Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

• Clear business objectives for testing
• Target environment information
• Budget and timeline constraints
• Stakeholder contacts and authorization
• Legal agreements and scope documents

Outputs/Deliverables

• Defined pentest scope and objectives
• Prepared testing environment
• Security monitoring data
• Vulnerability findings report
• Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

Define Objectives

• [ ] Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)
• [ ] Validate pentest necessity - Ensure penetration test is the right solution
• [ ] Align outcomes with objectives - Define success criteria

Reference Questions:

• Why are you doing this pentest?
• What specific outcomes do you expect?
• What will you do with the findings?

Know Your Test Types

| Type | Purpose | Scope | |------|---------|-------| | External Pentest | Assess external attack surface | Public-facing systems | | Internal Pentest | Assess insider threat risk | Internal network | | Web Application | Find application vulnerabilities | Specific applications | | Social Engineering | Test human security | Employees, processes | | Red Team | Full adversary simulation | Entire organization |

Enumerate Likely Threats

• [ ] Identify high-risk areas - Where could damage occur?
• [ ] Assess data sensitivity - What data could be compromised?
• [ ] Review legacy systems - Old systems often have vulnerabilities
• [ ] Map critical assets - Prioritize testing targets

Define Scope

• [ ] List in-scope systems - IPs, domains, applications
• [ ] Define out-of-scope items - Systems to avoid
• [ ] Set testing boundaries - What techniques are allowed?
• [ ] Document exclusions - Third-party systems, production data

Budget Planning

| Factor | Consideration | |--------|---------------| | Asset Value | Higher value = higher investment | | Complexity | More systems = more time | | Depth Required | Thorough testing costs more | | Reputation Value | Brand-name firms cost more |

Budget Reality Check:

• Cheap pentests often produce poor results
• Align budget with asset criticality
• Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

Prepare Test Environment

• [ ] Production vs. staging decision - Determine where to test
• [ ] Set testing limits - No DoS on production
• [ ] Schedule testing window - Minimize business impact
• [ ] Create test accounts - Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

Run Preliminary Scans

• [ ] Execute vulnerability scanners - Find known issues first
• [ ] Fix obvious vulnerabilities - Don't waste pentest time
• [ ] Document existing issues - Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

Review Security Policy

• [ ] Verify compliance requirements - GDPR, PCI-DSS, HIPAA
• [ ] Document data handling rules - Sensitive data procedures
• [ ] Confirm legal authorization - Get written permission

Notify Hosting Provider

• [ ] Check provider policies - What testing is allowed?
• [ ] Submit authorization requests - AWS, Azure, GCP requirements
• [ ] Document approvals - Keep records

Cloud Provider Policies:

• AWS: https://aws.amazon.com/security/penetration-testing/
• Azure: https://docs.microsoft.com/security/pentest
• GCP: https://cloud.google.com/security/overview

Freeze Developments

• [ ] Stop deployments during testing - Maintain consistent environment
• [ ] Document current versions - Record system states
• [ ] Avoid critical patches - Unless security emergency

Phase 3: Expertise Selection

Find Qualified Pentesters

• [ ] Seek recommendations - Ask trusted sources
• [ ] Verify credentials - OSCP, GPEN, CEH, CREST
• [ ] Check references - Talk to previous clients
• [ ] Match expertise to scope - Web, network, mobile specialists

Evaluation Criteria:

| Factor | Questions to Ask | |--------|------------------| | Experience | Years in field, similar projects | | Methodology | OWASP, PTES, custom approach | | Reporting | Sample reports, detail level | | Communication | Availability, update frequency |

Define Methodology

• [ ] Select testing standard - PTES, OWASP, NIST
• [ ] Determine access level - Black box, gray box, white box
• [ ] Agree on techniques - Manual vs. automated testing
• [ ] Set communication schedule - Updates and escalation

Testing Approaches:

| Type | Access Level | Simulates | |------|-------------|-----------| | Black Box | No information | External attacker | | Gray Box | Partial access | Insider with limited access | | White Box | Full access | Insider/detailed audit |

Define Report Format

• [ ] Review sample reports - Ensure quality meets needs
• [ ] Specify required sections - Executive summary, technical details
• [ ] Request machine-readable output - CSV, XML for tracking
• [ ] Agree on risk ratings - CVSS, custom scale

Report Should Include:

• Executive summary for management
• Technical findings with evidence
• Risk ratings and prioritization
• Remediation recommendations
• Retesting guidance

Phase 4: Monitoring

Implement Security Monitoring

• [ ] Deploy IDS/IPS - Intrusion detection systems
• [ ] Enable logging - Comprehensive audit trails
• [ ] Configure SIEM - Centralized log analysis
• [ ] Set up alerting - Real-time notifications

Monitoring Tools:

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log

# Monitor network
tcpdump -i eth0 -w capture.pcap

Configure Logging

• [ ] Centralize logs - Aggregate from all systems
• [ ] Set retention periods - Keep logs for analysis
• [ ] Enable detailed logging - Application and system level
• [ ] Test log collection - Verify all sources working

Key Logs to Monitor:

• Authentication events
• Application errors
• Network connections
• File access
• System changes

Monitor Exception Tools

• [ ] Track error rates - Unusual spikes indicate testing
• [ ] Brief operations team - Distinguish testing from attacks
• [ ] Document baseline - Normal vs. pentest activity

Watch Security Tools

• [ ] Review IDS alerts - Separate pentest from real attacks
• [ ] Monitor WAF logs - Track blocked attempts
• [ ] Check endpoint protection - Antivirus detections

Phase 5: Remediation

Ensure Backups

• [ ] Verify backup integrity - Test restoration
• [ ] Document recovery procedures - Know how to restore
• [ ] Separate backup access - Protect from testing

Reserve Remediation Time

• [ ] Allocate team availability - Post-pentest analysis
• [ ] Schedule fix implementation - Address findings
• [ ] Plan verification testing - Confirm fixes work

Patch During Testing Policy

• [ ] Generally avoid patching - Maintain consistent environment
• [ ] Exception for critical issues - Security emergencies only
• [ ] Communicate changes - Inform pentesters of any changes

Cleanup Procedure

• [ ] Remove test artifacts - Backdoors, scripts, files
• [ ] Delete test accounts - Remove pentester access
• [ ] Restore configurations - Return to original state
• [ ] Verify cleanup complete - Audit all changes

Schedule Next Pentest

• [ ] Determine frequency - Annual, quarterly, after changes
• [ ] Consider continuous testing - Bug bounty, ongoing assessments
• [ ] Budget for future tests - Plan ahead

Testing Frequency Factors:

• Release frequency
• Regulatory requirements
• Risk tolerance
• Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

• Production testing carries inherent risks
• Budget limitations affect thoroughness
• Time constraints may limit coverage
• Tester expertise varies significantly
• Findings become stale quickly

Examples

Example 1: Quick Scope Definition

**Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd

# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting

| Issue | Solution | |-------|----------| | Scope creep | Document and require change approval | | Testing impacts production | Schedule off-hours, use staging | | Findings disputed | Provide detailed evidence, retest | | Remediation delayed | Prioritize by risk, set deadlines | | Budget exceeded | Define clear scope, fixed-price contracts |