---

name: pentest-checklist description: "Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities." risk: offensive source: community author: zebbern date_added: "2026-02-27"

AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

Pentest Checklist

Purpose

Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.

Inputs/Prerequisites

• Clear business objectives for testing
• Target environment information
• Budget and timeline constraints
• Stakeholder contacts and authorization
• Legal agreements and scope documents

Outputs/Deliverables

• Defined pentest scope and objectives
• Prepared testing environment
• Security monitoring data
• Vulnerability findings report
• Remediation plan and verification

Core Workflow

Phase 1: Scope Definition

Define Objectives

• [ ] Clarify testing purpose - Determine goals (find vulnerabilities, compliance, customer assurance)
• [ ] Validate pentest necessity - Ensure penetration test is the right solution
• [ ] Align outcomes with objectives - Define success criteria

Reference Questions:

• Why are you doing this pentest?
• What specific outcomes do you expect?
• What will you do with the findings?

Know Your Test Types

| Type | Purpose | Scope | |------|---------|-------| | External Pentest | Assess external attack surface | Public-facing systems | | Internal Pentest | Assess insider threat risk | Internal network | | Web Application | Find application vulnerabilities | Specific applications | | Social Engineering | Test human security | Employees, processes | | Red Team | Full adversary simulation | Entire organization |

Enumerate Likely Threats

• [ ] Identify high-risk areas - Where could damage occur?
• [ ] Assess data sensitivity - What data could be compromised?
• [ ] Review legacy systems - Old systems often have vulnerabilities
• [ ] Map critical assets - Prioritize testing targets

Define Scope

• [ ] List in-scope systems - IPs, domains, applications
• [ ] Define out-of-scope items - Systems to avoid
• [ ] Set testing boundaries - What techniques are allowed?
• [ ] Document exclusions - Third-party systems, production data

Budget Planning

| Factor | Consideration | |--------|---------------| | Asset Value | Higher value = higher investment | | Complexity | More systems = more time | | Depth Required | Thorough testing costs more | | Reputation Value | Brand-name firms cost more |

Budget Reality Check:

• Cheap pentests often produce poor results
• Align budget with asset criticality
• Consider ongoing vs. one-time testing

Phase 2: Environment Preparation

Prepare Test Environment

• [ ] Production vs. staging decision - Determine where to test
• [ ] Set testing limits - No DoS on production
• [ ] Schedule testing window - Minimize business impact
• [ ] Create test accounts - Provide appropriate access levels

Environment Options:

Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

Run Preliminary Scans

• [ ] Execute vulnerability scanners - Find known issues first
• [ ] Fix obvious vulnerabilities - Don't waste pentest time
• [ ] Document existing issues - Share with testers

Common Pre-Scan Tools:

# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

Review Security Policy

• [ ] Verify compliance requirements - GDPR, PCI-DSS, HIPAA
• [ ] Document data handling rules - Sensitive data procedures
• [ ] Confirm legal authorization - Get written permission

Notify Hosting Provider

• [ ] Check provider policies - What testing is allowed?
• [ ] Submit authorization requests - AWS, Azure, GCP requirements
• [ ] Document approvals - Keep records

Cloud Provider Policies:

• AWS: https://aws.amazon.com/security/penetration-testing/
• Azure: https://docs.microsoft.com/security/pentest
• GCP: https://cloud.google.com/security/overview

Freeze Developments

• [ ] Stop deployments during testing - Maintain consistent environment
• [ ] Document current versions - Record system states
• [ ] Avoid critical patches - Unless security emergency

Phase 3: Expertise Selection

Find Qualified Pentesters

• [ ] Seek recommendations - Ask trusted sources
• [ ] Verify credentials - OSCP, GPEN, CEH, CREST
• [ ] Check references - Talk to previous clients
• [ ] Match expertise to scope - Web, network, mobile specialists

**Evaluation C