1. Plan

A sound plan for your Penetration Test will help to keep you focused throughout the process.

Understand the client's scope

Understand why your client wants a Penetration test. Primarily, answer the popular 5 Ws and H (Who, What, Why, Where, When, and How). Understanding their motivation and requirements will help you identify the appropriate strategy, set realistic timelines, outline limitations, identify additionally needed information, and ultimately meet expectations.

Choose a strategy

Once you understand your client's requirements, you can choose an appropriate strategy. Typically, there are three (3 strategies :

White Box - The client shares a fair amount of private information to help you identify and understand your targets and the infrastructure. (e.g. version information, types of firewalls, IDS, IPS, target IPs, target domains, minimal infrastructure details, allow-list for Pentester IPs)

Grey Box - The client shares very limited private information about the targets (e.g. target IPs, target domains, minimal infrastructure details, allow-list for Pentester IPs).

Black Box - The client does not share any identifying details about targets and intends to simulate real-world stranger attacking the network (e.g. client would confirm targets after pentester reconnaissance but no allow-list for Pentester IPs).