Pretest phase

What to do when someone first asks you to do a pentest:

  • Collect contact information (email and phone) for security exceptions, unlocking accounts, questions, updates, etc.

  • Send an email introducing yourself

  • Rules of engagement

    • Are there any blackout dates for testing (critical dates when nothing should be tested)?

    • Are there any components of the network you want me to focus on?

    • What are your biggest concerns / nightmare scenarios about security (integrity of data, DDoS)?

  • Read through the scope of the test

  • Do an initial reconnaissance check to see whether any scope was missed that perhaps should be included

    • Subdomain discovery

  • Planning

    • What does this organization do?

    • What data is most important to this organization?

    • What vulnerabilities / exploits might be most likely?
