| name | penetration-testing |
| description | Security testing and assessment methodologies. Use when conducting penetration tests, security assessments, or code reviews. |
| metadata | {"clawbot":{"emoji":"🔓"}} |
Penetration Testing
Testing Methodology
Reconnaissance → Scanning → Exploitation → Post-Exploitation → Reporting
Assessment Types
| Type | Scope | Knowledge | Duration |
|---|
| Black Box | External | No info | 1-2 weeks |
| Gray Box | Internal | Partial | 1-2 weeks |
| White Box | Full | Complete | 2-4 weeks |
| Red Team | Full org | Limited | 2-4 weeks |
OWASP Top 10 Testing Checklist
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable Components
7. Authentication Failures
8. Data Integrity Failures
9. Logging & Monitoring
10. SSRF
Pentest Report Template
## Penetration Test Report
### Executive Summary
- **Engagement**: [Type and scope]
- **Date**: [Testing period]
- **Overall Risk**: [Critical/High/Medium/Low]
- **Key Findings**: [Count by severity]
### Scope
- **In Scope**: [Systems, applications, networks]
- **Out of Scope**: [Exclusions]
- **Testing Approach**: [Methodology used]
### Findings Summary
| # | Finding | Severity | Status |
|---|---------|----------|--------|
| 1 | [Title] | Critical | Open |
### Detailed Findings
#### Finding 1: [Title]
- **Severity**: [Rating]
- **CVSS**: [Score]
- **Location**: [Affected component]
- **Description**: [Technical details]
- **Proof of Concept**: [Steps/screenshots]
- **Impact**: [Business impact]
- **Remediation**: [Recommended fix]
### Positive Observations
- [Security controls that worked well]
### Recommendations
- [Strategic security improvements]
Rules of Engagement
Before testing:
- Written authorization — Signed scope document
- Emergency contacts — Who to call if issues
- Testing windows — Agreed timeframes
- Notification — Who knows testing is happening
- Data handling — How to handle sensitive findings