Pentest Checklist
Pentest Checklist is an code AI skill with a core value of This skill should be used when the user asks to \"plan a penetration test\", \"create a security assessment checklist\", \"prepare for penetration testing\", \"define pentest scope\", \"foll. It
helps developers solve real-world problems in the code domain, boosting
efficiency, automating repetitive tasks, and optimizing workflows.
This skill should be used when the user asks to \"plan a penetration test\", \"create a security assessment checklist\", \"prepare for penetration testing\", \"define pentest scope\", \"foll...
Quick Facts
mkdir -p ./skills/pentest-checklist && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/pentest-checklist/SKILL.md -o ./skills/pentest-checklist/SKILL.md Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).
Skill Content
# Pentest Checklist
Purpose
Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.
Inputs/Prerequisites
- Clear business objectives for testing
- Target environment information
- Budget and timeline constraints
- Stakeholder contacts and authorization
- Legal agreements and scope documents
Outputs/Deliverables
- Defined pentest scope and objectives
- Prepared testing environment
- Security monitoring data
- Vulnerability findings report
- Remediation plan and verification
Core Workflow
Phase 1: Scope Definition
#### Define Objectives
- [ ] **Clarify testing purpose** - Determine goals (find vulnerabilities, compliance, customer assurance)
- [ ] **Validate pentest necessity** - Ensure penetration test is the right solution
- [ ] **Align outcomes with objectives** - Define success criteria
**Reference Questions:**
- Why are you doing this pentest?
- What specific outcomes do you expect?
- What will you do with the findings?
#### Know Your Test Types
| Type | Purpose | Scope |
|------|---------|-------|
| External Pentest | Assess external attack surface | Public-facing systems |
| Internal Pentest | Assess insider threat risk | Internal network |
| Web Application | Find application vulnerabilities | Specific applications |
| Social Engineering | Test human security | Employees, processes |
| Red Team | Full adversary simulation | Entire organization |
#### Enumerate Likely Threats
- [ ] **Identify high-risk areas** - Where could damage occur?
- [ ] **Assess data sensitivity** - What data could be compromised?
- [ ] **Review legacy systems** - Old systems often have vulnerabilities
- [ ] **Map critical assets** - Prioritize testing targets
#### Define Scope
- [ ] **List in-scope systems** - IPs, domains, applications
- [ ] **Define out-of-scope items** - Systems to avoid
- [ ] **Set testing boundaries** - What techniques are allowed?
- [ ] **Document exclusions** - Third-party systems, production data
#### Budget Planning
| Factor | Consideration |
|--------|---------------|
| Asset Value | Higher value = higher investment |
| Complexity | More systems = more time |
| Depth Required | Thorough testing costs more |
| Reputation Value | Brand-name firms cost more |
**Budget Reality Check:**
- Cheap pentests often produce poor results
- Align budget with asset criticality
- Consider ongoing vs. one-time testing
Phase 2: Environment Preparation
#### Prepare Test Environment
- [ ] **Production vs. staging decision** - Determine where to test
- [ ] **Set testing limits** - No DoS on production
- [ ] **Schedule testing window** - Minimize business impact
- [ ] **Create test accounts** - Provide appropriate access levels
**Environment Options:**
Production - Realistic but risky
Staging - Safer but may differ from production
Clone - Ideal but resource-intensive#### Run Preliminary Scans
- [ ] **Execute vulnerability scanners** - Find known issues first
- [ ] **Fix obvious vulnerabilities** - Don't waste pentest time
- [ ] **Document existing issues** - Share with testers
**Common Pre-Scan Tools:**
# Network vulnerability scan
nmap -sV --script vuln TARGET
# Web vulnerability scan
nikto -h http://TARGET#### Review Security Policy
- [ ] **Verify compliance requirements** - GDPR, PCI-DSS, HIPAA
- [ ] **Document data handling rules** - Sensitive data procedures
- [ ] **Confirm legal authorization** - Get written permission
#### Notify Hosting Provider
- [ ] **Check provider policies** - What testing is allowed?
- [ ] **Submit authorization requests** - AWS, Azure, GCP requirements
- [ ] **Document approvals** - Keep records
**Cloud Provider Policies:**
- AWS: https://aws.amazon.com/security/penetration-testing/
- Azure: https://docs.microsoft.com/security/pentest
- GCP: https://cloud.google.com/security/overview
#
🎯 Best For
- Security auditors
- DevSecOps teams
- Compliance officers
- QA engineers
- Developers writing unit tests
💡 Use Cases
- Auditing dependencies for known CVEs
- Scanning API endpoints for auth gaps
- Generating test cases for edge conditions
- Writing integration test suites
📖 How to Use This Skill
- 1
Install the Skill
Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.
- 2
Load into Your AI Assistant
Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.
- 3
Apply Pentest Checklist to Your Work
Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.
- 4
Review and Refine
Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.
❓ Frequently Asked Questions
Can this replace a dedicated SAST tool?
AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.
Does this generate test mocks?
Many testing skills include mock generation. Check the install command and skill content for details.
Is Pentest Checklist compatible with Cursor and VS Code?
Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.
Do I need specific dependencies for Pentest Checklist?
Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.
How do I install Pentest Checklist?
Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/pentest-checklist/SKILL.md, ready to use.
⚠️ Common Mistakes to Avoid
Only scanning surface-level issues
Deep security review requires understanding your app architecture, not just regex patterns.
Not testing edge cases
AI tends to generate happy-path tests. Manually review for boundary conditions.
Skipping validation
Always test AI-generated code changes, even for simple refactors.
Missing dependency updates
Check if the skill requires updated dependencies or new packages.