Free Checklist

PENETRATION TEST PREPARATION CHECKLIST

Organizations that prepare before a penetration test get significantly more value from the engagement. Use this checklist to define scope, align stakeholders, establish rules of engagement, and plan for what comes after.

How to use this checklist

  • Work through this checklist before the engagement begins — most items require internal coordination.
  • Share relevant sections with your testing vendor during scoping calls.
  • The "Considerations" column on each section captures judgment calls that trip up first-time buyers.
  1. 1

    Define Scope and Objectives

    Pre-Engagement

    Preparation checks

    • Determine test type: external network, internal network, web application, wireless, or social engineering.
    • Identify the primary goal — compliance, insurance requirement, risk reduction, or all three.
    • Decide on testing approach: black box (no prior knowledge), gray box (partial context), or white box (full documentation).
    • Document what a successful engagement outcome looks like for your organization.

    Key considerations

    • Gray box testing delivers the best risk-to-cost ratio for most small and mid-sized businesses.
    • Compliance-driven tests (FTC Safeguards, PCI DSS, SOC 2) often have minimum scope requirements — confirm before scoping.
    • Broad scope increases cost; focus on highest-risk assets if budget-constrained.
  2. 2

    Inventory In-Scope Assets

    Pre-Engagement

    Preparation checks

    • List all external-facing IP addresses and domain names to be tested.
    • Identify web applications, APIs, customer portals, and authenticated endpoints in scope.
    • Document cloud environments and their account and project boundaries.
    • Explicitly list out-of-scope assets and the reason they are excluded.

    Key considerations

    • Incomplete asset inventories are the most common source of scope gaps.
    • Recently launched or changed systems carry the highest risk — prioritize them.
    • Shadow IT and forgotten test environments should be reviewed and either explicitly included or excluded.
  3. 3

    Notify and Coordinate Stakeholders

    Pre-Engagement

    Preparation checks

    • Brief IT and security operations staff so test traffic is not blocked or misidentified as a real attack.
    • Notify leadership and legal; document internal authorization in writing before testing begins.
    • Inform cloud providers if required — AWS, Azure, and GCP each have penetration testing notification policies.
    • Identify a primary point of contact who can answer tester questions in real time.

    Key considerations

    • Testing cloud-hosted resources without provider notification may violate acceptable use terms.
    • Keep the notification list tight — broad distribution can cause inadvertent test interference.
  4. 4

    Establish Rules of Engagement

    Pre-Engagement

    Preparation checks

    • Define authorized testing hours — business hours only vs. 24/7 authorization.
    • Specify prohibited techniques: denial-of-service, ransomware simulation, or production data exfiltration.
    • Agree on immediate escalation criteria — findings that require notification before the final report.
    • Define the data handling and retention policy for test artifacts and findings.

    Key considerations

    • Business-hours restrictions reduce risk to production systems but may miss after-hours attack surface.
    • Escalation criteria should include active exploitation of critical systems or discovery of active threat actor activity.
  5. 5

    Prepare Documentation and Test Access

    Pre-Engagement

    Preparation checks

    • Provide architecture diagrams and network topology for white or gray box engagements.
    • Create dedicated test accounts with realistic permission levels; do not use actual employee credentials.
    • Set up VPN or jump-box access for internal-network tests if required.
    • Share application credentials, environment URLs, and API documentation for web application tests.

    Key considerations

    • Test accounts should mirror real user permission levels to simulate realistic attack paths.
    • Rotate all test credentials immediately after the engagement completes — do not reuse them.
  6. 6

    Configure Security Monitoring Intentionally

    During Engagement

    Preparation checks

    • Decide whether to test detection capability (tester traffic blends in, you measure how much you catch) or disable detection for coverage testing.
    • If testing detection: brief your SOC or IT team on evaluation criteria before the test begins.
    • If disabling detection: document the window and scope formally and re-enable promptly after.
    • Document baseline security tool performance before the test window opens.

    Key considerations

    • Testing detection is more valuable when mature security operations are in place.
    • Disabling detection for coverage testing is a valid and common approach for organizations building their first security program.
  7. 7

    Assign Internal Response Capacity

    During Engagement

    Preparation checks

    • Designate a named internal owner who is reachable during the engagement window.
    • Define an emergency stop procedure if testing causes unexpected production disruption.
    • Ensure IT staff have capacity to address critical findings in real time if the tester identifies active exploitation.
    • Document who is authorized to expand or reduce scope mid-engagement.

    Key considerations

    • Abort criteria should be clearly defined but not so sensitive that routine test traffic triggers them.
  8. 8

    Plan Remediation and Retesting

    Post-Engagement

    Preparation checks

    • Schedule a debrief call with the testing team before the report is formally delivered.
    • Establish a tracking process for all findings: owner, severity, due date, and status.
    • Prioritize critical and high findings for remediation within 30 days.
    • Budget for a retest of critical findings within 60–90 days to validate fixes.

    Key considerations

    • Findings without assigned owners and deadlines rarely get remediated.
    • Cyber insurance carriers and compliance auditors increasingly want evidence of remediation, not just the original test report.
    • Retesting validates fixes without requiring a full new engagement — typically much lower cost.

Ready to schedule a penetration test?

Prometheus conducts external network, internal network, and web application penetration tests for small and mid-sized businesses. We walk you through scoping, handle the engagement, and deliver findings with practical remediation guidance.

Request a consultation