Piyush Verma
Staff Technical Engagement Manager

Pre-Pentest Checklist Part 2: Essential Questions to Answer Before Your Next Pentest

Diving into pentest readiness, this comprehensive preparation guide is adaptable to different types of pentest, regardless of the target's size or complexity.

In Part 1 of our Pre-Pentest Checklist Series, we explored the foundational aspects of pentesting—focusing on the "what" and "why" to ensure your pentest not only meets compliance standards but also serves as a strategic asset in your security portfolio. In Part 2, we'll jump into the "when," "who," and "how," guiding you through a structured checklist, equipping you with the insights needed to initiate a pentest that's tailored to your organization's unique needs and security objectives. 

"When?"

  1. When do you expect the pentest to kick off and conclude?
  2. When do you need the final report?
  3. When is the best time for your team to be involved in the pentest process?

"Who?"

  1. Who should be informed about the pentest initiation, progress, and findings?
  2. Who will be the primary point of contact for the pentesting team?
  3. Who within your organization will be responsible for addressing the findings?

"How?"

  1. How will the vendor communicate with you before, during, and after the pentest?
  2. How will the pentesters access the in-scope assets?
  3. How will the final deliverables be shared with you?

"When?"

1. When do you expect the pentest to kick off and conclude?

Defined timelines are crucial to meeting deadlines, especially when a pentest is part of a broader risk management strategy and impacts subsequent projects.

2. When do you need the final report?

On a similar note to the previous question, it is critical to inform the vendor as soon as possible of any deadlines to meet for the final report. It is standard to share the final report within a week of the pentest’s conclusion.

3. When is the best time for your team to be involved in a pentest?

Pentests are time-bound; therefore, ensure that all key and relevant team members are available, have time to dedicate to the pentest, and can promptly respond to any questions before launch and during the pentest.

"Who?"

1. Who should be informed about the pentest?

Unless maintaining a low profile is a primary objective, as it is in a Red Team engagement, it is advisable to inform your organization's defenders about an upcoming penetration test. This will enable them to concentrate on actual threats rather than the traffic generated by an authorized penetration test.

Pentesting teams commonly share their testing IP addresses so that you can inform the appropriate individuals protecting your organization’s infrastructure, such as your Security Operations Centre (SOC) teams. This is expected, so feel free to ask the pentesting team for them.
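One way a SOC can use the shared testing IP addresses, shown as an added example that is not part of the original article: tag alerts as authorized test traffic only when the source, the time window and the target all match the engagement, and keep everything else in the normal queue. The address ranges, hostnames, dates and alert records below are constructed for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed engagement details (assumptions, not real vendor data).
PENTEST_SOURCES = [ip_network("203.0.113.0/28"), ip_network("2001:db8:51::/64")]
IN_SCOPE_HOSTS = {"app.example.test", "api.example.test"}
WINDOW_START = datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 6, 14, 18, 0, tzinfo=timezone.utc)

# Constructed alert records: (timestamp, source IP, target host, rule name).
SAMPLE_ALERTS = [
    ("2024-06-04T10:15:00+00:00", "203.0.113.5", "app.example.test", "sqli-probe"),
    ("2024-06-04T10:16:00+00:00", "198.51.100.77", "app.example.test", "sqli-probe"),
    ("2024-06-05T02:00:00+00:00", "203.0.113.9", "hr.example.test", "dir-bruteforce"),
    ("2024-06-20T09:00:00+00:00", "203.0.113.5", "api.example.test", "auth-spray"),
    ("2024-06-06T12:00:00+00:00", "2001:db8:51::10", "api.example.test", "xss-probe"),
]


def from_pentest_source(src):
    """True when the source address falls in a range the vendor declared."""
    addr = ip_address(src)
    return any(addr in net for net in PENTEST_SOURCES)


def classify(alert):
    """Tag an alert; only a full match on source, window and scope is benign."""
    ts, src, host, _rule = alert
    when = datetime.fromisoformat(ts)
    if not from_pentest_source(src):
        return "investigate"  # same rule, different origin: handle as a real threat
    if not (WINDOW_START <= when <= WINDOW_END):
        return "escalate: pentest IP outside window"
    if host not in IN_SCOPE_HOSTS:
        return "escalate: pentest IP out of scope"
    return "authorized-pentest"


def triage(alerts):
    return [classify(a) for a in alerts]


if __name__ == "__main__":
    for alert, verdict in zip(SAMPLE_ALERTS, triage(SAMPLE_ALERTS)):
        print(f"{verdict:40} {alert}")
```

Tagging rather than suppressing keeps the pentest traffic in the record, and the two escalation cases give the primary point of contact something concrete to raise with the pentesting team.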

2. Who will be the primary point of contact for the pentesting team?

Designating a person for this role can significantly improve the efficiency of the process and enhance collaboration throughout the pentest. 

Although it is preferable that this person be a Subject Matter Expert (SME) of the product or asset being tested, it is not mandatory. They will be responsible for addressing questions that the pentesters may have about the in-scope assets and how the different components interact. If they do not have the answers, they should know whom to contact within the organization to get them.

Furthermore, they can serve as a point of escalation for the pentesters in case a critical or high-severity vulnerability is discovered.

3. Who within your organization will be responsible for addressing the findings?

Identifying product owners and teams responsible for the asset being tested is crucial to address reported vulnerabilities during the pentest, especially the critical and high-severity ones requiring immediate attention.

"How?"

1. How will the vendor communicate with you before, during, and after the pentest?

Establishing open communication channels and promptly responding to any pentester questions is vital to a successful experience with your chosen pentest vendor.

This could be as simple and efficient as creating Slack channels for quick chat among members involved in the pentest. This is the most effective form of communication with a pentesting team and how we connect pentesting teams with customers at HackerOne. Slack communication can be both synchronous and asynchronous depending on availability, and it provides a documented timeline. Emails can be a slow means of communication while the pentest is ongoing, and phone calls are beholden to limitations of availability and scheduling.

2. How will the pentesters access the in-scope assets?

It is critical that the pentesters can hit the ground running on day 1 of the pentest; hence, validating that they can successfully access the in-scope assets is crucial.

  • Are the assets Internet-facing or internal-only?
  • Will the mobile apps be available in their respective stores? Alternatively, will they be available via TestFlight or as a .apk file?
  • Do the pentesters need a VPN to connect and access the assets?
  • Do you need to add their IP address to an allow-list on your perimeter devices?
  • Will they need credentials to test? How will these be provisioned?

3. How will the final deliverables be shared with you?

Now, let's be very careful about how this occurs. You do not want to receive an unprotected PDF over email as the final report.

Ensure that the report is securely shared with you. Vendors are known to share reports in these ways:

  • Hosting it on their trusted pentest platform, which you can access and download from.
  • Using a mutually agreed upon secure file-share platform.
  • Sending a password-protected PDF over email or other communication channels, with the password shared out-of-band.

Conclusion

While a pentest can be a valuable tool for identifying and addressing security vulnerabilities and ultimately reducing risk for the organization, it needs adequate preparation to avoid wasted resources and missed opportunities.

Being prepared with answers to the questions above can ensure a smooth and successful pentest experience for everyone involved.

HackerOne's Pentest as a Service (PTaaS) has revolutionized traditional pentesting by providing a comprehensive scoping form that guides you to launch pentests faster than ever, seamless communication between all parties involved, and comprehensive reporting with easy-to-follow remediation steps that helps you demonstrate compliance. Moreover, dedicated Technical Engagement Managers are available to assist you throughout the process.
