# External Pentesting Runbook (Headless)
## Scope And Safety

- Only test targets you are explicitly authorized to test.
- Prefer read-only enumeration first; escalate to intrusive checks only when requested.
- Keep a command log: write every executed command and its key outputs to `/pentest/reports/command-log.md`.
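The two rules above can be enforced mechanically rather than by discipline. The following bash wrapper is an added example, not part of the original runbook: it refuses any target not listed in an assumed scope file (`/pentest/recon/scope.txt`, one authorized host or domain per line) and appends every command it does run, with exit status and the first lines of output, to `/pentest/reports/command-log.md`. `PENTEST_ROOT` and `SCOPE_FILE` are this example's own variables.

```shell
#!/usr/bin/env bash
# Added example, not part of the original runbook. Enforces two of its rules
# mechanically: only targets listed in an assumed scope file may be touched,
# and every command run is appended to the command log with its result.
set -eu

PENTEST_ROOT="${PENTEST_ROOT:-/pentest}"
SCOPE_FILE="${SCOPE_FILE:-$PENTEST_ROOT/recon/scope.txt}"  # assumed: one host or domain per line
LOG="$PENTEST_ROOT/reports/command-log.md"

# in_scope <host>: succeeds if host equals a scope entry or is a subdomain of one.
# Comparison is case-insensitive; '#' comments and blank lines are ignored.
in_scope() {
  local host entry
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "${entry%%#*}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    [ -n "$entry" ] || continue
    [ "$host" = "$entry" ] && return 0
    case "$host" in *."$entry") return 0 ;; esac
  done < "$SCOPE_FILE"
  return 1
}

# run_logged <target> <artifact> <command...>: refuse out-of-scope targets,
# write stdout to the artifact file (stderr to <artifact>.stderr), and append
# the command, its exit status and the first lines of output to the log.
run_logged() {
  local target="$1" artifact="$2" status=0
  shift 2
  if ! in_scope "$target"; then
    echo "refusing: $target is not listed in $SCOPE_FILE" >&2
    return 2
  fi
  mkdir -p "$(dirname "$artifact")" "$(dirname "$LOG")"
  "$@" >"$artifact" 2>"$artifact.stderr" || status=$?
  {
    printf '\n### %s target=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target"
    printf -- '- command: `%s`\n- exit status: %s\n- artifact: %s\n' "$*" "$status" "$artifact"
    printf -- '- first lines:\n'
    head -n 5 "$artifact" | sed 's/^/    /'
  } >>"$LOG"
  return "$status"
}

# log_entries: number of commands recorded so far (one "### " header per run).
log_entries() { if [ -f "$LOG" ]; then grep -c '^### ' "$LOG" || true; else echo 0; fi; }
```

A recon step then reads, for instance, `run_logged example.com /pentest/recon/subdomains.txt subfinder -silent -d example.com`, and the refusal path leaves no artifact and no log entry behind.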
## Output Convention

- Recon artifacts: `/pentest/recon/`
- Scan outputs: `/pentest/scans/`
- Exploits/PoCs: `/pentest/exploits/`
- Final report: `/pentest/reports/`
## Workflow

- Clarify scope: domains/IP ranges, exclusions, time budget, and allowed intensity.
- Recon:
  - Subdomains: `subfinder` (and/or `amass`) into `/pentest/recon/subdomains.txt`
  - Live hosts: `httpx` into `/pentest/recon/live-http.txt`
  - Ports: `naabu` or `nmap` into `/pentest/recon/ports.txt`
- Scanning:
  - Template scanning: `nuclei` against live targets into `/pentest/scans/nuclei-*.txt`
  - Web content discovery: `ffuf`/`feroxbuster`/`dirsearch` as needed
- Triage:
  - Collect evidence (request/response, versions, configs).
  - Prioritize by exploitability and blast radius.
- Report:
  - Summarize findings with repro steps and remediation.
## Notes

- Use `jq`/`yq` for parsing JSON/YAML outputs.
- If a Kubernetes context is involved, use the `kubernetes` MCP server and `kubectl` for read-only inventory unless explicitly asked to modify resources.