As with other types of projects, a penetration test should be carefully managed. This includes sequencing tasks and assigning resources so that the schedule and objectives set out in the statement of work (SOW) are met. Penetration testing, however, is more fluid and dynamic than most projects: the direction of the investigation evolves as findings come in, so the team needs to stay flexible and respond to changing conditions. Follow these best practices when assigning and sequencing activities in a penetration test:

  • Start with initial task sequencing based on these common pen test stages:
  1. Passive reconnaissance
  2. Active reconnaissance
  3. Vulnerability assessment
  4. Penetration
  5. Exploitation
  6. Post exploitation
  • Fit in non-technical tests such as social engineering and physical attacks at the earliest opportune moments, since they depend on circumstances the team does not control (staff availability, site access, timing).
  • Whenever possible, "front load" the test by scheduling as many assignments as early as possible, leaving slack at the end for the unforeseen.
  • Give extra time to activities that are opportunity dependent (such as social engineering and physical attacks) or evasion-oriented (such as deliberately slow, low-profile vulnerability scans intended to avoid triggering detection), because their duration cannot be predicted as accurately as that of routine scanning.
  • Be prepared for findings to spawn new investigations.
  • Ensure that all investigations are driven by the requirements.
  • If you are training new pen testers, pair less experienced team members with more experienced testers unless that pairing might endanger the mission of a particular activity.
  • If a team member uncovers a serious problem that is outside the scope of the pen test, document it, present the finding to the client, and ask the client how they want to proceed. Do not expand the scope of the investigation unless the SOW, or a formal amendment to it, permits it.
  • When you have your initial assignments and sequencing ready, call a tactical meeting to outline the plan to the team. In some cases, an experienced team might self-organize, and collaboratively determine sequencing and task allocation.