Claude Skill

Pentest Checklist

This skill should be used when the user asks to "plan a penetration test", "create a security assessment checklist", "prepare for penetration testing", "define pentest scope", "follow security testing best practices", or needs a structured methodology for penetration testing engagements.

Editor's Note

This skill should be used when the user asks to "plan a penetration test", "create a security assessment checklist", "prepare for penetration testing", "define pentest scope", "follow security testing best practices", or needs a structured methodology for... Covers purpose, inputs/prerequisites, outputs/deliverables.

Page Outline

PurposeInputs/PrerequisitesOutputs/DeliverablesCore WorkflowQuick ReferenceConstraintsExamplesTroubleshooting

Source Content

Normalized top-level metadata comes from the directory layer. The body below is the upstream source content for this item.

Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

  • Clear business objectives for testing
  • Target environment information
  • Budget and timeline constraints
  • Stakeholder contacts and authorization
  • Legal agreements and scope documents

Outputs/Deliverables

  • Defined pentest scope and objectives
  • Prepared testing environment
  • Security monitoring data
  • Vulnerability findings report
  • Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

#### Define Objectives

  • [ ] **Clarify testing purpose** - Determine goals (find vulnerabilities, compliance, customer assurance)
  • [ ] **Validate pentest necessity** - Ensure penetration test is the right solution
  • [ ] **Align outcomes with objectives** - Define success criteria

**Reference Questions:**

  • Why are you doing this pentest?
  • What specific outcomes do you expect?
  • What will you do with the findings?

#### Know Your Test Types

| Type | Purpose | Scope | |------|---------|-------| | External Pentest | Assess external attack surface | Public-facing systems | | Internal Pentest | Assess insider threat risk | Internal network | | Web Application | Find application vulnerabilities | Specific applications | | Social Engineering | Test human security | Employees, processes | | Red Team | Full adversary simulation | Entire organization |

#### Enumerate Likely Threats

  • [ ] **Identify high-risk areas** - Where could damage occur?
  • [ ] **Assess data sensitivity** - What data could be compromised?
  • [ ] **Review legacy systems** - Old systems often have vulnerabilities
  • [ ] **Map critical assets** - Prioritize testing targets

#### Define Scope

  • [ ] **List in-scope systems** - IPs, domains, applications
  • [ ] **Define out-of-scope items** - Systems to avoid
  • [ ] **Set testing boundaries** - What techniques are allowed?
  • [ ] **Document exclusions** - Third-party systems, production data

#### Budget Planning

| Factor | Consideration | |--------|---------------| | Asset Value | Higher value = higher investment | | Complexity | More systems = more time | | Depth Required | Thorough testing costs more | | Reputation Value | Brand-name firms cost more |

**Budget Reality Check:**

  • Cheap pentests often produce poor results
  • Align budget with asset criticality
  • Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

#### Prepare Test Environment

  • [ ] **Production vs. staging decision** - Determine where to test
  • [ ] **Set testing limits** - No DoS on production
  • [ ] **Schedule testing window** - Minimize business impact
  • [ ] **Create test accounts** - Provide appropriate access levels

**Environment Options:**

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

#### Run Preliminary Scans

  • [ ] **Execute vulnerability scanners** - Find known issues first
  • [ ] **Fix obvious vulnerabilities** - Don't waste pentest time
  • [ ] **Document existing issues** - Share with testers

**Common Pre-Scan Tools:**

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

#### Review Security Policy

  • [ ] **Verify compliance requirements** - GDPR, PCI-DSS, HIPAA
  • [ ] **Document data handling rules** - Sensitive data procedures
  • [ ] **Confirm legal authorization** - Get written permission

#### Notify Hosting Provider

  • [ ] **Check provider policies** - What testing is allowed?
  • [ ] **Submit authorization requests** - AWS, Azure, GCP requirements
  • [ ] **Document approvals** - Keep records

**Cloud Provider Policies:**

  • AWS: https://aws.amazon.com/security/penetration-testing/
  • Azure: https://docs.microsoft.com/security/pentest
  • GCP: https://cloud.google.com/security/overview

#### Freeze Developments

  • [ ] **Stop deployments during testing** - Maintain consistent environment
  • [ ] **Document current versions** - Record system states
  • [ ] **Avoid critical patches** - Unless security emergency

Phase 3: Expertise Selection

#### Find Qualified Pentesters

  • [ ] **Seek recommendations** - Ask trusted sources
  • [ ] **Verify credentials** - OSCP, GPEN, CEH, CREST
  • [ ] **Check references** - Talk to previous clients
  • [ ] **Match expertise to scope** - Web, network, mobile specialists

