
Pentest Checklist Studio

Skill · Cliptics · security · v1.0.0 · MIT. Includes structured workflows, validation checks, and reusable patterns for security engagements.

Plan, execute, and track penetration testing engagements with comprehensive checklists covering pre-engagement, reconnaissance, vulnerability assessment, exploitation, post-exploitation, and reporting phases. This skill provides structured testing workflows and ensures thorough coverage of the attack surface.

When to Use This Skill

Choose Pentest Checklist Studio when you need to:

  • Plan a structured penetration testing engagement from start to finish
  • Ensure comprehensive coverage across all testing phases and vectors
  • Track progress during multi-day assessments
  • Generate testing methodology documentation for compliance requirements

Consider alternatives when:

  • You need specific attack techniques (use domain-specific skills)
  • You need automated scanning (use Nessus, OpenVAS, or Qualys)
  • You need bug bounty-specific workflows (use API Fuzzing or web-specific skills)

Quick Start

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List


class CheckStatus(Enum):
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    COMPLETED = "completed"
    NOT_APPLICABLE = "n/a"
    BLOCKED = "blocked"


@dataclass
class CheckItem:
    id: str
    category: str
    description: str
    status: CheckStatus = CheckStatus.NOT_STARTED
    notes: str = ""
    tools: List[str] = field(default_factory=list)


@dataclass
class PentestChecklist:
    engagement_name: str
    scope: List[str]
    start_date: date
    items: List[CheckItem] = field(default_factory=list)

    def add_standard_checks(self):
        """Add standard penetration testing checklist items."""
        standard_checks = [
            # Pre-engagement
            ("PRE-01", "Pre-engagement", "Signed rules of engagement / authorization"),
            ("PRE-02", "Pre-engagement", "Scope definition (IPs, domains, exclusions)"),
            ("PRE-03", "Pre-engagement", "Emergency contacts documented"),
            ("PRE-04", "Pre-engagement", "Testing window confirmed"),
            ("PRE-05", "Pre-engagement", "VPN/access credentials received"),
            # Reconnaissance
            ("REC-01", "Reconnaissance", "DNS enumeration (subdomains, records)"),
            ("REC-02", "Reconnaissance", "OSINT on organization and employees"),
            ("REC-03", "Reconnaissance", "Technology stack identification"),
            ("REC-04", "Reconnaissance", "Certificate transparency log search"),
            ("REC-05", "Reconnaissance", "Port scanning all in-scope targets"),
            # Web Application
            ("WEB-01", "Web Application", "Authentication testing (brute force, lockout)"),
            ("WEB-02", "Web Application", "Session management testing"),
            ("WEB-03", "Web Application", "Input validation (SQLi, XSS, command injection)"),
            ("WEB-04", "Web Application", "Authorization testing (IDOR, privilege escalation)"),
            ("WEB-05", "Web Application", "File upload testing"),
            ("WEB-06", "Web Application", "API endpoint security"),
            ("WEB-07", "Web Application", "Business logic flaws"),
            # Network
            ("NET-01", "Network", "Service enumeration on all open ports"),
            ("NET-02", "Network", "Default credential testing"),
            ("NET-03", "Network", "SSL/TLS configuration assessment"),
            ("NET-04", "Network", "Network segmentation verification"),
            ("NET-05", "Network", "Internal network scanning (if in scope)"),
            # Post-exploitation
            ("POST-01", "Post-exploitation", "Privilege escalation attempted"),
            ("POST-02", "Post-exploitation", "Lateral movement tested"),
            ("POST-03", "Post-exploitation", "Data exfiltration simulation"),
            ("POST-04", "Post-exploitation", "Persistence mechanism testing"),
            # Reporting
            ("RPT-01", "Reporting", "All findings documented with evidence"),
            ("RPT-02", "Reporting", "CVSS scores assigned to all findings"),
            ("RPT-03", "Reporting", "Executive summary written"),
            ("RPT-04", "Reporting", "Remediation guidance provided"),
            ("RPT-05", "Reporting", "Testing artifacts cleaned up"),
        ]
        for id_, cat, desc in standard_checks:
            self.items.append(CheckItem(id=id_, category=cat, description=desc))

    def progress_report(self) -> str:
        """Generate progress summary, grouped by category in insertion order."""
        by_category = {}
        for item in self.items:
            by_category.setdefault(item.category, []).append(item)
        lines = [
            f"PENTEST PROGRESS — {self.engagement_name}",
            f"Scope: {', '.join(self.scope)}",
            "",
        ]
        for cat, items in by_category.items():
            # "done" counts both completed and not-applicable items
            done = sum(1 for i in items if i.status in (CheckStatus.COMPLETED, CheckStatus.NOT_APPLICABLE))
            lines.append(f"{cat}: {done}/{len(items)} complete")
            for item in items:
                icon = {
                    'completed': '+',
                    'in_progress': '~',
                    'not_started': ' ',
                    'n/a': '-',
                    'blocked': '!',
                }[item.status.value]
                lines.append(f"  [{icon}] {item.id}: {item.description}")
        return '\n'.join(lines)


# Usage
checklist = PentestChecklist(
    engagement_name="Acme Corp Q1 2025",
    scope=["*.acme.com", "10.0.0.0/24"],
    start_date=date.today(),
)
checklist.add_standard_checks()
print(checklist.progress_report())
```

Core Concepts

Testing Phase Breakdown

| Phase | Duration (typical) | Key Deliverables |
|---|---|---|
| Pre-engagement | 1-3 days | Signed ROE, scope document, access setup |
| Reconnaissance | 1-2 days | Asset inventory, technology map, attack surface |
| Vulnerability Assessment | 2-3 days | Scan results, verified vulnerabilities |
| Exploitation | 2-5 days | Successful exploits, access evidence |
| Post-exploitation | 1-3 days | Lateral movement map, data access proof |
| Reporting | 2-3 days | Executive summary, technical report, remediation |

Configuration

| Parameter | Description | Default |
|---|---|---|
| engagement_type | Assessment type (network, web, cloud, mobile) | Required |
| scope_type | Black-box, gray-box, or white-box | "gray-box" |
| testing_standard | Methodology (PTES, OWASP, NIST) | "PTES" |
| report_format | Final report format | "PDF" |
| severity_rating | Rating system (CVSS, custom) | "CVSS 3.1" |
| retest_included | Whether remediation retest is included | true |
| evidence_retention | How long to keep evidence | 90 days |
| checklist_template | Starting checklist template | "standard" |

Best Practices

  1. Complete pre-engagement checks before any testing begins — Never start testing without signed authorization, confirmed scope, and emergency contacts. Missing any of these items exposes the tester to legal liability and the client to unexpected service disruptions.

  2. Track every check item with evidence and notes — For each completed checklist item, note the tools used, commands run, and results found. This creates an audit trail that supports the final report and helps if findings are questioned during remediation verification.

  3. Prioritize testing based on business-critical assets — Start with internet-facing assets, authentication systems, and data stores that contain sensitive information. If time is limited, testing the most impactful targets first maximizes engagement value.

  4. Review the checklist daily during multi-day engagements — Check progress against the planned timeline each day. Adjust priorities if certain areas are taking longer than expected. Communicate scope or timeline concerns to the client early rather than rushing the final phases.

  5. Always complete the cleanup and reporting phases — It's tempting to end after finding high-severity vulnerabilities, but incomplete cleanup leaves artifacts on client systems, and incomplete reports don't give the client actionable remediation guidance. Budget time for these phases.
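Practices 1 and 2 can be enforced in code rather than left to discipline. The following is an added example, not code shipped with Pentest Checklist Studio: it re-declares a trimmed version of the Quick Start types and adds an authorization gate (no item outside the Pre-engagement category can be started or completed while any pre-engagement item is open) plus an evidence record that stores the tool, the command, a result summary, a UTC timestamp and a SHA-256 of the raw artifact, so a screenshot or tool output cannot be silently swapped after the fact. The names `TrackedChecklist`, `Evidence`, `PreEngagementIncomplete` and `sha256_hex` are assumptions of this example, and every artifact in `demo()` is a constructed placeholder.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List


class CheckStatus(Enum):
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    COMPLETED = "completed"
    NOT_APPLICABLE = "n/a"
    BLOCKED = "blocked"


DONE = (CheckStatus.COMPLETED, CheckStatus.NOT_APPLICABLE)


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a raw artifact (tool output, screenshot, pcap)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Evidence:
    """What was run, with which tool, what it showed, and a hash of the raw artifact."""
    tool: str
    command: str
    summary: str
    artifact_sha256: str
    recorded_at: str  # ISO-8601 UTC timestamp


@dataclass
class CheckItem:
    id: str
    category: str
    description: str
    status: CheckStatus = CheckStatus.NOT_STARTED
    evidence: List[Evidence] = field(default_factory=list)


class PreEngagementIncomplete(RuntimeError):
    """Raised when testing is attempted before authorization/scope items are closed."""


class TrackedChecklist:
    """Hypothetical wrapper (not the skill's own class) that gates work on pre-engagement."""

    def __init__(self, items: List[CheckItem]):
        self.items: Dict[str, CheckItem] = {i.id: i for i in items}

    def open_pre_engagement(self) -> List[str]:
        """IDs of pre-engagement items that are not yet complete or n/a."""
        return [i.id for i in self.items.values()
                if i.category == "Pre-engagement" and i.status not in DONE]

    def _gate(self, item: CheckItem) -> None:
        # Pre-engagement items may always be worked; everything else waits for them.
        if item.category != "Pre-engagement":
            missing = self.open_pre_engagement()
            if missing:
                raise PreEngagementIncomplete(
                    f"cannot work {item.id}: open pre-engagement items {missing}")

    def start(self, item_id: str) -> CheckItem:
        item = self.items[item_id]
        self._gate(item)
        item.status = CheckStatus.IN_PROGRESS
        return item

    def complete(self, item_id: str, tool: str, command: str,
                 summary: str, artifact: bytes) -> Evidence:
        """Close an item, attaching tool, command, result summary and artifact hash."""
        item = self.items[item_id]
        self._gate(item)
        ev = Evidence(tool=tool, command=command, summary=summary,
                      artifact_sha256=sha256_hex(artifact),
                      recorded_at=datetime.now(timezone.utc).isoformat(timespec="seconds"))
        item.evidence.append(ev)
        item.status = CheckStatus.COMPLETED
        return ev

    def export_json(self) -> str:
        """Audit trail for the report appendix; the Enum status is serialized by value."""
        rows = []
        for item in self.items.values():
            row = asdict(item)
            row["status"] = item.status.value
            rows.append(row)
        return json.dumps(rows, indent=2)


def demo() -> TrackedChecklist:
    """Walk a three-item checklist; every artifact below is a constructed placeholder."""
    cl = TrackedChecklist([
        CheckItem("PRE-01", "Pre-engagement", "Signed rules of engagement / authorization"),
        CheckItem("PRE-02", "Pre-engagement", "Scope definition (IPs, domains, exclusions)"),
        CheckItem("REC-05", "Reconnaissance", "Port scanning all in-scope targets"),
    ])
    cl.complete("PRE-01", "email", "(none)", "ROE countersigned by client",
                b"constructed: signed ROE PDF bytes")
    cl.complete("PRE-02", "docs", "(none)", "Scope: *.acme.com, 10.0.0.0/24",
                b"constructed: scope document bytes")
    cl.start("REC-05")  # would have raised before PRE-01/PRE-02 were closed
    cl.complete("REC-05", "nmap", "nmap -sS -p- -oA rec05 10.0.0.0/24",
                "22/tcp and 443/tcp open on 10.0.0.37",
                b"abc")  # b"abc" stands in for the raw nmap output file
    return cl


if __name__ == "__main__":
    print(demo().export_json())
```

Keeping the hash rather than the artifact inside the checklist keeps the tracker small while still letting a reviewer verify that the file in the evidence store is the one the tester recorded; the retention period from the configuration table then applies to the store, not to the checklist.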

Common Issues

Checklist is too generic for the specific engagement type — Customize the standard checklist for each engagement. A web application test needs OWASP Testing Guide checks; a network test needs more infrastructure items. Remove irrelevant checks and add client-specific items based on the scope.

Testing falls behind schedule on complex targets — Allocate buffer time (10-20% of total engagement duration) for unexpected complexity. If falling behind, prioritize high-value targets and communicate timeline adjustments to the client. Never sacrifice reporting quality to catch up.

Client changes scope mid-engagement — Document any scope changes in writing and adjust the timeline and checklist accordingly. Adding targets without extending the engagement reduces coverage quality. Push back professionally and propose options (extend timeline, defer new targets to a follow-up).
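The scope problems above (a target that is not in scope, and a mid-engagement change that is never written down) are both mechanical enough to check in code. The following is an added example, not part of the skill's own code, that turns a scope list like the Quick Start's `["*.acme.com", "10.0.0.0/24"]` into an enforceable allow/deny decision and records every amendment with a date and a named client authorizer. It goes beyond the text in one way: it also handles exclusions, which always win over inclusions, so a fragile host carved out of a CIDR range is never scanned by accident. The `Scope`, `ScopeChange` and `partition` names are assumptions of this example, and the rule that `*.acme.com` does not cover the apex `acme.com` is a choice made here (list the apex explicitly if it is in scope). The engagement data in `demo()` is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


def _classify(entry: str):
    """A scope entry is either a network (10.0.0.0/24, or a single IP) or a hostname pattern."""
    entry = entry.strip().lower()
    try:
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host", entry


def _host_matches(pattern: str, host: str) -> bool:
    # "*.acme.com" covers any subdomain; the apex "acme.com" does not end with
    # ".acme.com" and must be listed on its own (rule chosen for this example).
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


@dataclass
class ScopeChange:
    on: str               # ISO date of the written agreement
    authorized_by: str    # named client contact who approved it
    added: List[str]
    removed: List[str]
    note: str = ""


@dataclass
class Scope:
    include: List[str]
    exclude: List[str] = field(default_factory=list)
    history: List[ScopeChange] = field(default_factory=list)

    @staticmethod
    def _matches(entries: Sequence[str], target: str) -> bool:
        t = target.strip().lower().rstrip(".")  # normalise case and trailing FQDN dot
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            addr = None  # not an IP literal, so treat it as a hostname
        for entry in entries:
            kind, value = _classify(entry)
            if kind == "net" and addr is not None and addr in value:
                return True
            if kind == "host" and addr is None and _host_matches(value, t):
                return True
        return False

    def is_in_scope(self, target: str) -> bool:
        """Exclusions always win over inclusions."""
        return self._matches(self.include, target) and not self._matches(self.exclude, target)

    def partition(self, targets: Sequence[str]) -> Tuple[List[str], List[str]]:
        """Split a candidate target list into (in_scope, out_of_scope) before any scanning."""
        allowed = [t for t in targets if self.is_in_scope(t)]
        denied = [t for t in targets if not self.is_in_scope(t)]
        return allowed, denied

    def amend(self, on: str, authorized_by: str, added: Sequence[str] = (),
              removed: Sequence[str] = (), note: str = "") -> ScopeChange:
        """Apply a written scope change; refuse anonymous or inconsistent changes."""
        if not authorized_by.strip():
            raise ValueError("scope changes need a named authorizer on the client side")
        for entry in removed:
            if entry not in self.include:
                raise ValueError(f"{entry!r} is not in the current include list")
        for entry in removed:
            self.include.remove(entry)
        self.include.extend(added)
        change = ScopeChange(on, authorized_by, list(added), list(removed), note)
        self.history.append(change)
        return change


def demo() -> Scope:
    """Constructed scope mirroring the Quick Start engagement, with one recorded change."""
    scope = Scope(include=["*.acme.com", "10.0.0.0/24"],
                  exclude=["10.0.0.1", "legacy-erp.acme.com"])  # gateway and a fragile ERP host
    scope.amend("2025-02-03", "J. Doe (client CISO)", added=["10.0.1.0/24"],
                note="staging network added; engagement extended by one day")
    return scope


if __name__ == "__main__":
    s = demo()
    print(s.partition(["10.0.0.37", "10.0.0.1", "10.0.1.5", "mail.acme.com", "acme.com"]))
```

Run `partition` over the target list every time a scanner is launched, not once at the start: after an amendment the same call picks up the new ranges, and the `history` list is the written record to attach to the report when coverage is questioned.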
