What is ethical?

While not legally binding, ethical guidelines can be a bellwether for where laws and regulations are heading and, at the very least, a higher bar than most government entities. What they lack in legal language, they than make up for in plain terms that typically steer us away from any legally questionable areas that may arise. The EC-Council and GIAC/SANS both publish a Code of Ethics (https://www.eccouncil.org/code-of-ethics/ and https://www.giac.org/about/ethics), as do many other industry institutions and certifying authorities. Some commercial tool vendors or providers also have expectations for proper use and frown upon nefarious activities using their toolsets. By enrolling as a member or holding their certifications, you are expected to uphold their standards.  

In the natural evolution of a pen testing practice, it is likely that issues will be encountered as projects are discussed or completed, which maybe ambiguous within the established standard operating procedures, code of ethics, or law. In these cases, it is best to step back and assess the potential short- and long-term harm or benefits that may arise with each of the options available. Having agreed to a set of legal and ethical boundaries can be an asset here - sometimes the best approach is to avoid ethical or legal gray areas altogether and stick with processes and actions that are firmly justified.