**Evaluation Criteria:**

| Factor | Questions to Ask | |--------|------------------| | Experience | Years in field, similar projects | | Methodology | OWASP, PTES, custom approach | | Reporting | Sample reports, detail level | | Communication | Availability, update frequency |

#### Define Methodology

  • [ ] **Select testing standard** - PTES, OWASP, NIST
  • [ ] **Determine access level** - Black box, gray box, white box
  • [ ] **Agree on techniques** - Manual vs. automated testing
  • [ ] **Set communication schedule** - Updates and escalation

**Testing Approaches:**

| Type | Access Level | Simulates | |------|-------------|-----------| | Black Box | No information | External attacker | | Gray Box | Partial access | Insider with limited access | | White Box | Full access | Insider/detailed audit |

#### Define Report Format

  • [ ] **Review sample reports** - Ensure quality meets needs
  • [ ] **Specify required sections** - Executive summary, technical details
  • [ ] **Request machine-readable output** - CSV, XML for tracking
  • [ ] **Agree on risk ratings** - CVSS, custom scale

**Report Should Include:**

  • Executive summary for management
  • Technical findings with evidence
  • Risk ratings and prioritization
  • Remediation recommendations
  • Retesting guidance

Phase 4: Monitoring

#### Implement Security Monitoring

  • [ ] **Deploy IDS/IPS** - Intrusion detection systems
  • [ ] **Enable logging** - Comprehensive audit trails
  • [ ] **Configure SIEM** - Centralized log analysis
  • [ ] **Set up alerting** - Real-time notifications

**Monitoring Tools:**

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log

# Monitor network
tcpdump -i eth0 -w capture.pcap

#### Configure Logging

  • [ ] **Centralize logs** - Aggregate from all systems
  • [ ] **Set retention periods** - Keep logs for analysis
  • [ ] **Enable detailed logging** - Application and system level
  • [ ] **Test log collection** - Verify all sources working

**Key Logs to Monitor:**

  • Authentication events
  • Application errors
  • Network connections
  • File access
  • System changes

#### Monitor Exception Tools

  • [ ] **Track error rates** - Unusual spikes indicate testing
  • [ ] **Brief operations team** - Distinguish testing from attacks
  • [ ] **Document baseline** - Normal vs. pentest activity

#### Watch Security Tools

  • [ ] **Review IDS alerts** - Separate pentest from real attacks
  • [ ] **Monitor WAF logs** - Track blocked attempts
  • [ ] **Check endpoint protection** - Antivirus detections

Phase 5: Remediation

#### Ensure Backups

  • [ ] **Verify backup integrity** - Test restoration
  • [ ] **Document recovery procedures** - Know how to restore
  • [ ] **Separate backup access** - Protect from testing

#### Reserve Remediation Time

  • [ ] **Allocate team availability** - Post-pentest analysis
  • [ ] **Schedule fix implementation** - Address findings
  • [ ] **Plan verification testing** - Confirm fixes work

#### Patch During Testing Policy

  • [ ] **Generally avoid patching** - Maintain consistent environment
  • [ ] **Exception for critical issues** - Security emergencies only
  • [ ] **Communicate changes** - Inform pentesters of any changes

#### Cleanup Procedure

  • [ ] **Remove test artifacts** - Backdoors, scripts, files
  • [ ] **Delete test accounts** - Remove pentester access
  • [ ] **Restore configurations** - Return to original state
  • [ ] **Verify cleanup complete** - Audit all changes

#### Schedule Next Pentest

  • [ ] **Determine frequency** - Annual, quarterly, after changes
  • [ ] **Consider continuous testing** - Bug bounty, ongoing assessments
  • [ ] **Budget for future tests** - Plan ahead

**Testing Frequency Factors:**

  • Release frequency
  • Regulatory requirements
  • Risk tolerance
  • Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

  • Production testing carries inherent risks
  • Budget limitations affect thoroughness
  • Time constraints may limit coverage
  • Tester expertise varies significantly
  • Findings become stale quickly

Examples

Example 1: Quick Scope Definition

**Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd

# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting

| Issue | Solution | |-------|----------| | Scope creep | Document and require change approval | | Testing impacts production | Schedule off-hours, use staging | | Findings disputed | Provide detailed evidence, retest | | Remediation delayed | Prioritize by risk, set deadlines | | Budget exceeded | Define clear scope, fixed-price contracts |

Related Items

Deploy agents, MCP servers, and backends fast logo

Railway - Deploy agents and MCP servers fast

Try Railway