Pretest phase
When someone first asks you to do a pentest.
Collect contact information (email and phone) for security exceptions, unlocking accounts, questions, updates, etc.
Send an email introducing yourself
Rules of engagement
Are there any blackout dates for testing (critical dates when nothing should be tested)?
Are there any components of the network you want me to focus on?
What are your biggest concerns / nightmare scenarios about security (integrity of data, DDoS)?
Read through the scope of the test
Do an initial reconnaissance check to see whether anything that should be in scope was missed
Subdomain discovery
Planning
What does this organization do?
What data is most important to this organization?
What vulnerabilities / exploits might be most likely?