Here are some guidelines you can follow when preparing for a pen test engagement.

  • Ensure that your team is well trained in the tasks they will undertake.
  • Make sure there is a clear chain of command with a clear communications path.
  • Train the team to consult their supervisor when confronted with an unexpected situation or decision.
  • Pair less experienced testers with more experienced ones unless it puts the activity at risk.
  • Ensure that the client's IT department (at least its managers) is aware of the test, and that they have verified backups and contingency plans to restore any system the test affects.
  • Train your team to stay within the scope of the engagement unless authorized to expand their investigation.
  • Train your team, on discovering signs of previous or ongoing malicious activity, to log the evidence, continue the engagement as planned, and escalate the finding for further instruction rather than investigating it on their own.
  • Ensure that the team fully documents every step it takes, collects as much supporting data as possible, and uploads that material to a central repository for analysis and for the final report.
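The scope and documentation guidelines above are easier to follow when the team has a tool that enforces them. The following is an added example, not part of the original guidelines: a small scope guard that a tester runs before touching a target. The scope file format (`+` for in-scope entries, `-` for exclusions, CIDR ranges or hostnames with a leading `*.` wildcard) and the sample rules of engagement are assumptions constructed for illustration; exclusions always win over in-scope entries, and every decision is appended to an audit log so that out-of-scope attempts are recorded rather than silently dropped.

```python
"""Scope guard for a pen test engagement (added example, not from the original guidelines).

Scope file format (assumed for this example):
  + 10.20.0.0/16          in-scope network or single address
  + *.app.example.com     in-scope hostname wildcard (matches subdomains only)
  - 10.20.5.0/24          explicit exclusion; exclusions always win
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample rules of engagement, as a client might hand them over.
SAMPLE_SCOPE = """
# in-scope targets
+ 10.20.0.0/16
+ 203.0.113.10
+ *.app.example.com
+ portal.example.com
# explicit exclusions (always win over in-scope entries)
- 10.20.5.0/24
- db01.app.example.com
"""


@dataclass
class Scope:
    in_nets: list = field(default_factory=list)
    ex_nets: list = field(default_factory=list)
    in_hosts: list = field(default_factory=list)
    ex_hosts: list = field(default_factory=list)


def parse_scope(text: str) -> Scope:
    """Parse the scope file; entries that are not valid IP networks are treated as hostnames."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sign, value = line[0], line[1:].strip()
        if sign not in "+-":
            raise ValueError(f"scope line must start with + or -: {raw!r}")
        try:
            net = ipaddress.ip_network(value, strict=False)  # a bare address becomes a /32 or /128
            (scope.in_nets if sign == "+" else scope.ex_nets).append(net)
        except ValueError:
            (scope.in_hosts if sign == "+" else scope.ex_hosts).append(value.lower())
    return scope


def _host_matches(host: str, patterns: list):
    """Return the matching pattern, or None. '*.x.y' matches 'a.x.y' but not 'x.y' itself."""
    for pat in patterns:
        if pat.startswith("*."):
            if host.endswith(pat[1:]):
                return pat
        elif host == pat:
            return pat
    return None


def check_target(scope: Scope, target: str):
    """Return (decision, reason); decision is 'allowed', 'excluded' or 'out-of-scope'."""
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        for net in scope.ex_nets:          # exclusions are checked first
            if addr in net:
                return "excluded", f"{addr} is inside excluded range {net}"
        for net in scope.in_nets:
            if addr in net:
                return "allowed", f"{addr} is inside {net}"
        return "out-of-scope", f"{addr} matches no in-scope range"
    hit = _host_matches(target, scope.ex_hosts)
    if hit:
        return "excluded", f"{target} matches excluded host entry {hit}"
    hit = _host_matches(target, scope.in_hosts)
    if hit:
        return "allowed", f"{target} matches in-scope host entry {hit}"
    return "out-of-scope", f"{target} matches no in-scope host entry"


AUDIT_LOG = []  # every decision is recorded, whether or not the target was allowed


def gate(scope: Scope, target: str, tester: str) -> bool:
    """Record the decision and return True only when the target may be tested."""
    decision, reason = check_target(scope, target)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "target": target,
        "decision": decision,
        "reason": reason,
    })
    return decision == "allowed"


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_SCOPE)
    for t in ["10.20.7.7", "10.20.5.7", "db01.app.example.com", "web.app.example.com", "198.51.100.1"]:
        print(t, "->", "GO" if gate(scope, t, "tester1") else "STOP", AUDIT_LOG[-1]["reason"])
```

The hostname check does not resolve names, so a host that is in scope by name but resolves to an address outside every in-scope range would still pass; a stricter version resolves the name and runs the address check as well, and the client should confirm which third-party or shared infrastructure sits behind in-scope names before testing starts.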