When preparing background findings for next steps:

  • Clearly determine what "next steps" actually means for your pen test.
  • Analyze findings to determine how to weaponize them in future phases.
  • Consider findings within a bigger picture, not in a vacuum.
  • Discard irrelevant findings and focus on findings that are actionable and relevant.
  • Determine how public IP addresses map to resources like web servers that you can later target.
  • Consider how you may use public IP addresses as entry points into the private network.
  • Determine which subdomains may be worth targeting due to how they're named.
  • Leverage information from third-party sites to learn more about an organization and its people.
  • Consider how the information you gather about people can help shape your later testing.
  • Leverage information about people when conducting social engineering tests.
  • Use gathered technology information to identify potential vulnerabilities.
  • Consider that the presence of certain technology might imply the target organization relies on a specific vendor in other areas.
  • Record your findings and next steps in a document for easy reference.