Pre-Engagement Checklist
Before any testing begins, confirm every item below. A missed step here is what turns an engagement into a legal problem (testing without valid authorization) or a project failure (an outage with no one to call, a scope dispute, data handled in a way the client never agreed to).
Documentation Required
- Signed contract/SOW
- Signed Rules of Engagement
- Authorization letter (from system owner)
- NDA (if required)
- Insurance certificate
- Tester credentials/certifications
Scope Confirmation
- IP addresses/ranges documented
- URLs/applications listed
- Out-of-scope items clearly defined
- Third-party dependencies identified
- Cloud provider policy reviewed (if applicable; none of the major providers require pre-approval for testing your own resources today, but each publishes rules that still bind you, and they change, so re-read them for every engagement)
  - AWS: aws.amazon.com/security/penetration-testing (permitted services listed; DoS/DDoS simulation, flooding and DNS zone walking are not covered by the standard policy)
  - Azure: Microsoft's penetration testing rules of engagement (no advance notification required; testing must stay within your own tenant)
  - GCP: no pre-approval needed for resources you own, subject to the Acceptable Use Policy and Terms of Service
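Once the in-scope ranges and the out-of-scope exclusions are written down, the practical control is a guard that refuses any target not covered by them before a scanner ever runs. The following is an added example, not code from the original page; the scope entries, hostnames and addresses are constructed from documentation ranges (203.0.113.0/24, 198.51.100.0/24, example.test) and are not from any real engagement. Exclusions always win over inclusions, and anything the guard cannot classify is treated as out of scope.

```python
"""Scope guard: refuse to touch any target that is not explicitly authorized.

Added example. The scope below is constructed for illustration and would
normally be transcribed from the signed Rules of Engagement.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample scope: includes (CIDRs, single IPs, hostnames,
# wildcard subdomains) and exclusions that override the includes.
SCOPE = {
    "include": ["203.0.113.0/24", "198.51.100.10",
                "*.example.test", "app.example.test"],
    "exclude": ["203.0.113.5", "203.0.113.64/26", "payments.example.test"],
}


def _parse_entry(entry):
    """Classify a scope entry as an IP network or a hostname pattern."""
    try:
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("host", entry.strip().lower())


def _host_matches(pattern, host):
    """Exact hostname match, or '*.domain' matching any subdomain of domain
    (but not domain itself)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _target_key(target):
    """Normalize a raw target (IP, hostname or URL) to ('net', address) or
    ('host', name). URLs are reduced to their hostname; case is ignored."""
    if "://" in target:
        target = urlsplit(target).hostname or ""
    target = target.strip().lower().rstrip(".")
    try:
        return ("net", ipaddress.ip_address(target))
    except ValueError:
        return ("host", target)


def _matches(entries, target):
    """True if target matches any entry of the same kind (net or host)."""
    kind, value = _target_key(target)
    for entry in entries:
        ekind, evalue = _parse_entry(entry)
        if ekind != kind:
            continue
        # IPv4 vs IPv6 mismatches are simply not contained, so they fall through.
        if kind == "net" and value in evalue:
            return True
        if kind == "host" and _host_matches(evalue, value):
            return True
    return False


def in_scope(target, scope=SCOPE):
    """True only if target matches an include entry and no exclude entry.

    Empty or unclassifiable targets (for example a CIDR passed where a single
    host was expected) are rejected: the guard fails closed.
    """
    kind, value = _target_key(target)
    if kind == "host" and not value:
        return False
    return _matches(scope["include"], target) and not _matches(scope["exclude"], target)


def filter_targets(targets, scope=SCOPE):
    """Split a candidate list into (allowed, rejected) before any tool runs."""
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if not in_scope(t, scope)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list, as a scanner wrapper would receive it.
    candidates = ["203.0.113.200", "203.0.113.5", "203.0.113.100",
                  "https://App.Example.Test/", "payments.example.test",
                  "198.51.100.11", "2001:db8::1"]
    ok, bad = filter_targets(candidates)
    print("allowed:", ok)
    print("rejected:", bad)
```

Wire `filter_targets` in front of whatever launches the scan and abort the run, rather than just warning, when the rejected list is non-empty; a target that was "probably fine" is exactly the kind of thing the authorization letter does not cover.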
Contact Information
- Client technical contact (24/7)
- Client emergency contact
- Escalation procedures documented
- Communication channels established
Technical Preparation
- VPN access configured (if needed)
- Credentials provided (if gray/white box)
- Testing environment verified
- Backout procedures documented
- Testing tools prepared and updated
Legal Verification
- Client has authority to authorize testing (they own every in-scope asset, or hold written consent from the hosting, SaaS or managed-service provider for assets they do not own)
- Testing complies with local laws
- Cross-border considerations addressed
- Data handling procedures agreed
Risk Management
- Critical systems identified
- Blackout periods documented
- Data sensitivity understood
- Incident response plan in place, both for an outage caused by testing and for evidence of a pre-existing compromise found during it
Professional Standards
Maintain recognized certifications (e.g. OSCP, CREST CRT/CCT, CEH) for credibility. Carry professional liability insurance.
Document everything. When in doubt, get explicit written authorization.