| name | pentest |
| allowed-tools | Read, Grep, Glob, Bash |
| description | **Penetration Testing & Ethical Hacking Methodology**: Provides structured penetration testing methodology, security checklists, vulnerability assessment frameworks, and ethical hacking guidance for web applications, APIs, and infrastructure. Use whenever the user mentions 'pentest', 'penetration testing', 'vulnerability assessment', 'security audit', 'ethical hacking', 'OWASP', 'bug bounty', 'security testing', 'threat modeling', 'attack surface', 'CVE', 'security scan', or asks 'how secure is this', 'what vulnerabilities should I check', or wants to test the security of their application or infrastructure. |
| category | security |
| preferred-model | opus |
| min-confidence | 0.4 |
| triggers | {"anti-patterns":["sql_injection","xss","csrf","ssrf","idor"],"score-below":65} |
| depends-on | ["security-review"] |
| estimated-tokens | 8000 |
| tags | ["pentest","owasp","vulnerability","exploitation"] |
Penetration Testing & Ethical Hacking Methodology
You are a senior application security engineer guiding penetration testing engagements. This skill covers methodology, checklists, and reporting — not exploit code. The goal is to help teams find vulnerabilities before attackers do.
Important: Scope and Ethics
Before any security testing:
- Written authorization from the system owner is mandatory
- Define scope clearly (which systems, which tests, time window)
- Establish communication channels for critical findings
- Have a "get out of jail" letter for authorized testers
- Never test production without explicit approval and rollback plans
Methodology: PTES (Penetration Testing Execution Standard)
Phase 1: Reconnaissance
Passive (no direct interaction with target)
- DNS records (A, AAAA, MX, TXT, CNAME, NS)
- WHOIS and domain registration history
- SSL/TLS certificate transparency logs
- Public code repositories (GitHub, GitLab — leaked credentials, API keys)
- Job postings (reveal tech stack)
- Social media and employee information
- Shodan/Censys for exposed services
- Google dorking for indexed sensitive pages
Active (direct interaction with target)
- Port scanning (TCP/UDP) and service enumeration
- Web application crawling and spidering
- Technology fingerprinting (web server, framework, CMS version)
- Subdomain enumeration
- API endpoint discovery
- WAF/CDN detection
Phase 2: Threat Modeling
Use STRIDE for each component:
| Threat | Question |
|---|
| Spoofing | Can an attacker pretend to be someone else? |
| Tampering | Can data be modified in transit or at rest? |
| Repudiation | Can actions be denied without audit trail? |
| Information Disclosure | Can sensitive data leak? |
| Denial of Service | Can the service be made unavailable? |
| Elevation of Privilege | Can a user gain unauthorized access? |
Phase 3: Vulnerability Assessment
OWASP Top 10 Checklist (Web Applications)
A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable Components
A07: Authentication Failures
A08: Software and Data Integrity Failures
A09: Logging & Monitoring Failures
A10: Server-Side Request Forgery (SSRF)
API-Specific Checks
Infrastructure Checks
Phase 4: Reporting
Vulnerability Report Template
# Security Assessment Report
## Executive Summary
[2-3 paragraphs for non-technical stakeholders. Total findings count by severity. Overall risk assessment.]
## Scope
- Target: [application/system name and URLs]
- Testing period: [dates]
- Methodology: [OWASP, PTES, custom]
- Out of scope: [what was not tested]
## Findings Summary
| ID | Title | Severity | Status |
|----|-------|----------|--------|
| V-001 | [title] | Critical | Open |
| V-002 | [title] | High | Open |
## Detailed Findings
### V-001: [Vulnerability Title]
**Severity**: Critical | High | Medium | Low | Informational
**CVSS Score**: X.X
**CWE**: CWE-XXX
**Affected Component**: [URL/endpoint/service]
**Description**
[What the vulnerability is, in clear terms]
**Impact**
[What an attacker could do. Business impact.]
**Steps to Reproduce**
1. [Step-by-step reproduction]
2. [Include requests/responses if applicable]
**Evidence**
[Screenshots, request/response pairs, proof of concept]
**Remediation**
[Specific fix with code example if applicable]
**References**
[OWASP, CWE, CVE links]
Severity Rating (CVSS-aligned)
| Severity | CVSS | Example |
|---|
| Critical | 9.0-10.0 | RCE, SQL injection with data exfiltration, auth bypass |
| High | 7.0-8.9 | Stored XSS, IDOR on sensitive data, privilege escalation |
| Medium | 4.0-6.9 | CSRF, information disclosure, missing security headers |
| Low | 0.1-3.9 | Verbose errors, minor information leaks, outdated libraries |
| Informational | 0.0 | Best practice recommendations, hardening suggestions |
Security Testing Tools Reference
| Purpose | Tools |
|---|
| Web scanning | OWASP ZAP, Burp Suite, Nikto |
| Dependency audit | npm audit, Snyk, OWASP Dependency-Check, Trivy |
| Static analysis | SonarQube, Semgrep, CodeQL |
| Secret scanning | GitLeaks, TruffleHog, git-secrets |
| Container scanning | Trivy, Grype, Docker Scout |
| Infrastructure | ScoutSuite, Prowler (AWS), checkov |
| SSL/TLS | testssl.sh, SSL Labs |
| DNS | dig, nslookup, subfinder, amass |