name: Pentest Checklist description: This skill should be used when the user asks to "plan a penetration test", "create a security assessment checklist", "prepare for penetration testing", "define pentest scope", "follow security testing best practices", or needs a structured methodology for penetration testing engagements.

Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

• Clear business objectives for testing
• Target environment information
• Budget and timeline constraints
• Stakeholder contacts and authorization
• Legal agreements and scope documents

Outputs/Deliverables

• Defined pentest scope and objectives
• Prepared testing environment
• Security monitoring data
• Vulnerability findings report
• Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

Define Objectives

• Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)
• Validate pentest necessity - Ensure penetration test is the right solution
• Align outcomes with objectives - Define success criteria

Reference Questions:

• Why are you doing this pentest?
• What specific outcomes do you expect?
• What will you do with the findings?

Know Your Test Types

Enumerate Likely Threats

• Identify high-risk areas - Where could damage occur?
• Assess data sensitivity - What data could be compromised?
• Review legacy systems - Old systems often have vulnerabilities
• Map critical assets - Prioritize testing targets

Define Scope

• List in-scope systems - IPs, domains, applications
• Define out-of-scope items - Systems to avoid
• Set testing boundaries - What techniques are allowed?
• Document exclusions - Third-party systems, production data

Budget Planning

Budget Reality Check:

• Cheap pentests often produce poor results
• Align budget with asset criticality
• Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

Prepare Test Environment

• Production vs. staging decision - Determine where to test
• Set testing limits - No DoS on production
• Schedule testing window - Minimize business impact
• Create test accounts - Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

Run Preliminary Scans

• Execute vulnerability scanners - Find known issues first
• Fix obvious vulnerabilities - Don't waste pentest time
• Document existing issues - Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

Review Security Policy

• Verify compliance requirements - GDPR, PCI-DSS, HIPAA
• Document data handling rules - Sensitive data procedures
• Confirm legal authorization - Get written permission

Notify Hosting Provider

• Check provider policies - What testing is allowed?
• Submit authorization requests - AWS, Azure, GCP requirements
• Document approvals - Keep records

Cloud Provider Policies:

• AWS: https://aws.amazon.com/security/penetration-testing/
• Azure: https://docs.microsoft.com/security/pentest
• GCP: https://cloud.google.com/security/overview

Freeze Developments

• Stop deployments during testing - Maintain consistent environment
• Document current versions - Record system states
• Avoid critical patches - Unless security emergency

Phase 3: Expertise Selection

Find Qualified Pentesters

• Seek recommendations - Ask trusted sources
• Verify credentials - OSCP, GPEN, CEH, CREST
• Check references - Talk to previous clients
• Match expertise to scope - Web, network, mobile specialists

Evaluation Criteria:

Define Methodology

• Select testing standard - PTES, OWASP, NIST
• Determine access level - Black box, gray box, white box
• Agree on techniques - Manual vs. automated testing
• Set communication schedule - Updates and escalation

Testing Approaches:

Define Report Format

• Review sample reports - Ensure quality meets needs
• Specify required sections - Executive summary, technical details
• Request machine-readable output - CSV, XML for tracking
• Agree on risk ratings - CVSS, custom scale

Report Should Include:

• Executive summary for management
• Technical findings with evidence
• Risk ratings and prioritization
• Remediation recommendations
• Retesting guidance

Phase 4: Monitoring

Implement Security Monitoring

• Deploy IDS/IPS - Intrusion detection systems
• Enable logging - Comprehensive audit trails
• Configure SIEM - Centralized log analysis
• Set up alerting - Real-time notifications

Monitoring Tools:

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log

# Monitor network
tcpdump -i eth0 -w capture.pcap

Configure Logging

• Centralize logs - Aggregate from all systems
• Set retention periods - Keep logs for analysis
• Enable detailed logging - Application and system level
• Test log collection - Verify all sources working

Key Logs to Monitor:

• Authentication events
• Application errors
• Network connections
• File access
• System changes

Monitor Exception Tools

• Track error rates - Unusual spikes indicate testing
• Brief operations team - Distinguish testing from attacks
• Document baseline - Normal vs. pentest activity

Watch Security Tools

• Review IDS alerts - Separate pentest from real attacks
• Monitor WAF logs - Track blocked attempts
• Check endpoint protection - Antivirus detections

Phase 5: Remediation

Ensure Backups

• Verify backup integrity - Test restoration
• Document recovery procedures - Know how to restore
• Separate backup access - Protect from testing

Reserve Remediation Time

• Allocate team availability - Post-pentest analysis
• Schedule fix implementation - Address findings
• Plan verification testing - Confirm fixes work

Patch During Testing Policy

• Generally avoid patching - Maintain consistent environment
• Exception for critical issues - Security emergencies only
• Communicate changes - Inform pentesters of any changes

Cleanup Procedure

• Remove test artifacts - Backdoors, scripts, files
• Delete test accounts - Remove pentester access
• Restore configurations - Return to original state
• Verify cleanup complete - Audit all changes

Schedule Next Pentest

• Determine frequency - Annual, quarterly, after changes
• Consider continuous testing - Bug bounty, ongoing assessments
• Budget for future tests - Plan ahead

Testing Frequency Factors:

• Release frequency
• Regulatory requirements
• Risk tolerance
• Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

• Production testing carries inherent risks
• Budget limitations affect thoroughness
• Time constraints may limit coverage
• Tester expertise varies significantly
• Findings become stale quickly

Examples

Example 1: Quick Scope Definition

**Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd

# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting