This repository has been archived by the owner on Sep 8, 2021. It is now read-only.
Regulatory compliance considerations
Payment Card Industry Data Security Standard (PCI DSS)
General Data Protection Regulation (GDPR)
Location restrictions
Country limitations
Tool restrictions
Local laws
Local government requirements
Privacy requirements
Legal concepts
Service-level agreement (SLA)
Confidentiality
Statement of work
Non-disclosure agreement (NDA)
Master service agreement
Permission to attack
Standards and methodologies
MITRE ATT&CK
Open Web Application Security Project (OWASP)
National Institute of Standards and Technology (NIST)
Open-source Security Testing Methodology Manual (OSSTMM)
Penetration Testing Execution Standard (PTES)
Information Systems Security Assessment Framework (ISSAF)
Rules of engagement
Time of day
Types of allowed/disallowed tests
Other restrictions
Environmental considerations
Network
Application
Cloud
Target list/in-scope assets
Wireless networks
Internet Protocol (IP) ranges
Domains
Application programming interfaces (APIs)
Physical locations
Domain name system (DNS)
External vs. internal targets
First-party vs. third-party hosted
Validate scope of engagement
Question the client/review contracts
Time management
Strategy
Unknown-environment vs. known-environment testing
Background checks of penetration testing team
Adhere to specific scope of engagement
Identify criminal activity
Immediately report breaches/criminal activity
Limit the use of tools to a particular engagement
Limit invasiveness based on scope
Maintain confidentiality of data/information
Risks to the professional
Fees/fines
Criminal charges