

Here you start interacting with systems: port scans, service fingerprinting, user and resource enumeration. Every packet sent is technically an unauthorized access if not covered by authorization. Italian law punishes unauthorized access to a computer system (Article 615-ter of the Criminal Code) even if attempted. So: no Nmap without a signed document specifying the IPs and allowed techniques.

3. Vulnerability Exploitation

The most critical phase. Attempting to gain access to a system using a vulnerability is exactly what the criminal code aims to prevent. If you have a written, detailed authorization (with precise limits: e.g., do not go beyond a specific service), you are covered. If you overstep, even slightly, you are in illegal territory. We recommend separating the exploitation phase into two sub-phases: a proof-of-concept (PoC) that demonstrates the vulnerability without causing damage, and only then authorized escalation.

4. Post-Exploitation and Persistence

Once inside, what do you do? Install backdoors to test persistence? Much depends on the test objectives. In Italy, installing software on someone else's system without explicit authorization is a crime (Article 615-quater c.p. - possession and spreading of access codes). The practical rule: any action beyond a simple vulnerability demonstration must be written in black and white.

5. Reporting and Remediation

The final phase: document everything. The report must include the vulnerabilities found, their impact, the proof of concept, and recommendations. Caution: the report itself may contain sensitive information. It must be protected (encryption, delivery to a designated person). We deliver the report as a digitally signed PDF and delete it from our systems after 30 days, unless otherwise agreed.

Italian Legal Framework for Ethical Hacking

Italy does not have a specific law regulating ethical hacking, but the regulatory framework consists of several criminal code articles, privacy laws, and sector guidelines.

Key Criminal Code Articles

  • Article 615-ter (Unauthorized access to a computer or telematic system): the main one. Punishes anyone who unlawfully gains access to a protected system; attempts are also covered. Penalties increase if damage occurs or if the offence is committed by a public official.
  • Article 615-quater (Unlawful possession and spreading of access codes): punishes possession or distribution of passwords, keys or other means to access systems. A penetration tester must never keep production credentials without explicit authorization.
  • Article 615-quinquies (Dissemination of programs designed to damage or interrupt a system): covers malware and viruses, but also exploit scripts. If you use Metasploit to create a reverse shell, you are distributing a potentially harmful program.
  • Article 635-bis (Damage to information, data and computer programs): covers alteration or deletion of data. In a penetration test you must never destroy data without authorization.

Cybersecurity Regulations and GDPR

Legislative Decree 105/2019 (transposition of the NIS Directive) imposes security obligations on operators of essential services and digital service providers. An ethical hacker testing a NIS subject must coordinate with the DPO and respect incident notification procedures. GDPR (Reg. EU 2016/679) requires tests to be proportionate and any personal data acquired to be processed according to minimization and protection principles. We, at Meteora Web, have managed the ERP system of a clothing store from the inside: we know what it means to handle sensitive data during a test. That's why every penetration test we run includes a specific clause on personal data processing.

Sector Guidelines

The National Cybersecurity Center (CNAIPIC) and AgID have published best practice documents for penetration tests in public administration. The NIST SP 800-115 is an international reference, but in Italy it must be integrated with local regulations. Associations like CLUSIT offer an ethical code for professionals.

How to Structure a Legal Penetration Test in Italy

Here are the operational steps we always follow, based on our experience.

1. Detailed Contract (Penetration Testing Agreement)

The agreement must include: the test object (IPs, URLs, applications), the testing period, working hours (outside business hours?), allowed techniques (none, passive only, automated only, with social engineering), limits (do not test critical production systems without a replica), responsibilities, and insurance coverage. We always require a professional liability policy specifically for penetration testing activities.

2. Scope Definition Document

A separate document from the contract, signed by both parties, with a specific list of addresses and services in scope and out-of-scope. Also include stop criteria: if you find personal data, if you cause downtime, if you detect illegal activity during the test.

3. Rules of Engagement (RoE)

Here you specify: communication methods (if you find a critical vulnerability, do you notify immediately?), credential handling (do not save them, only use them for PoC), timelines, and escalation procedures. We, at Meteora Web, use an RoE template based on the OWASP Testing Guide, customized for each client.

4. Execution and Monitoring

During the test, keep a log of all actions: every command, every payload. This log is your evidence of compliance with the contract. In case of dispute, it proves you did not exceed the limits.

5. Report and Data Destruction

Deliver the report and then delete all collected data (logs, screenshots, credentials) within the agreed timeframe. Have the client sign a delivery receipt.

Common Mistakes to Avoid

  • No signed contract before the test: even if the client is a friend, don't do it. A test without authorization is a crime.
  • Using automated tools without understanding their impact: a scanner like Nessus can crash a server. The contract must cover this risk.
  • Storing test results on a public cloud: it is a privacy violation if they contain personal data.
  • Not updating authorizations for repeated tests: an old contract does not hold for a new test if the scope has changed.

In Summary — What to Do Now

If you are about to run a penetration test in Italy, take these immediate actions:

  1. Download the Penetration Testing Agreement template from OWASP (https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies) and adapt it to Italian law with the help of a cybercrime lawyer.
  2. Create a detailed scope document with all authorized IP addresses and services. Have the client sign it before starting.
  3. Prepare an audit log: use a tool like Burp Suite with active logging or a simple bash script that records every command with a timestamp.
  4. Get a professional liability insurance policy specifically for penetration testing (many general policies do not cover authorized hacking).
  5. Read the related article on how technology is never neutral (link) – ethics is also part of the legal framework.
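Steps 2 and 4 of the procedure above (the signed scope document and the timestamped action log) and item 3 of this list can be enforced by one small script. The following is an added example written for this page, not code from the original article or from Meteora Web: a bash wrapper that refuses any command whose target is not listed in the scope file and appends a UTC-timestamped line to an append-only audit log for every attempt, allowed or refused. The file names scope.txt and audit.log are assumptions, and only dotted IPv4 hosts and CIDR ranges are handled.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: enforce the signed scope
# document and keep the audit log before any command reaches a target.

SCOPE_FILE="${SCOPE_FILE:-scope.txt}"   # assumed name: one host or CIDR per line
AUDIT_LOG="${AUDIT_LOG:-audit.log}"     # assumed name: evidence of every action

# Convert a dotted IPv4 address into an integer for CIDR comparison.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (a bare host means /32).
in_cidr() {
  local ip="$1" cidr="$2" base bits mask
  base="${cidr%/*}"
  bits="${cidr#*/}"
  [ "$bits" = "$cidr" ] && bits=32
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$base") & mask )) ]
}

# in_scope TARGET: authorized only if TARGET matches a line of the scope file.
in_scope() {
  local target="$1" line
  case "$target" in ''|*[!0-9.]*) return 1 ;; esac   # IPv4 only in this example
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac        # skip blanks and comments
    in_cidr "$target" "$line" && return 0
  done < "$SCOPE_FILE"
  return 1
}

# pt_run TARGET CMD...: log and refuse out-of-scope targets; log, then run, the rest.
pt_run() {
  local target="$1" ts; shift
  ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  if ! in_scope "$target"; then
    printf '%s REFUSED target=%s cmd=%s\n' "$ts" "$target" "$*" >> "$AUDIT_LOG"
    echo "refused: $target is not listed in $SCOPE_FILE" >&2
    return 2
  fi
  printf '%s RUN target=%s cmd=%s\n' "$ts" "$target" "$*" >> "$AUDIT_LOG"
  "$@"
}
```

Source the file and run every in-scope command through pt_run; the scope file is the signed scope document transcribed one host or CIDR per line, so a typo outside it is refused and recorded before any packet leaves.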

Ing. Calogero Bono

Co-founder of Meteora Web. Computer engineer; I build high-performance digital ecosystems. AI, automation, technical SEO and web infrastructure. I write about technology to make the complex… simple.
