Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

• Clear business objectives for testing
• Target environment information
• Budget and timeline constraints
• Stakeholder contacts and authorization
• Legal agreements and scope documents

Outputs/Deliverables

• Defined pentest scope and objectives
• Prepared testing environment
• Security monitoring data
• Vulnerability findings report
• Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

Define Objectives

• Clarify testing purpose – Determine goals (find vulnerabilities, compliance, customer assurance)
• Validate pentest necessity – Ensure penetration test is the right solution
• Align outcomes with objectives – Define success criteria

Reference Questions:

• Why are you doing this pentest?
• What specific outcomes do you expect?
• What will you do with the findings?

Know Your Test Types

Enumerate Likely Threats

• Identify high-risk areas – Where could damage occur?
• Assess data sensitivity – What data could be compromised?
• Review legacy systems – Old systems often have vulnerabilities
• Map critical assets – Prioritize testing targets

Define Scope

• List in-scope systems – IPs, domains, applications
• Define out-of-scope items – Systems to avoid
• Set testing boundaries – What techniques are allowed?
• Document exclusions – Third-party systems, production data

Budget Planning

Budget Reality Check:

• Cheap pentests often produce poor results
• Align budget with asset criticality
• Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

Prepare Test Environment

• Production vs. staging decision – Determine where to test
• Set testing limits – No DoS on production
• Schedule testing window – Minimize business impact
• Create test accounts – Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

Run Preliminary Scans

• Execute vulnerability scanners – Find known issues first
• Fix obvious vulnerabilities – Don’t waste pentest time
• Document existing issues – Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

Review Security Policy

• Verify compliance requirements – GDPR, PCI-DSS, HIPAA
• Document data handling rules – Sensitive data procedures
• Confirm legal authorization – Get written permission

Notify Hosting Provider

• Check provider policies – What testing is allowed?
• Submit authorization requests – AWS, Azure, GCP requirements
• Document approvals – Keep records

Cloud Provider Policies:

• AWS: https://aws.amazon.com/security/penetration-testing/
• Azure: https://docs.microsoft.com/security/pentest
• GCP: https://cloud.google.com/security/overview

Freeze Developments

• Stop deployments during testing – Maintain consistent environment
• Document current versions – Record system states
• Avoid critical patches – Unless security emergency

Phase 3: Expertise Selection

Find Qualified Pentesters

• Seek recommendations – Ask trusted sources
• Verify credentials – OSCP, GPEN, CEH, CREST
• Check references – Talk to previous clients
• Match expertise to scope – Web, network, mobile specialists

Evaluation Criteria:

Define Methodology

• Select testing standard – PTES, OWASP, NIST
• Determine access level – Black box, gray box, white box
• Agree on techniques – Manual vs. automated testing
• Set communication schedule – Updates and escalation

Testing Approaches:

Define Report Format

• Review sample reports – Ensure quality meets needs
• Specify required sections – Executive summary, technical details
• Request machine-readable output – CSV, XML for tracking
• Agree on risk ratings – CVSS, custom scale

Report Should Include:

• Executive summary for management
• Technical findings with evidence
• Risk ratings and prioritization
• Remediation recommendations
• Retesting guidance

Phase 4: Monitoring

Implement Security Monitoring

• Deploy IDS/IPS – Intrusion detection systems
• Enable logging – Comprehensive audit trails
• Configure SIEM – Centralized log analysis
• Set up alerting – Real-time notifications

Monitoring Tools:

# Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log

# Monitor network
tcpdump -i eth0 -w capture.pcap

Configure Logging

• Centralize logs – Aggregate from all systems
• Set retention periods – Keep logs for analysis
• Enable detailed logging – Application and system level
• Test log collection – Verify all sources working

Key Logs to Monitor:

• Authentication events
• Application errors
• Network connections
• File access
• System changes

Monitor Exception Tools

• Track error rates – Unusual spikes indicate testing
• Brief operations team – Distinguish testing from attacks
• Document baseline – Normal vs. pentest activity

Watch Security Tools

• Review IDS alerts – Separate pentest from real attacks
• Monitor WAF logs – Track blocked attempts
• Check endpoint protection – Antivirus detections

Phase 5: Remediation

Ensure Backups

• Verify backup integrity – Test restoration
• Document recovery procedures – Know how to restore
• Separate backup access – Protect from testing

Reserve Remediation Time

• Allocate team availability – Post-pentest analysis
• Schedule fix implementation – Address findings
• Plan verification testing – Confirm fixes work

Patch During Testing Policy

• Generally avoid patching – Maintain consistent environment
• Exception for critical issues – Security emergencies only
• Communicate changes – Inform pentesters of any changes

Cleanup Procedure

• Remove test artifacts – Backdoors, scripts, files
• Delete test accounts – Remove pentester access
• Restore configurations – Return to original state
• Verify cleanup complete – Audit all changes

Schedule Next Pentest

• Determine frequency – Annual, quarterly, after changes
• Consider continuous testing – Bug bounty, ongoing assessments
• Budget for future tests – Plan ahead

Testing Frequency Factors:

• Release frequency
• Regulatory requirements
• Risk tolerance
• Past findings severity

Quick Reference

Pre-Pentest Checklist

□ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified

Post-Pentest Checklist

□ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled

Constraints

• Production testing carries inherent risks
• Budget limitations affect thoroughness
• Time constraints may limit coverage
• Tester expertise varies significantly
• Findings become stale quickly

Examples

Example 1: Quick Scope Definition

**Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided

Example 2: Monitoring Setup

# Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd

# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &

Troubleshooting