Skip to main content This skill should be used when the user asks to "plan a penetration test", "create a security assessment checklist", "prepare for penetration testing", "define pentest scope", "follow security testing best practices", or needs a structured methodology for penetration testing engagements.
npx skills add sickn33/antigravity-awesome-skills --skill "Pentest Checklist" agentic-skills ai-agents antigravity claude-code mcp ai-workflows
AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.
Pentest Checklist
Purpose
Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.
Inputs/Prerequisites
Clear business objectives for testing
Target environment information
Budget and timeline constraints
Stakeholder contacts and authorization
Legal agreements and scope documents
Outputs/Deliverables
Defined pentest scope and objectives
Prepared testing environment
Security monitoring data
Vulnerability findings report
Remediation plan and verification
Core Workflow
Phase 1: Scope Definition
Define Objectives
Reference Questions:
Why are you doing this pentest?
What specific outcomes do you expect?
What will you do with the findings?
Know Your Test Types Type Purpose Scope External Pentest Assess external attack surface Public-facing systems Internal Pentest Assess insider threat risk Internal network Web Application Find application vulnerabilities Specific applications Social Engineering Test human security Employees, processes Red Team Full adversary simulation Entire organization
Enumerate Likely Threats
Define Scope
Budget Planning Factor Consideration Asset Value Higher value = higher investment Complexity More systems = more time Depth Required Thorough testing costs more Reputation Value Brand-name firms cost more
Cheap pentests often produce poor results
Align budget with asset criticality
Consider ongoing vs. one-time testing
Phase 2: Environment Preparation
Prepare Test Environment Production - Realistic but risky
Staging - Safer but may differ from production
Clone - Ideal but resource-intensive
Run Preliminary Scans # Network vulnerability scan
nmap -sV --script vuln TARGET
# Web vulnerability scan
nikto -h http://TARGET
Review Security Policy
Notify Hosting Provider
Freeze Developments
Phase 3: Expertise Selection
Find Qualified Pentesters Factor Questions to Ask Experience Years in field, similar projects Methodology OWASP, PTES, custom approach Reporting Sample reports, detail level Communication Availability, update frequency
Define Methodology Type Access Level Simulates Black Box No information External attacker Gray Box Partial access Insider with limited access White Box Full access Insider/detailed audit
Define Report Format
Executive summary for management
Technical findings with evidence
Risk ratings and prioritization
Remediation recommendations
Retesting guidance
Phase 4: Monitoring
Implement Security Monitoring # Check security logs
tail -f /var/log/auth.log
tail -f /var/log/apache2/access.log
# Monitor network
tcpdump -i eth0 -w capture.pcap
Configure Logging
Authentication events
Application errors
Network connections
File access
System changes
Monitor Exception Tools
Watch Security Tools
Phase 5: Remediation
Ensure Backups
Reserve Remediation Time
Patch During Testing Policy
Cleanup Procedure
Schedule Next Pentest Testing Frequency Factors:
Release frequency
Regulatory requirements
Risk tolerance
Past findings severity
Quick Reference
Pre-Pentest Checklist □ Scope defined and documented
□ Authorization obtained
□ Environment prepared
□ Hosting provider notified
□ Team briefed
□ Monitoring enabled
□ Backups verified
Post-Pentest Checklist □ Report received and reviewed
□ Findings prioritized
□ Remediation assigned
□ Fixes implemented
□ Verification testing scheduled
□ Environment cleaned up
□ Next test scheduled
Constraints
Production testing carries inherent risks
Budget limitations affect thoroughness
Time constraints may limit coverage
Tester expertise varies significantly
Findings become stale quickly
Examples
Example 1: Quick Scope Definition **Target:** Corporate web application (app.company.com)
**Type:** Gray box web application pentest
**Duration:** 5 business days
**Excluded:** DoS testing, production database access
**Access:** Standard user account provided
Example 2: Monitoring Setup # Enable comprehensive logging
sudo systemctl restart rsyslog
sudo systemctl restart auditd
# Start packet capture
tcpdump -i eth0 -w /tmp/pentest_capture.pcap &
Troubleshooting Issue Solution Scope creep Document and require change approval Testing impacts production Schedule off-hours, use staging Findings disputed Provide detailed evidence, retest Remediation delayed Prioritize by risk, set deadlines Budget exceeded Define clear scope, fixed-price contracts
When to Use This skill is applicable to execute the workflow or actions described in the overview.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).