Penetration testing must be conducted with proper authorisation and within legal boundaries. This involves obtaining written consent from the organisation being tested, defining the scope and limitations of the test, and ensuring compliance with relevant laws and regulations to avoid legal repercussions.