Before the Engagement
Scope Definition
- ☐ Define in-scope IP addresses, domains, and applications
- ☐ Identify out-of-scope systems and restrictions
- ☐ Determine testing type (black box, gray box, white box)
- ☐ Specify testing hours and blackout periods
- ☐ Document any production system limitations
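A scope check the testing team, or the client's monitoring staff, can run before a target is touched. This is an added example and not part of the original checklist; the rules of engagement below (CIDR ranges, domains, the nightly testing window and the blackout dates) are constructed placeholders to be replaced with the real ROE. Out-of-scope entries override in-scope ones, an in-scope domain covers its subdomains, and the testing window may cross midnight.

```python
import ipaddress
from datetime import datetime, time

# Constructed example rules of engagement (hypothetical values, not a real ROE).
# Times are naive UTC to keep the example self-contained.
ROE = {
    "in_scope_cidrs": ["203.0.113.0/24", "198.51.100.0/25"],
    "out_of_scope_cidrs": ["203.0.113.200/29"],   # exclusions override inclusions
    "in_scope_domains": ["example.com"],           # includes all subdomains
    "out_of_scope_domains": ["payments.example.com"],
    "window_start": time(22, 0),                   # nightly testing window 22:00-06:00 UTC
    "window_end": time(6, 0),                      # crosses midnight
    "blackouts": [(datetime(2024, 3, 29, 0, 0), datetime(2024, 4, 1, 0, 0))],  # e.g. month-end close
}


def ip_in_scope(ip_str, roe=ROE):
    """Return (allowed, reason) for an IPv4/IPv6 address. Exclusions win over inclusions."""
    ip = ipaddress.ip_address(ip_str)
    for net in roe["out_of_scope_cidrs"]:
        if ip in ipaddress.ip_network(net, strict=False):
            return False, f"{ip} excluded by out-of-scope range {net}"
    for net in roe["in_scope_cidrs"]:
        if ip in ipaddress.ip_network(net, strict=False):
            return True, f"{ip} in scope via {net}"
    return False, f"{ip} not listed in any in-scope range"


def _under_domain(host, domain):
    """True if host equals domain or is a subdomain of it (label-aligned, not a substring test)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def host_in_scope(host, roe=ROE):
    """Return (allowed, reason) for a hostname. Exclusions win over inclusions."""
    for d in roe["out_of_scope_domains"]:
        if _under_domain(host, d):
            return False, f"{host} excluded by out-of-scope domain {d}"
    for d in roe["in_scope_domains"]:
        if _under_domain(host, d):
            return True, f"{host} in scope via {d}"
    return False, f"{host} not under any in-scope domain"


def target_in_scope(target, roe=ROE):
    """Dispatch on whether the target is an IP literal or a hostname."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return host_in_scope(target, roe)
    return ip_in_scope(target, roe)


def in_testing_window(now, roe=ROE):
    """Return (allowed, reason): inside the agreed daily window and outside every blackout."""
    for start, end in roe["blackouts"]:
        if start <= now < end:
            return False, f"{now} falls in blackout {start} .. {end}"
    t = now.time()
    s, e = roe["window_start"], roe["window_end"]
    ok = (s <= t < e) if s <= e else (t >= s or t < e)   # second form handles a window crossing midnight
    return ok, f"{now} {'inside' if ok else 'outside'} testing window {s}-{e} UTC"


def may_test(target, now, roe=ROE):
    """Combine both checks; a target is only testable when scope and timing both allow it."""
    scope_ok, scope_reason = target_in_scope(target, roe)
    time_ok, time_reason = in_testing_window(now, roe)
    return scope_ok and time_ok, [scope_reason, time_reason]


if __name__ == "__main__":
    now = datetime(2024, 3, 15, 23, 30)          # constructed "current time"
    for tgt in ["203.0.113.10", "203.0.113.201", "api.example.com",
                "payments.example.com", "example.com.attacker.net"]:
        allowed, reasons = may_test(tgt, now)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {tgt}: {'; '.join(reasons)}")
```

Exclusions are evaluated first on purpose: a carve-out such as the payments host must win even though its parent domain is in scope, and the label-aligned domain match stops `example.com.attacker.net` from slipping through a naive substring check.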
Authorization & Legal
- ☐ Obtain written authorization from system owners
- ☐ Sign engagement letters and NDAs
- ☐ Document Rules of Engagement (ROE)
- ☐ Verify third-party hosting permissions if applicable (cloud and hosting providers publish penetration-testing policies; some require advance notice or prohibit certain test types)
- ☐ Confirm incident response contacts on both sides and agree how the testers will report a critical finding out of band
Technical Preparation
- ☐ Provide network diagrams and architecture documentation
- ☐ Create test accounts if needed (for authenticated testing), one per role to be tested, and record them so they can be removed afterwards
- ☐ Whitelist tester IP addresses in security tools (WAF, IPS, rate limiting), unless evaluating those controls is itself part of the scope
- ☐ Document current security controls in place
- ☐ Prepare VPN access if required
During the Engagement
- ☐ Maintain open communication with testing team
- ☐ Monitor for any service disruptions
- ☐ Record any critical findings the testers report immediately, who was notified, and what interim action was taken
- ☐ Be available for questions and clarifications
After the Engagement
- ☐ Schedule report delivery meeting
- ☐ Review findings with technical teams
- ☐ Create remediation plan with timelines
- ☐ Remove tester access, test accounts, VPN credentials, and whitelist entries
- ☐ Schedule retest for critical findings
Pro Tips
- Start preparation at least 2 weeks before the engagement
- Involve development and operations teams early
- Document any known issues to avoid wasting testing time
- Ensure stakeholders understand the testing timeline
