Penetration Testing · Preparation Kit
Penetration Testing Readiness
Penetration testing preparation materials, from scope definition, rules of engagement, to remediation verification. Required in ISO 27001 (A.8.8), SOC 2 (CC7.1), PCI-DSS (Req 11), HIPAA Security Rule.
Get pTrackly support →1. Scope & Objectives
- □ Define scope: IP ranges, domains, applications in test scope
- □ Out of scope: systems not to be tested (customer data stores, third-party services)
- □ Test objectives: external pentest, internal pentest, web app pentest, API pentest, cloud pentest
- □ Test type: black-box (no knowledge) vs gray-box (partial) vs white-box (full access)
2. Rules of Engagement (RoE)
- □ Testing window: when to test (business hours? after hours? weekends?)
- □ Authorized testers: list of pentest team IP addresses
- □ Contact list: who gets notified in emergency (system down, data exposure)
- □ Escalation path: if critical finding, report immediately or wait until end?
- □ Social engineering scope: is phishing employees allowed?
3. Select Pentest Provider
- □ Certifications: OSCP, GPEN, CREST, CEH (team must have at least 1 cert)
- □ Experience: worked with similar industry? (healthtech, fintech, SaaS)
- □ Methodology: OWASP Testing Guide, PTES, NIST SP 800-115
- □ Report quality: request sample report before signing contract
- □ Compliance familiarity: does provider understand ISO 27001 / SOC 2 / PCI-DSS requirements?
4. Pentest Execution
- □ Kick-off call: confirm scope, RoE, contact list
- □ Testing duration: typically 1-3 weeks depending on scope
- □ Daily standups (optional): if you want to track progress real-time
- □ Mid-test check-in: any critical findings needing immediate attention?
5. Report & Remediation
- □ Pentest report: executive summary, findings with CVSS score, exploit steps, recommendations
- □ Finding prioritization: critical → high → medium → low
- □ Remediation plan: who handles which finding, deadline
- □ Retest: after fixes, request retest to verify (usually included in contract)
- □ Attestation letter: some auditors require pentest attestation letter
6. Frequency & Compliance Requirements
- □ ISO 27001: periodic penetration testing (not specified, typically annually)
- □ SOC 2: annual pentest recommended, requirement depends on TSC scope
- □ PCI-DSS: annual external pentest + after any significant change (mandatory)
- □ HIPAA: not mandatory but highly recommended (consider as addressable)
pTrackly helps you implement Penetration Testing faster with ready-made templates and automated evidence collection.
Get Free DemoReady to get audit-ready?
Book a 15-minute call. See the platform. Decide if it fits.
Book Free Demo 15 min, no commitment No credit card required Setup in 24 hours Cancel anytime