Pentest Checklist

Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

• Clear business objectives for testing
• Target environment information
• Budget and timeline constraints
• Stakeholder contacts and authorization
• Legal agreements and scope documents

Outputs/Deliverables

• Defined pentest scope and objectives
• Prepared testing environment
• Security monitoring data
• Vulnerability findings report
• Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

#### Define Objectives

• [ ] **Clarify testing purpose** - Determine goals (find vulnerabilities, compliance, customer assurance)
• [ ] **Validate pentest necessity** - Ensure penetration test is the right solution
• [ ] **Align outcomes with objectives** - Define success criteria

**Reference Questions:**

• Why are you doing this pentest?
• What specific outcomes do you expect?
• What will you do with the findings?

#### Know Your Test Types

| Type | Purpose | Scope | |------|---------|-------| | External Pentest | Assess external attack surface | Public-facing systems | | Internal Pentest | Assess insider threat risk | Internal network | | Web Application | Find application vulnerabilities | Specific applications | | Social Engineering | Test human security | Employees, processes | | Red Team | Full adversary simulation | Entire organization |

#### Enumerate Likely Threats

• [ ] **Identify high-risk areas** - Where could damage occur?
• [ ] **Assess data sensitivity** - What data could be compromised?
• [ ] **Review legacy systems** - Old systems often have vulnerabilities
• [ ] **Map critical assets** - Prioritize testing targets

#### Define Scope

• [ ] **List in-scope systems** - IPs, domains, applications
• [ ] **Define out-of-scope items** - Systems to avoid
• [ ] **Set testing boundaries** - What techniques are allowed?
• [ ] **Document exclusions** - Third-party systems, production data

#### Budget Planning

| Factor | Consideration | |--------|---------------| | Asset Value | Higher value = higher investment | | Complexity | More systems = more time | | Depth Required | Thorough testing costs more | | Reputation Value | Brand-name firms cost more |

**Budget Reality Check:**

• Cheap pentests often produce poor results
• Align budget with asset criticality
• Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

#### Prepare Test Environment

• [ ] **Production vs. staging decision** - Determine where to test
• [ ] **Set testing limits** - No DoS on production
• [ ] **Schedule testing window** - Minimize business impact
• [ ] **Create test accounts** - Provide appropriate access levels

**Environment Options:**

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

#### Run Preliminary Scans

• [ ] **Execute vulnerability scanners** - Find known issues first
• [ ] **Fix obvious vulnerabilities** - Don't waste pentest time
• [ ] **Document existing issues** - Share with testers

**Common Pre-Scan Tools:**

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

#### Review Security Policy

• [ ] **Verify compliance requirements** - GDPR, PCI-DSS, HIPAA
• [ ] **Document data handling rules** - Sensitive data procedures
• [ ] **Confirm legal authorization** - Get written permission

#### Notify Hosting P

<!-- truncated -->