1. Plan

A sound plan for your Penetration Test will help to keep you focused throughout the process.

Understand the client's scope

Understand why your client wants a Penetration test. Primarily, answer the popular 5 Ws and H (Who, What, Why, Where, When, and How). Understanding their motivation and requirements will help you identify the appropriate strategy, set realistic timelines, outline limitations, identify additionally needed information, and ultimately meet expectations.

Choose a strategy

Once you understand your client's requirements, you can choose an appropriate strategy. Typically, there are three (3 strategies :

White Box - The client shares a fair amount of private information to help you identify and understand your targets and the infrastructure. (e.g. version information, types of firewalls, IDS, IPS, client's IPs, client's domains, minimal infrastructure details, allow-list for Pentester IPs)

Grey Box - The client shares very limited private information about their network and systems (e.g. IPs, domains, minimal infrastructure details, allow-list for Pentester IPs).

Black Box - The client does not share any identifying details about their network and systems because they want you to simulate a real-world stranger attacking the network (e.g. client would confirm targets after your passive reconnaissance but no IDS/IPS exceptions for the IPs you'll be testing from).