Penetration Testing SOP

Standard Operating Procedure for security penetration testing engagements

Service Pillar: Protect
Service Category: Security Assessment
Target Duration: 1-3 weeks
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct authorized penetration testing to identify exploitable vulnerabilities in networks, applications, and systems, providing evidence-based remediation recommendations.

Target Personas

| Persona | Primary Pain Point | Value Case |
|---------|--------------------|------------|
| CTO/VP Engineering | Security posture validation, customer requirements | Prove security to customers |
| Managing Partner (Legal) | Client data protection, liability reduction | Demonstrate due diligence |
| Healthcare Admin | HIPAA technical safeguards validation | Technical control verification |

Business Justification

| Metric | Value | Source |
|--------|-------|--------|
| Average breach cost | $4.88 million | IBM Cost of a Data Breach 2024 |
| Vulnerabilities found per pentest (average) | 15-30 findings | SBK client data |
| Critical vulnerabilities per assessment | 3-5 typical | Industry analysis |
| Cost of breach vs pentest | 100:1 ratio | Ponemon Institute |
| Organizations requiring annual pentests | 70%+ (SOC 2, PCI, HIPAA) | Compliance requirements |

Pricing Reference

| Type | Scope | Price Range | Duration |
|------|-------|-------------|----------|
| External Network | Internet-facing infrastructure | $8,000-$15,000 | 1 week |
| Internal Network | Internal network and systems | $12,000-$25,000 | 1-2 weeks |
| Web Application | Single application | $10,000-$20,000 | 1-2 weeks |
| Mobile Application | iOS/Android app | $12,000-$22,000 | 1-2 weeks |
| Comprehensive | External + Internal + Web | $25,000-$50,000 | 2-3 weeks |

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Written authorization obtained
  • Scope boundaries defined
  • Testing window confirmed
  • Emergency contacts established
  • Third-party notifications (cloud providers, hosting)
  • Legal review completed (if required)
  • Insurance verification (E&O, cyber liability)

Authorization Requirements

Required Documentation:

| Document | Purpose | Template Available |
|----------|---------|--------------------|
| Statement of Work | Defines scope, timeline, deliverables | Yes |
| Rules of Engagement | Permitted techniques, boundaries | Yes |
| Authorization Letter | Legal permission to test | Yes |
| Emergency Contact Sheet | Escalation during testing | Yes |

Scope Definition

| Scope Element | Details to Capture |
|---------------|--------------------|
| IP Ranges | In-scope and out-of-scope IPs |
| Domains | Target domains and subdomains |
| Applications | Specific URLs, functionality |
| Credentials | Authenticated testing accounts (if applicable) |
| Timing | Testing hours, blackout periods |
| Exclusions | Systems, techniques, or actions prohibited |

Testing Methodology

Engagement Types

| Type | Approach | Information Provided |
|------|----------|----------------------|
| Black Box | No prior knowledge | Target IPs/domains only |
| Gray Box | Partial knowledge | Architecture, some credentials |
| White Box | Full knowledge | Source code, full documentation |

Testing Standards

SBK pentests align with industry-recognized methodologies:

| Standard | Application |
|----------|-------------|
| PTES | Penetration Testing Execution Standard; overall framework |
| OWASP Testing Guide | Web application testing |
| OWASP MASTG | Mobile application testing |
| NIST SP 800-115 | Technical guide for information security testing |

Testing Process

Phase 1: Reconnaissance (Day 1-2)

Objective: Gather information about the target environment

Passive Reconnaissance

| Technique | Tools | Information Gathered |
|-----------|-------|----------------------|
| DNS enumeration | dig, dnsdumpster, sublist3r | Subdomains, mail servers, DNS records |
| OSINT | theHarvester, Maltego, LinkedIn | Email addresses, employee names, tech stack |
| Certificate transparency | crt.sh, certspotter | Subdomains, certificate details |
| Archive research | Wayback Machine, Google dorks | Historical information, leaked data |

Active Reconnaissance

| Technique | Tools | Information Gathered |
|-----------|-------|----------------------|
| Port scanning | Nmap, masscan | Open ports, services, versions |
| Service enumeration | Nmap scripts, banner grabbing | Detailed service information |
| Web technology | Wappalyzer, WhatWeb, Builtwith | Frameworks, libraries, CMS |

Phase 2: Vulnerability Assessment (Day 2-4)

Objective: Identify potential vulnerabilities

| Assessment Type | Approach | Tools |
|-----------------|----------|-------|
| Automated scanning | Vulnerability scanners | Nessus, Qualys, OpenVAS |
| Manual verification | Confirm scanner findings | Manual testing |
| Configuration review | Security misconfigurations | Custom scripts, manual |
| Web application | OWASP Top 10 assessment | Burp Suite, ZAP, sqlmap |

Phase 3: Exploitation (Day 4-8)

Objective: Attempt to exploit identified vulnerabilities

Exploitation Guidelines:

  • Only exploit vulnerabilities within scope
  • Document all exploitation attempts
  • Avoid data modification unless authorized
  • Stop and notify client if sensitive data accessed
  • Maintain detailed logs of all activities

Common Attack Vectors

| Category | Techniques | MITRE ATT&CK Reference |
|----------|------------|------------------------|
| Initial Access | Phishing (if authorized), public exploits, default credentials | T1566, T1190, T1078 |
| Execution | Command injection, code execution | T1059, T1203 |
| Privilege Escalation | Misconfigurations, kernel exploits, credential theft | T1068, T1548 |
| Lateral Movement | Pass-the-hash, RDP, SMB | T1550, T1021 |
| Data Access | Database access, file extraction | T1005, T1039 |

Phase 4: Post-Exploitation (Day 6-9)

Objective: Demonstrate impact and identify additional risks

| Activity | Purpose |
|----------|---------|
| Privilege escalation | Demonstrate full system compromise potential |
| Lateral movement | Identify additional accessible systems |
| Data access assessment | Identify accessible sensitive data |
| Persistence (simulated) | Demonstrate attacker persistence capability |
| Evidence collection | Gather proof of access for reporting |

Phase 5: Reporting (Day 8-12)

Objective: Document findings and remediation recommendations


Deliverables

Penetration Test Report

Structure:

  1. Executive Summary (2-3 pages)
     • Scope and objectives
     • Testing methodology
     • Key findings summary
     • Risk rating overview
     • Priority recommendations

  2. Technical Findings (varies)
     • Finding ID and title
     • Severity rating
     • Affected systems
     • Description
     • Proof of concept
     • Business impact
     • Remediation recommendation
     • References (CVE, CWE)

  3. Attack Narrative (2-4 pages)
     • Step-by-step compromise path
     • Screenshots and evidence
     • Business impact demonstration

  4. Remediation Roadmap
     • Prioritized action items
     • Quick wins identified
     • Timeline recommendations

  5. Appendices
     • Full vulnerability list
     • Tool output
     • Testing logs (sanitized)

Severity Classification

| Severity | Definition | CVSS Range | Remediation Timeline |
|----------|------------|------------|----------------------|
| Critical | Immediate compromise, RCE, data breach | 9.0-10.0 | 7 days |
| High | Significant compromise potential | 7.0-8.9 | 30 days |
| Medium | Moderate risk, requires chaining | 4.0-6.9 | 60 days |
| Low | Minimal impact, informational | 0.1-3.9 | 90 days |
| Informational | Best practice, hardening | N/A | As resources allow |

Quality Assurance

Internal Review Checklist

  • All scope elements tested
  • Findings have proof of concept
  • Severity ratings consistent with CVSS
  • Remediation recommendations actionable
  • Executive summary non-technical
  • No sensitive data in report
  • Attack narrative clear

Testing Quality Standards

| Metric | Requirement |
|--------|-------------|
| False positive rate | <5% |
| Coverage | 100% of in-scope targets |
| Documentation | All activities logged |
| Verification | Critical/High findings manually verified |
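The coverage requirement above (100% of in-scope targets) and the "Never test out-of-scope systems" boundary can both be checked mechanically against the activity log the SOP requires. The following is an added example, not SBK's own tooling: it takes a constructed scope definition (IP ranges, exclusions, testing hours, blackout dates, all hypothetical values in the TEST-NET-3 documentation range) and a constructed activity log, then reports boundary violations and the share of in-scope hosts actually tested.

```python
import ipaddress
from datetime import datetime, time

# Constructed scope definition for a hypothetical client (not from the SOP).
# Addresses are from the TEST-NET-3 documentation range.
SCOPE = {
    "in_scope": ["203.0.113.0/28"],              # Internet-facing /28
    "out_of_scope": ["203.0.113.14/32"],         # host excluded by the client
    "testing_hours": (time(8, 0), time(18, 0)),  # permitted window, client local time
    "blackout_dates": {"2026-02-14"},            # change-freeze day
}

# Constructed activity log: (timestamp, target, activity), as a tester would keep it.
ACTIVITY_LOG = [
    ("2026-02-12 09:15", "203.0.113.2", "nmap service scan"),
    ("2026-02-12 10:40", "203.0.113.3", "nmap service scan"),
    ("2026-02-13 19:30", "203.0.113.3", "web application test"),  # after hours
    ("2026-02-14 11:00", "203.0.113.5", "nmap service scan"),     # blackout date
    ("2026-02-16 14:00", "203.0.113.14", "banner grab"),          # excluded host
]

def audit_activity_log(scope, log):
    """Check the log against scope boundaries and report coverage of in-scope hosts."""
    in_nets = [ipaddress.ip_network(n) for n in scope["in_scope"]]
    out_nets = [ipaddress.ip_network(n) for n in scope["out_of_scope"]]
    start, end = scope["testing_hours"]
    # Every in-scope host that is not explicitly excluded must appear in the log.
    expected = {str(h) for net in in_nets for h in net.hosts()
                if not any(h in o for o in out_nets)}
    tested, violations = set(), []
    for ts, target, _activity in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        ip = ipaddress.ip_address(target)
        if any(ip in o for o in out_nets) or not any(ip in n for n in in_nets):
            violations.append((ts, target, "out-of-scope target"))
            continue  # an excluded host never counts toward coverage
        if ts[:10] in scope["blackout_dates"]:
            violations.append((ts, target, "blackout period"))
        elif not (start <= when.time() <= end):
            violations.append((ts, target, "outside testing window"))
        tested.add(target)
    untested = sorted(expected - tested, key=ipaddress.ip_address)
    coverage = round(100 * len(expected & tested) / len(expected), 1) if expected else 100.0
    return {"violations": violations, "untested": untested, "coverage_pct": coverage}

if __name__ == "__main__":
    print(audit_activity_log(SCOPE, ACTIVITY_LOG))
```

Run it against the real log before the internal review; any non-empty `untested` list or `violations` entry is a finding against the engagement itself, not the client.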

Safety Protocols

Testing Boundaries

| Always | Never |
|--------|-------|
| Work within defined scope | Test out-of-scope systems |
| Notify before high-risk actions | Perform denial of service attacks |
| Stop if production impacted | Modify or delete production data |
| Use encrypted channels | Access client data beyond PoC |
| Document all activities | Share findings with unauthorized parties |

Emergency Procedures

| Scenario | Action |
|----------|--------|
| Production impact detected | Stop testing immediately, notify client |
| Sensitive data discovered | Document, do not access further, notify client |
| Active threat detected | Notify client immediately, preserve evidence |
| Testing detected by security tools | Notify client, confirm expected |

Post-Delivery

Remediation Verification

| Service | Scope | Investment |
|---------|-------|------------|
| Retest | Verify critical/high findings fixed | $2,000-$5,000 |
| Full Retest | Complete retest after remediation | 50% of original engagement |

Follow-Up Cadence

| Touchpoint | Timing | Purpose |
|------------|--------|---------|
| Report walkthrough | Within 1 week | Ensure understanding |
| 30-day check-in | 30 days | Critical finding status |
| 90-day follow-up | 90 days | Remediation progress |
| Annual engagement | 12 months | Annual pentest |

| Service | Connection | SOP Reference |
|---------|------------|---------------|
| Vulnerability Management | Ongoing vulnerability scanning | vulnerability-management-sop.md |
| Risk Assessment | Risk context for findings | risk-assessment-sop.md |
| Incident Response | If active threat discovered | incident-response-sop.md |
| vCISO | Ongoing security oversight | vcto-vciso-engagement-sop.md |

Evidence Base

Why This Approach Works

| Principle | Evidence | Source |
|-----------|----------|--------|
| Manual testing essential | 30-40% of critical findings missed by automated tools | Industry analysis |
| Realistic attack simulation | Validates security investments | PTES |
| Business context | Prioritization based on actual impact | NIST guidance |
| Remediation focus | Actionable findings enable improvement | SBK client outcomes |

SBK Success Metrics

| Metric | Target | Measurement |
|--------|--------|-------------|
| Finding accuracy | >95% verified | Retest validation |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| Remediation rate | 80%+ critical/high | 90-day follow-up |
| Repeat engagement rate | 60%+ | Annual return |

Regulatory References


Last Updated: February 2026
Version: 1.0