Penetration Testing · Preparation Kit

Penetration Testing Readiness

Penetration testing preparation materials, from scope definition, rules of engagement, to remediation verification. Required in ISO 27001 (A.8.8), SOC 2 (CC7.1), PCI-DSS (Req 11), HIPAA Security Rule.

Get pTrackly support →

1. Scope & Objectives

  • Define scope: IP ranges, domains, applications in test scope
  • Out of scope: systems not to be tested (customer data stores, third-party services)
  • Test objectives: external pentest, internal pentest, web app pentest, API pentest, cloud pentest
  • Test type: black-box (no knowledge) vs gray-box (partial) vs white-box (full access)

2. Rules of Engagement (RoE)

  • Testing window: when to test (business hours? after hours? weekends?)
  • Authorized testers: list of pentest team IP addresses
  • Contact list: who gets notified in emergency (system down, data exposure)
  • Escalation path: if critical finding, report immediately or wait until end?
  • Social engineering scope: is phishing employees allowed?

3. Select Pentest Provider

  • Certifications: OSCP, GPEN, CREST, CEH (team must have at least 1 cert)
  • Experience: worked with similar industry? (healthtech, fintech, SaaS)
  • Methodology: OWASP Testing Guide, PTES, NIST SP 800-115
  • Report quality: request sample report before signing contract
  • Compliance familiarity: does provider understand ISO 27001 / SOC 2 / PCI-DSS requirements?

4. Pentest Execution

  • Kick-off call: confirm scope, RoE, contact list
  • Testing duration: typically 1-3 weeks depending on scope
  • Daily standups (optional): if you want to track progress real-time
  • Mid-test check-in: any critical findings needing immediate attention?

5. Report & Remediation

  • Pentest report: executive summary, findings with CVSS score, exploit steps, recommendations
  • Finding prioritization: critical → high → medium → low
  • Remediation plan: who handles which finding, deadline
  • Retest: after fixes, request retest to verify (usually included in contract)
  • Attestation letter: some auditors require pentest attestation letter

6. Frequency & Compliance Requirements

  • ISO 27001: periodic penetration testing (not specified, typically annually)
  • SOC 2: annual pentest recommended, requirement depends on TSC scope
  • PCI-DSS: annual external pentest + after any significant change (mandatory)
  • HIPAA: not mandatory but highly recommended (consider as addressable)

pTrackly helps you implement Penetration Testing faster with ready-made templates and automated evidence collection.

Get Free Demo

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo