Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

Clear business objectives for testing

Target environment information

Budget and timeline constraints

Stakeholder contacts and authorization

Legal agreements and scope documents

Outputs/Deliverables

Defined pentest scope and objectives

Prepared testing environment

Security monitoring data

Vulnerability findings report

Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

Define Objectives

[ ] Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)

[ ] Validate pentest necessity - Ensure penetration test is the right solution

[ ] Align outcomes with objectives - Define success criteria

Reference Questions:

Why are you doing this pentest?

What specific outcomes do you expect?

What will you do with the findings?

Know Your Test Types

Type	Purpose	Scope
External Pentest	Assess external attack surface	Public-facing systems
Internal Pentest	Assess insider threat risk	Internal network
Web Application	Find application vulnerabilities	Specific applications
Social Engineering	Test human security	Employees, processes
Red Team	Full adversary simulation	Entire organization

Enumerate Likely Threats

[ ] Identify high-risk areas - Where could damage occur?

[ ] Assess data sensitivity - What data could be compromised?

[ ] Review legacy systems - Old systems often have vulnerabilities

[ ] Map critical assets - Prioritize testing targets

Define Scope

[ ] List in-scope systems - IPs, domains, applications

[ ] Define out-of-scope items - Systems to avoid

[ ] Set testing boundaries - What techniques are allowed?

[ ] Document exclusions - Third-party systems, production data

Budget Planning

Factor	Consideration
Asset Value	Higher value = higher investment
Complexity	More systems = more time
Depth Required	Thorough testing costs more
Reputation Value	Brand-name firms cost more

Budget Reality Check:

Cheap pentests often produce poor results

Align budget with asset criticality

Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

Prepare Test Environment

[ ] Production vs. staging decision - Determine where to test

[ ] Set testing limits - No DoS on production

[ ] Schedule testing window - Minimize business impact

[ ] Create test accounts - Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

Run Preliminary Scans

[ ] Execute vulnerability scanners - Find known issues first

[ ] Fix obvious vulnerabilities - Don't waste pentest time

[ ] Document existing issues - Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET
Web vulnerability scan

nikto -h http://TARGET

Review Security Policy

[ ] Verify compliance requirements - GDPR, PCI-DSS, HIPAA

[ ] Document data handling rules - Sensitive data procedures

[ ] Confirm legal authorization - Get written permission

Notify Hosting Provider

[ ] Check provider policies - What testing is allowed?

[ ] Submit authorization requests - AWS, Azure, GCP requirements

[ ] Document approvals - Keep records

Cloud Provider Policies:

AWS: https://aws.amazon.com/security/penetration-testing/

Azure: https://docs.microsoft.com/security/pentest

GCP: https://cloud.google.com/security/overview

Freeze Developments

[ ] Stop deployments during testing - Maintain consistent environment

[ ] Document current versions - Record system states

[ ] Avoid critical patches - Unless security emergency

Phase 3: Expertise Selection

Find Qualified Pentesters

[ ] Seek recommendations - Ask trusted sources

[ ] Verify credentials - OSCP, GPEN, CEH, CREST

[ ] Check references - Talk to previous clients

[ ] Match expertise to scope - Web, network, mobile specialists

Evaluation Criteria:

Factor	Questions to Ask
Experience	Years in field, similar projects
Methodology	OWASP, PTES, custom approach
Reporting	Sample reports, detail level
Communication	Availability, update frequency

Define Methodology

[ ] Select testing standard - PTES, OWASP, NIST

[ ] Determine access level - Black box, gray box, white box

[ ] Agree on techniques - Manual vs. automated testing

[ ] Set communication schedule - Updates and escalation

Testing Approaches:

Type	Access Level	Simulates
Black Box	No information	External attacker
Gray Box	Partial access	Insider with limited access
White Box	Full access	Insider/detailed audit

Define Report Format

[ ] Review sample reports - Ensure quality meets needs

[ ] Specify required sections - Executive summary, technical details

[ ] Request machine-readable output - CSV, XML for tracking

[ ] Agree on risk ratings - CVSS, custom scale

Report Should Include:

Executive summary for management

Technical findings with evidence

Risk ratings and prioritization

Remediation recommendations

Retesting guidance

Phase 4: Monitoring

Implement Security Monitoring

[ ] Deploy IDS/IPS - Intrusion detection systems

[ ] Enable logging - Comprehensive audit trails

[ ] Configure SIEM - Centralized log analysis

[ ] Set up alerting - Real-time notifications

Monitoring Tools:

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log
Monitor network

tcpdump -i eth0 -w capture.pcap

Configure Logging

[ ] Centralize logs - Aggregate from all systems

[ ] Set retention periods - Keep logs for analysis

[ ] Enable detailed logging - Application and system level

[ ] Test log collection - Verify all sources working

Key Logs to Monitor:

Authentication events

Application errors

Network connections

File access

System changes

Monitor Exception Tools

[ ] Track error rates - Unusual spikes indicate testing

[ ] Brief operations team - Distinguish testing from attacks

[ ] Document baseline - Normal vs. pentest activity

Watch Security Tools

[ ] Review IDS alerts - Separate pentest from real attacks

[ ] Monitor WAF logs - Track blocked attempts

[ ] Check endpoint protection - Antivirus detections

Phase 5: Remediation

Ensure Backups

[ ] Verify backup integrity - Test restoration

[ ] Document recovery procedures - Know how to restore

[ ] Separate backup access - Protect from testing

Reserve Remediation Time

[ ] Allocate team availability - Post-pentest analysis

[ ] Schedule fix implementation - Address findings

[ ] Plan verification testing - Confirm fixes work

Patch During Testing Policy

[ ] Generally avoid patching - Maintain consistent environment

[ ] Exception for critical issues - Security emergencies only

[ ] Communicate changes - Inform pentesters of any changes

Cleanup Procedure

[ ] Remove test artifacts - Backdoors, scripts, files

[ ] Delete test accounts - Remove pentester access

[ ] Restore configurations - Return to original state

[ ] Verify cleanup complete - Audit all changes

Schedule Next Pentest

[ ] Determine frequency - Annual, quarterly, after changes

[ ] Consider continuous testing - Bug bounty, ongoing assessments

[ ] Budget for future tests - Plan ahead

Testing Frequency Factors:

Release frequency

Regulatory requirements

Risk tolerance

Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

Production testing carries inherent risks

Budget limitations affect thoroughness

Time constraints may limit coverage

Tester expertise varies significantly

Findings become stale quickly

Examples

Example 1: Quick Scope Definition

Target: Corporate web application (app.company.com)
Type: Gray box web application pentest
Duration: 5 business days
Excluded: DoS testing, production database access
Access: Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd
Start packet capture

tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting

Issue	Solution
Scope creep	Document and require change approval
Testing impacts production	Schedule off-hours, use staging
Findings disputed	Provide detailed evidence, retest
Remediation delayed	Prioritize by risk, set deadlines
Budget exceeded	Define clear scope, fixed-price contracts