Pentest Checklist
Purpose
Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.
Inputs/Prerequisites
- •Clear business objectives for testing
- •Target environment information
- •Budget and timeline constraints
- •Stakeholder contacts and authorization
- •Legal agreements and scope documents
Outputs/Deliverables
- •Defined pentest scope and objectives
- •Prepared testing environment
- •Security monitoring data
- •Vulnerability findings report
- •Remediation plan and verification
Core Workflow
Phase 1: Scope Definition
Define Objectives
- • Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)
- • Validate pentest necessity - Ensure penetration test is the right solution
- • Align outcomes with objectives - Define success criteria
Reference Questions:
- •Why are you doing this pentest?
- •What specific outcomes do you expect?
- •What will you do with the findings?
Know Your Test Types
| Type | Purpose | Scope |
|---|---|---|
| External Pentest | Assess external attack surface | Public-facing systems |
| Internal Pentest | Assess insider threat risk | Internal network |
| Web Application | Find application vulnerabilities | Specific applications |
| Social Engineering | Test human security | Employees, processes |
| Red Team | Full adversary simulation | Entire organization |
Enumerate Likely Threats
- • Identify high-risk areas - Where could damage occur?
- • Assess data sensitivity - What data could be compromised?
- • Review legacy systems - Old systems often have vulnerabilities
- • Map critical assets - Prioritize testing targets
Define Scope
- • List in-scope systems - IPs, domains, applications
- • Define out-of-scope items - Systems to avoid
- • Set testing boundaries - What techniques are allowed?
- • Document exclusions - Third-party systems, production data
Budget Planning
| Factor | Consideration |
|---|---|
| Asset Value | Higher value = higher investment |
| Complexity | More systems = more time |
| Depth Required | Thorough testing costs more |
| Reputation Value | Brand-name firms cost more |
Budget Reality Check:
- •Cheap pentests often produce poor results
- •Align budget with asset criticality
- •Consider ongoing vs. one-time testing
Phase 2: Environment Preparation
Prepare Test Environment
- • Production vs. staging decision - Determine where to test
- • Set testing limits - No DoS on production
- • Schedule testing window - Minimize business impact
- • Create test accounts - Provide appropriate access levels
Environment Options:
code
Production - Realistic but risky Staging - Safer but may differ from production Clone - Ideal but resource-intensive
Run Preliminary Scans
- • Execute vulnerability scanners - Find known issues first
- • Fix obvious vulnerabilities - Don't waste pentest time
- • Document existing issues - Share with testers
Common Pre-Scan Tools:
bash
# Network vulnerability scan nmap -sV --script vuln TARGET # Web vulnerability scan nikto -h http://TARGET
Review Security Policy
- • Verify compliance requirements - GDPR, PCI-DSS, HIPAA
- • Document data handling rules - Sensitive data procedures
- • Confirm legal authorization - Get written permission
Notify Hosting Provider
- • Check provider policies - What testing is allowed?
- • Submit authorization requests - AWS, Azure, GCP requirements
- • Document approvals - Keep records
Cloud Provider Policies:
- •AWS: https://aws.amazon.com/security/penetration-testing/
- •Azure: https://docs.microsoft.com/security/pentest
- •GCP: https://cloud.google.com/security/overview
Freeze Developments
- • Stop deployments during testing - Maintain consistent environment
- • Document current versions - Record system states
- • Avoid critical patches - Unless security emergency
Phase 3: Expertise Selection
Find Qualified Pentesters
- • Seek recommendations - Ask trusted sources
- • Verify credentials - OSCP, GPEN, CEH, CREST
- • Check references - Talk to previous clients
- • Match expertise to scope - Web, network, mobile specialists
Evaluation Criteria:
| Factor | Questions to Ask |
|---|---|
| Experience | Years in field, similar projects |
| Methodology | OWASP, PTES, custom approach |
| Reporting | Sample reports, detail level |
| Communication | Availability, update frequency |
Define Methodology
- • Select testing standard - PTES, OWASP, NIST
- • Determine access level - Black box, gray box, white box
- • Agree on techniques - Manual vs. automated t