Vulnerability mapping is the act of recognizing the connection between a vulnerability and its associated target. The target can be a person, process, device, technology, physical (non-computer) object, etc. Having this mapping gives you a reference for choosing attack techniques and exploits. A vulnerability map is more comprehensive than the results of a single scan: it is a tactical document informed by all of your vulnerability scans. It can also contain non-technical information, such as phishing targets and points of weak physical security. You update it with newly discovered vulnerabilities and use it to plan your attacks. The vulnerability map can be a separate document or part of your larger tactical planning document.
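As an added example (not from the original text), a minimal vulnerability map kept as a Python structure: findings from several constructed scan results and a site walk are merged per target, a finding seen by more than one scan keeps a record of every scan that saw it, and targets are ranked by accumulated severity. The severity scale, scan names, targets and findings are all assumed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Finding:
    vuln_id: str                     # descriptive label or tracking id
    kind: str                        # "technical" or "non-technical"
    severity: int                    # assumed scale: 1 (low) .. 4 (critical)
    sources: set = field(default_factory=set)  # scans/observations that found it


class VulnerabilityMap:
    """target -> {vuln_id: Finding}; one document informed by every scan."""

    def __init__(self):
        self.targets = defaultdict(dict)

    def add(self, target, vuln_id, kind, severity, source):
        """Record a finding; a repeat of a known finding only adds its source."""
        finding = self.targets[target].get(vuln_id)
        if finding is None:
            finding = Finding(vuln_id, kind, severity)
            self.targets[target][vuln_id] = finding
        finding.severity = max(finding.severity, severity)  # keep the worst rating
        finding.sources.add(source)
        return finding

    def ingest_scan(self, scan_name, results):
        """Merge one scan's technical results into the map."""
        for r in results:
            self.add(r["target"], r["id"], "technical", r["severity"], scan_name)

    def prioritized_targets(self):
        """Targets ordered by total severity of their open findings (highest first)."""
        def score(item):
            return sum(f.severity for f in item[1].values())
        return [t for t, _ in sorted(self.targets.items(), key=score, reverse=True)]


# Constructed sample input: two scans a week apart plus non-technical observations.
SCAN_WEEK1 = [{"target": "10.0.0.5", "id": "SMBv1 enabled", "severity": 3},
              {"target": "10.0.0.7", "id": "outdated TLS", "severity": 2}]
SCAN_WEEK2 = [{"target": "10.0.0.5", "id": "SMBv1 enabled", "severity": 3},
              {"target": "10.0.0.5", "id": "default credentials", "severity": 4}]


def build_sample_map():
    vmap = VulnerabilityMap()
    vmap.ingest_scan("scan-week1", SCAN_WEEK1)
    vmap.ingest_scan("scan-week2", SCAN_WEEK2)
    vmap.add("front lobby", "unescorted visitor access", "non-technical", 3, "site walk")
    vmap.add("helpdesk staff", "susceptible to phishing pretext", "non-technical", 2, "OSINT")
    return vmap
```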

Activity Priorities

When pen testing, you want to give priority to activities that are most likely to achieve the client's requirements. Your day-to-day activities may have shifting priorities as investigations turn up promising leads or reach dead ends. Most pen tests are also time constrained, so you may have to shift priorities based on schedule and availability of targets or your own resources. When prioritizing activities, follow these best practices:

  • Manage your pen test team's resources so that you meet client requirements within the given time constraints. Give early priority to activities that need extra time or depend on opportunity, such as slow scans or social engineering.
  • Give priority to activities most likely to reveal new targets and attack vectors.
  • Consider strategically timing "quick wins" and compromises of "low-hanging fruit" for political benefit, for example when the client needs to see successes during status briefings.