Back to blog

    Pentest Checklist: what should you include in a Pentest engagement?

    Sectricity Security TeamJanuary 5, 2026

    Complete pentest checklist for companies. Learn what to include in a pentest engagement to test real risks and avoid critical blind spots.

    PentestChecklistHuman ValidationEthical HackingCybersecurity

    Ordering a pentest sounds straightforward. You select a provider, sign a proposal, and receive a report. In reality, many pentests underdeliver because the pentest engagement is poorly defined. The result is shallow findings, missed risks, and reports that look technical but add little value.

    This checklist helps companies properly define a pentest engagement. Not to “test something,” but to test what actually matters.

    Why a well-defined pentest engagement matters

    A pentest is not a commodity. Its value depends largely on:

    • what is tested,
    • how deep testers are allowed to go,
    • and what outcomes are expected.

    When the engagement is vague, the result is often:

    • overreliance on automated scans,
    • little or no testing of business logic or attack paths,
    • reports that are technically correct but useless for decision-making.

    This checklist helps prevent that.

    The complete pentest checklist

    1. Define the objective of the pentest

    Start with why, not with systems.

    Ask clearly:

    • What do we want to learn from this pentest?
    • Are we testing external exposure, internal risk, or both?
    • Do we want a list of vulnerabilities, or proof of real exploitability?

    Without a clear objective, you will test broadly but learn very little.

    2. Define the scope clearly

    Scope ambiguity is one of the most common mistakes.

    Explicitly document:

    • Domains, subdomains, IP ranges
    • Applications, APIs, cloud environments
    • Production, staging, or test environments
    • What is explicitly out of scope

    A sharp scope enables focus and depth.

    3. Choose the right type of pentest

    Do not default to “standard.”

    • Black box: no prior knowledge, external attacker perspective
    • Grey box: limited information or test accounts
    • White box: full documentation and architectural insight

    In modern applications and cloud environments, grey- and white-box pentests usually provide far more value than pure black-box testing.

    4. Provide realistic access and test accounts

    Testing without access is rarely realistic.

    Consider providing:

    • User accounts (customer, employee, privileged where relevant)
    • API keys or tokens
    • Test data with realistic permissions

    Many critical issues only appear after authentication.

    5. Define allowed depth and attack paths

    Make it explicit how far ethical hackers may go.

    Examples:

    • Is privilege escalation allowed?
    • May sensitive data be accessed or only demonstrated?
    • Is lateral movement allowed?
    • Are brute-force attempts or phishing simulations in scope?

    Without clear permission, testers often stay overly conservative.

    6. Share business context and attack scenarios

    This is where the difference between a scan and a real pentest becomes clear.

    Provide context such as:

    • Critical business processes (payments, orders, customer data)
    • Third-party integrations
    • Known concerns or past incidents

    Ethical hackers can only test business logic if they understand the business.

    7. Safeguards for stability and continuity

    A pentest should never cause production incidents.

    Define upfront:

    • Testing windows
    • Impact limits
    • Emergency contacts
    • Stop conditions

    This builds trust with IT and operations teams.

    8. Define reporting expectations

    Reporting is where most value is either created or lost.

    Require explicitly:

    • An executive summary in plain language
    • Clear impact per finding
    • Reproducible steps
    • Practical and prioritised remediation advice
    • A distinction between theoretical issues and proven exploitation

    A good report supports decisions, not debates.

    9. Retesting and follow-up

    A pentest without follow-up is incomplete.

    Clarify:

    • Whether fixes will be retested
    • Within which timeframe
    • How is remediation success validated

    This prevents risks from disappearing only on paper.

    10. Be explicit about tooling versus human testing

    Clearly state expectations around:

    • automated scanning,
    • versus manual testing by ethical hackers.

    Automation has value, but real risk often sits in context, chaining, and human reasoning. Make that explicit in the engagement.

    Common mistakes in pentest engagements

    • “Test everything” without priorities
    • No test accounts provided
    • Reporting requirements not defined
    • Expecting tools to replace ethical hackers
    • No business context shared

    Each of these significantly reduces the value of a pentest.

    Conclusion

    A strong pentest starts long before testing begins. Companies that clearly define what they want to test, why it matters, and how deep testers may go receive better insights, more relevant findings, and reports that actually drive improvement.

    Or put simply: a solid pentest checklist helps you find blind spots before attackers do.