Table of Contents
This is a draft and Work in Progress (last updated 11/23):
- How this book can help you
- Before the pentest: Be a guide
- Target those who know they need
- Be helpful by transparency
- From lead generation to scoping
- Scoping is the pentesters’ job
- Scoping notes are mandatory
- A simple PtA process
- Guide your client through preparation
- Kick-off: The final preparations
- Announce the pentest
- Interlude: About good communication
- The curse of knowledge
- Face to face creates relationships
- Effective Emails
- During the pentest
- Two pentesters find thrice more
- Status meeting: Present your findings
- Report high risks immediately
- Screenshot, collect notes, then report
- A proven note-taking structure
- Communication Channels
- Don’t put your target at risk
- Time-box your organizational tasks
- Your report is your business card
- A quick intro to technical writing
- Leave out the fluff
- A good title contains the impact
- Summarize the impact
- Explain the vulnerability
- About good screenshots
- A vulnerability scoring system
- Executive Summary: The first comes last
- What a report must contain
- TODO: Maybe more chapters on report writing (?)
- After the pentest: Be a partner
- Transmit your report securely
- Include the retest in your calculation
- Never refuse a final presentation
- Responsible disclosure as a balancing act