Penetration Testing
Skill Purpose: Plan and execute authorized penetration testing to identify exploitable security weaknesses.
Core Skill Pattern
Objective: Validate security posture through controlled, authorized testing.
Universal Pattern:
- •Confirm legal authorization and scope
- •Identify assets and attack surface
- •Perform recon and threat modeling
- •Execute tests aligned to OWASP
- •Document findings with severity and remediation
Key Decisions (Project-Specific):
- •Testing in staging vs production
- •Tooling and manual testing balance
- •Severity scoring model
- •Disclosure and remediation workflow
Project-Specific Implementation Notes
Customize per project:
- •Define explicit in-scope systems and accounts
- •Use test credentials only
- •Coordinate with incident response team
Example Test Areas
- •Authentication and session management
- •Authorization and RLS bypass attempts
- •Injection (SQL/NoSQL), XSS, CSRF
- •File upload validation
- •Secrets exposure and misconfigurations
Best Practices
- •Obtain written authorization before testing
- •Test in staging first whenever possible
- •Keep detailed evidence for each finding
- •Provide clear remediation steps
- •Retest to confirm fixes
Stop Conditions
STOP and escalate if:
- •Authorization is unclear or missing
- •Scope is not defined
- •Testing could impact production stability
Skill Version: 1.0.0