handbook/01 - Planning.md
2024-08-31 01:50:46 +02:00

Target Audience

  • Identify targets of the engagement
  • Identify scope and size of the engagement
  • Surface area of engagement

Objective

Assess the reasons for the assessment: security posture, risk assessment, customer personal data protection, etc.

Identify Protected Assets

ASSET INVENTORY

RISK REGISTER

Compliance

Establish guidelines (or necessity) for compliance with internal and external regulations or standards. Examples: PCI DSS, GDPR, HIPAA, etc.

  • Strictly defined surface area of engagement

Statement of Work

Non-Disclosure Agreement

Request for Information (RFI)

Resources

  1. Define budgeting requirements for the campaign.
  2. Identify target's accessibility:
    • Physical access
    • Remote access
    • Tooling required

Communication Plan

  1. Acquire Trusted Agent(s) within the company for trusted communication
  2. Establish communication guidelines and information access control rules during engagement (who knows what)
  3. Establish escalation procedures

Product/Report

Establish reporting guidelines

PENTEST REPORT TEMPLATE

Technical Constraints

Identify and establish all technical restrictions during the engagement: which parts of the infrastructure are tested and which are out of scope.

Comprehensiveness

Identify the specifics of the engagement: which parts of the infrastructure are tested, what types of vulnerabilities are in scope, etc.