Checklist: Are you ready for a pen test?

We’ve been conducting pen tests for 25 years now and we’ve found that a little preparation makes a big difference. For a start, it makes sure that we’re on the same page as the client and understand what they expect and when. That helps us deliver faster, smoother, and more valuable results — and it helps you get maximum value from the testing exercise.

Here’s a quick guide to what in most cases you (as the client) will do, what we (as the tester) will do, and what we both (working together) will do.

What will you do?

Set initial goals, scope and direction, and liaise with us as needed

This is your project and we want to deliver the outcomes you need, so we’ll need your direction and guidance on a few points:

Before the testing starts:
  1. Sign our MNDA or have yours ready:
    After all, you don’t want us selling your IP on the dark web!

  2. Prepare your scope, including dates and deadlines:
    We’ll need a list (even if just brief) of systems that you’ll want us to test: Applications, IP ranges, and environments that are in-scope (and out-of-scope). Things like API definitions, data-flow diagrams, application-roles (like admin, customer manager, customer, etc.) are all really helpful and will save time later. Regarding dates and deadlines, we can be flexible here, but it’s good to have something to work with when doing initial scoping.

  3. Communicate special requirements:
    Let us know early if you have customer, partner, insurance, or compliance-driven needs — such as special reporting formats or evidence requirements.

  4. Review our proposal:
    Even if it takes a couple of revisions, we’ll aim to get the scope and price you’re looking for. Assuming we’re successful, you’ll sign off the proposal and we’ll be good to go.

Just prior to and during testing (after sign-off):
  1. Provide us with access and credentials (if needed):
    Depending on the goals and scope of the assessment, you’ll grant us access to the target(s) of assessment and provide us with test-account credentials, API keys, etc., if required.

  2. Schedule maintenance windows and update stakeholders (if needed):
    We’d prefer to test in a non-prod environment but sometimes that’s not possible. If testing might affect availability, enable a maintenance window and/or update the security and incident-response teams as/if needed.

  3. Attend the planning meeting and agree upon the detailed project Plan, which will describe a detailed set of milestones and corresponding deliverables, as well as clearly defined criteria for success.

  4. Prepare for remediation and liaise as agreed-upon in the project Plan.
    It’s always good to be on the same page when it comes to progress, blockers, deadlines, etc., and you should be ready to prioritize and act on any critical vulnerabilities that we find.

What will dotSec do?

Gather requirements for the targets of assessment, and get testing!

Some of these tasks might need to be varied but we’ll generally follow this kind of plan:

Before the testing starts:
  1. Counter-sign the agreed MNDA:
    Yeah, yeah, insert dark-web joke here 🙂

  2. Request details regarding the target(s) of assessment:
    Depending on the type of assessment, we’ll ask about things like API definitions, application roles and permissions, network configuration and access, etc. We’ve got a simple estimation tool that we’ll share with you to make this step a bit less painful for you.

  3. Arrange a scope-confirmation video-call:
    In some cases, it’s good to have a quick chat about the above points, answer questions and confirm we’re on the same page, and perhaps also have a walk-through/screen-share so we can confirm we have a thorough understanding of what you need and what we’re testing. The clearer we are, the more targeted and value-for-money our proposal will be.

  4. Prepare the proposal and deliver it to you for review. Consider any requests for change and then provide you with the final version of the proposal for final review… and hopefully, sign-off!

Just prior to and during testing (after sign-off):
  1. Facilitate the planning meeting so we can agree upon the detailed, documented project Plan. The Plan will include the start and completion dates, agreed Rules Of Engagement, a detailed set of deadlines and milestones together with their corresponding deliverables, and clearly defined criteria for success. Deliver the Plan to you for acceptance.

  2. Begin the testing project as per the Plan.

  3. Notify you of important insights as per the Plan. For example, we’ll let you know if we find unexpected complexities (like undocumented systems or critical apps), we’ll work with you to adapt testing safely and effectively if needed, and we’ll share high-priority findings early so you can begin to address them as soon as they are confirmed.

  4. Complete the project, deliver the Final Report and conduct and facilitate at least one post-report meeting with you so you can ask questions, get advice and provide any suggestions or feedback.

We welcome all questions and comments related to the above project outline. No two assessments are the same and there is always room for variation, so give us a call; we’re happy to discuss your specific requirements at any time.