Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

●Clear business objectives for testing

●Target environment information

●Budget and timeline constraints

●Stakeholder contacts and authorization

●Legal agreements and scope documents

Outputs/Deliverables

●Defined pentest scope and objectives

●Prepared testing environment

●Security monitoring data

●Vulnerability findings report

●Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

#### Define Objectives

●[ ] Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)

●[ ] Validate pentest necessity - Ensure penetration test is the right solution

●[ ] Align outcomes with objectives - Define success criteria

Reference Questions:

●Why are you doing this pentest?

●What specific outcomes do you expect?

●What will you do with the findings?

#### Know Your Test Types

| Type | Purpose | Scope |

|------|---------|-------|

| External Pentest | Assess external attack surface | Public-facing systems |

| Internal Pentest | Assess insider threat risk | Internal network |

| Web Application | Find application vulnerabilities | Specific applications |

| Social Engineering | Test human security | Employees, processes |

| Red Team | Full adversary simulation | Entire organization |

#### Enumerate Likely Threats

●[ ] Identify high-risk areas - Where could damage occur?

●[ ] Assess data sensitivity - What data could be compromised?

●[ ] Review legacy systems - Old systems often have vulnerabilities

●[ ] Map critical assets - Prioritize testing targets

#### Define Scope

●[ ] List in-scope systems - IPs, domains, applications

●[ ] Define out-of-scope items - Systems to avoid

●[ ] Set testing boundaries - What techniques are allowed?

●[ ] Document exclusions - Third-party systems, production data

#### Budget Planning

| Factor | Consideration |

|--------|---------------|

| Asset Value | Higher value = higher investment |

| Complexity | More systems = more time |

| Depth Required | Thorough testing costs more |

| Reputation Value | Brand-name firms cost more |

Budget Reality Check:

●Cheap pentests often produce poor results

●Align budget with asset criticality

●Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

#### Prepare Test Environment

●[ ] Production vs. staging decision - Determine where to test

●[ ] Set testing limits - No DoS on production

●[ ] Schedule testing window - Minimize business impact

●[ ] Create test accounts - Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

#### Run Preliminary Scans

●[ ] Execute vulnerability scanners - Find known issues first

●[ ] Fix obvious vulnerabilities - Don't waste pentest time

●[ ] Document existing issues - Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

#### Review Security Policy

●[ ] Verify compliance requirements - GDPR, PCI-DSS, HIPAA

●[ ] Document data handling rules - Sensitive data procedures

●[ ] Confirm legal authorization - Get written permission

#### Notify Hosting Provider

●[ ] Check provider policies - What testing is allowed?

●[ ] Submit authorization requests - AWS, Azure, GCP requirements

●[ ] Document approvals - Keep records

Cloud Provider Policies:

●AWS: https://aws.amazon.com/security/penetration-testing/

●Azure: https://docs.microsoft.com/security/pentest

●GCP: https://cloud.google.com/security/overview

#### Freeze Developments

●[ ] Stop deployments during testing - Maintain consistent environment

●[ ] Document current versions - Record system states

●[ ] Avoid critical patches - Unless security emergency

Phase 3: Expertise Selection

#### Find Qualified Pentesters

●[ ] Seek recommendations - Ask trusted sources

●[ ] Verify credentials - OSCP, GPEN, CEH, CREST

●[ ] Check references - Talk to previous clients

●[ ] Match expertise to scope - Web, network, mobile specialists

Evaluation Criteria:

| Factor | Questions to Ask |

|--------|------------------|

| Experience | Years in field, similar projects |

| Methodology | OWASP, PTES, custom approach |

| Reporting | Sample reports, detail level |

| Communication | Availability, update frequency |

#### Define Methodology

●[ ] Select testing standard - PTES, OWASP, NIST

●[ ] Determine access level - Black box, gray box, white box

●[ ] Agree on techniques - Manual vs. automated testing

●[ ] Set communication schedule - Updates and escalation

Testing Approaches:

| Type | Access Level | Simulates |

|------|-------------|-----------|

| Black Box | No information | External attacker |

| Gray Box | Partial access | Insider with limited access |

| White Box | Full access | Insider/detailed audit |

#### Define Report Format

●[ ] Review sample reports - Ensure quality meets needs

●[ ] Specify required sections - Executive summary, technical details

●[ ] Request machine-readable output - CSV, XML for tracking

●[ ] Agree on risk ratings - CVSS, custom scale

Report Should Include:

●Executive summary for management

●Technical findings with evidence

●Risk ratings and prioritization

●Remediation recommendations

●Retesting guidance

Phase 4: Monitoring

#### Implement Security Monitoring

●[ ] Deploy IDS/IPS - Intrusion detection systems

●[ ] Enable logging - Comprehensive audit trails

●[ ] Configure SIEM - Centralized log analysis

●[ ] Set up alerting - Real-time notifications

Monitoring Tools:

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log

# Monitor network
tcpdump -i eth0 -w capture.pcap

#### Configure Logging

●[ ] Centralize logs - Aggregate from all systems

●[ ] Set retention periods - Keep logs for analysis

●[ ] Enable detailed logging - Application and system level

●[ ] Test log collection - Verify all sources working

Key Logs to Monitor:

●Authentication events

●Application errors

●Network connections

●File access

●System changes

#### Monitor Exception Tools

●[ ] Track error rates - Unusual spikes indicate testing

●[ ] Brief operations team - Distinguish testing from attacks

●[ ] Document baseline - Normal vs. pentest activity

#### Watch Security Tools

●[ ] Review IDS alerts - Separate pentest from real attacks

●[ ] Monitor WAF logs - Track blocked attempts

●[ ] Check endpoint protection - Antivirus detections

Phase 5: Remediation

#### Ensure Backups

●[ ] Verify backup integrity - Test restoration

●[ ] Document recovery procedures - Know how to restore

●[ ] Separate backup access - Protect from testing

#### Reserve Remediation Time

●[ ] Allocate team availability - Post-pentest analysis

●[ ] Schedule fix implementation - Address findings

●[ ] Plan verification testing - Confirm fixes work

#### Patch During Testing Policy

●[ ] Generally avoid patching - Maintain consistent environment

●[ ] Exception for critical issues - Security emergencies only

●[ ] Communicate changes - Inform pentesters of any changes

#### Cleanup Procedure

●[ ] Remove test artifacts - Backdoors, scripts, files

●[ ] Delete test accounts - Remove pentester access

●[ ] Restore configurations - Return to original state

●[ ] Verify cleanup complete - Audit all changes

#### Schedule Next Pentest

●[ ] Determine frequency - Annual, quarterly, after changes

●[ ] Consider continuous testing - Bug bounty, ongoing assessments

●[ ] Budget for future tests - Plan ahead

Testing Frequency Factors:

●Release frequency

●Regulatory requirements

●Risk tolerance

●Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

●Production testing carries inherent risks

●Budget limitations affect thoroughness

●Time constraints may limit coverage

●Tester expertise varies significantly

●Findings become stale quickly

Examples

Example 1: Quick Scope Definition

**Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd

# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting

| Issue | Solution |

|-------|----------|

| Scope creep | Document and require change approval |

| Testing impacts production | Schedule off-hours, use staging |

| Findings disputed | Provide detailed evidence, retest |

| Remediation delayed | Prioritize by risk, set deadlines |

| Budget exceeded | Define clear scope, fixed-price contracts |

Pentest Checklist

Documentation