📖
Deliver Better Pentests

and make your customers feel it

Table of Contents

This is a draft and work in progress (last updated 11/23):

  • How this book can help you
  • Before the pentest: Be a guide
    • Target those who know they need
    • Be helpful by transparency
    • From lead generation to scoping
    • Scoping is the pentesters’ job
    • Scoping notes are mandatory
    • A simple PtA process
    • Guide your client through preparation
    • Kick-off: The final preparations
    • Announce the pentest
  • Interlude: About good communication
    • The curse of knowledge
    • Face to face creates relationships
    • Effective Emails
  • During the pentest
    • Two pentesters find thrice more
    • Status meeting: Present your findings
    • Report high risks immediately
    • Screenshot, collect notes, then report
    • A proven note taking structure
    • Communication Channels
    • Don’t put your target at risk
    • Time-box your organizational tasks
  • Your report is your business card
    • A quick intro to technical writing
    • Leave out the fluff
    • A good title contains the impact
    • Summarize the impact
    • Explain the vulnerability
    • About good screenshots
    • A vulnerability scoring system
    • Executive Summary: The first comes last
    • What a report must contain
    • TODO: Maybe more chapters on report writing (?)
  • After the pentest: Be a partner
    • Transmit your report securely
    • Include the retest in your calculation
    • Never refuse a final presentation
    • Responsible disclosure as a balancing act