Architect Penetration Tester

Agent for planning and conducting authorized penetration tests. Includes structured workflows, validation checks, and reusable patterns for security.

Agent | Cliptics | security | v1.0.0 | MIT

Plan and execute structured penetration testing engagements across web apps, networks, APIs, and cloud infrastructure with methodology-driven assessments.

When to Use This Agent

Choose this agent when you need to:

  • Design a penetration test plan with scope, rules of engagement, and methodology aligned to PTES or OWASP Testing Guide
  • Assess web application security through reconnaissance, discovery, exploitation, and post-exploitation with evidence chains
  • Produce executive and technical reports communicating risk severity, business impact, and step-by-step remediation

Consider alternatives when:

  • You need automated scanning at scale (Nessus, Qualys) rather than manual exploitation validation
  • Your focus is compliance auditing and policy review rather than offensive testing of live systems

Quick Start

Configuration

name: architect-penetration-tester
type: agent
category: security

Example Invocation

claude agent:invoke architect-penetration-tester "Perform web application pentest on our customer portal"

Example Output

Pentest Report - Customer Portal (portal.example.com)
Methodology: OWASP Testing Guide v4.2 | Duration: 5 days
Critical: 1 | High: 3 | Medium: 5 | Low: 4

[CRITICAL] SQLI-001 - SQL Injection in /api/search
  Payload: ' UNION SELECT username,password_hash FROM users--
  Impact: Full database extraction (12,847 user records)
  CVSS: 9.8 | Fix: Parameterized queries in SearchController.java:94

[HIGH] IDOR-001 - Insecure Direct Object Reference
  URL: GET /api/accounts/12345/transactions
  Impact: Any user can view other accounts' financial data
  Fix: Add ownership validation middleware

Core Concepts

Penetration Testing Methodology Overview

| Aspect | Details |
|---|---|
| PTES framework | Seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting |
| OWASP Guide | 91 test cases across information gathering, auth, authorization, session management, input validation, cryptography |
| Rules of engagement | Scope definition, testing window, escalation contacts, acceptable exploit severity, data handling |
| Attack surface | Public endpoints, API routes, auth flows, file uploads, WebSocket channels, third-party integrations |
| Evidence standards | Reproducible proof: request/response captures, screenshots, tool output, step-by-step reproduction |

Penetration Testing Architecture

+----------------+     +------------------+     +----------------+
| Pre-Engagement | --> | Reconnaissance   | --> | Vulnerability  |
| (scope, RoE,   |     | (OSINT, enum,    |     | Discovery      |
|  authorization)|     |  fingerprinting) |     | (scan, fuzz)   |
+----------------+     +------------------+     +----------------+
        |                       |                       |
        v                       v                       v
+----------------+     +------------------+     +----------------+
| Exploitation   | --> | Post-Exploitation| --> | Reporting &    |
| (validate,     |     | (pivot, persist, |     | Remediation    |
|  prove impact) |     |  data access)    |     | Guidance       |
+----------------+     +------------------+     +----------------+

Configuration

| Parameter | Type | Default | Description |
|---|---|---|---|
| target_scope | list | - | Domains, IP ranges, or URLs authorized for testing |
| methodology | enum | owasp-v4.2 | Framework: owasp-v4.2, ptes, nist-800-115, custom |
| max_exploit_severity | enum | high | Maximum exploitation depth: info, low, medium, high, critical |
| excluded_tests | list | [] | Test case IDs to skip (e.g., DoS, social engineering) |
| report_format | enum | technical | Output: executive, technical, combined, or json |
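
One way the target_scope, max_exploit_severity and excluded_tests parameters could be enforced as a pre-flight gate before any test case runs. This is an added example, not the agent's own code. The function names, the "*." wildcard convention for subdomains, the sample scope entries and the DOS-001 test ID are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
CONFIG = {  # constructed sample values; DOS-001 is a hypothetical test case ID
    "target_scope": ["portal.example.com", "*.staging.example.com", "203.0.113.0/24"],
    "max_exploit_severity": "high",
    "excluded_tests": ["DOS-001"],
}

def host_of(target):
    """Host part of a URL, host:port, hostname or IP; '' if unparseable."""
    try:
        parts = urlsplit(target if "://" in target else "//" + target)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def in_scope(target, target_scope):
    """True only if the host matches a scope entry (IPs match only IP/CIDR entries)."""
    host = host_of(target)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in target_scope:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None or addr is not None:
            hit = net is not None and addr is not None and addr in net
        elif entry.startswith("*."):
            hit = host.endswith(entry[1:].lower())  # subdomains only, not the apex
        else:
            hit = host != "" and host == host_of(entry)
        if hit:
            return True
    return False

def preflight(test, config):
    """Return (allowed, reason) for one planned test case."""
    if not in_scope(test["target"], config["target_scope"]):
        return False, "out of scope"
    if test["id"] in config.get("excluded_tests", []):
        return False, "excluded test"
    cap = config.get("max_exploit_severity", "high")
    if SEVERITY_ORDER.index(test["severity"]) > SEVERITY_ORDER.index(cap):
        return False, "exceeds max_exploit_severity"
    return True, "ok"
```

Matching on the parsed host rather than on a substring of the target string is what keeps look-alike names and userinfo-style URLs from passing as in scope.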

Best Practices

  1. Obtain written authorization - Every engagement requires a signed scope agreement and RoE. Testing without authorization creates legal liability and triggers incident alarms.

  2. Layer automated and manual testing - Use scanners for broad coverage, then manually validate medium+ findings. Automated tools miss business-logic flaws only human testers identify.

  3. Document findings in real time - Record request/response pairs and tool output during exploitation rather than reconstructing evidence afterward.

  4. Classify risk using business context - SQL injection on a marketing page is lower risk than on a payment endpoint. Adjust CVSS environmental scores by data sensitivity.

  5. Deliver actionable remediation - Provide specific file, line number, vulnerable pattern, and the exact fix. Actionable guidance reduces time from report to verified patch.

Common Issues

  1. Scope creep during discovery - Systems outside authorized scope may appear vulnerable. Document as out-of-scope observations and request expansion through proper channels.

  2. Environment instability - Staging environments may fail under scan load. Throttle scans, coordinate windows with ops, and maintain rollback plans.

  3. Remediation validation delays - Developers close findings without tester verification. Build a retesting phase into the timeline for critical and high findings.
