Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Pentest Checklist

Pentest Checklist is an code AI skill with a core value of This skill should be used when the user asks to \"plan a penetration test\", \"create a security assessment checklist\", \"prepare for penetration testing\", \"define pentest scope\", \"foll. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"plan a penetration test\", \"create a security assessment checklist\", \"prepare for penetration testing\", \"define pentest scope\", \"foll...

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/pentest-checklist && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/pentest-checklist/SKILL.md -o ./skills/pentest-checklist/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Pentest Checklist


Purpose


Provide a comprehensive checklist for planning, executing, and following up on penetration tests. Ensure thorough preparation, proper scoping, and effective remediation of discovered vulnerabilities.


Inputs/Prerequisites


- Clear business objectives for testing

- Target environment information

- Budget and timeline constraints

- Stakeholder contacts and authorization

- Legal agreements and scope documents


Outputs/Deliverables


- Defined pentest scope and objectives

- Prepared testing environment

- Security monitoring data

- Vulnerability findings report

- Remediation plan and verification


Core Workflow


Phase 1: Scope Definition


#### Define Objectives


- [ ] **Clarify testing purpose** - Determine goals (find vulnerabilities, compliance, customer assurance)

- [ ] **Validate pentest necessity** - Ensure penetration test is the right solution

- [ ] **Align outcomes with objectives** - Define success criteria


**Reference Questions:**

- Why are you doing this pentest?

- What specific outcomes do you expect?

- What will you do with the findings?


#### Know Your Test Types


| Type | Purpose | Scope |

|------|---------|-------|

| External Pentest | Assess external attack surface | Public-facing systems |

| Internal Pentest | Assess insider threat risk | Internal network |

| Web Application | Find application vulnerabilities | Specific applications |

| Social Engineering | Test human security | Employees, processes |

| Red Team | Full adversary simulation | Entire organization |


#### Enumerate Likely Threats


- [ ] **Identify high-risk areas** - Where could damage occur?

- [ ] **Assess data sensitivity** - What data could be compromised?

- [ ] **Review legacy systems** - Old systems often have vulnerabilities

- [ ] **Map critical assets** - Prioritize testing targets


#### Define Scope


- [ ] **List in-scope systems** - IPs, domains, applications

- [ ] **Define out-of-scope items** - Systems to avoid

- [ ] **Set testing boundaries** - What techniques are allowed?

- [ ] **Document exclusions** - Third-party systems, production data


#### Budget Planning


| Factor | Consideration |

|--------|---------------|

| Asset Value | Higher value = higher investment |

| Complexity | More systems = more time |

| Depth Required | Thorough testing costs more |

| Reputation Value | Brand-name firms cost more |


**Budget Reality Check:**

- Cheap pentests often produce poor results

- Align budget with asset criticality

- Consider ongoing vs. one-time testing


Phase 2: Environment Preparation


#### Prepare Test Environment


- [ ] **Production vs. staging decision** - Determine where to test

- [ ] **Set testing limits** - No DoS on production

- [ ] **Schedule testing window** - Minimize business impact

- [ ] **Create test accounts** - Provide appropriate access levels


**Environment Options:**

text
Production  - Realistic but risky
Staging     - Safer but may differ from production
Clone       - Ideal but resource-intensive

#### Run Preliminary Scans


- [ ] **Execute vulnerability scanners** - Find known issues first

- [ ] **Fix obvious vulnerabilities** - Don't waste pentest time

- [ ] **Document existing issues** - Share with testers


**Common Pre-Scan Tools:**

bash
# Network vulnerability scan
nmap -sV --script vuln TARGET

# Web vulnerability scan
nikto -h http://TARGET

#### Review Security Policy


- [ ] **Verify compliance requirements** - GDPR, PCI-DSS, HIPAA

- [ ] **Document data handling rules** - Sensitive data procedures

- [ ] **Confirm legal authorization** - Get written permission


#### Notify Hosting Provider


- [ ] **Check provider policies** - What testing is allowed?

- [ ] **Submit authorization requests** - AWS, Azure, GCP requirements

- [ ] **Document approvals** - Keep records


**Cloud Provider Policies:**

- AWS: https://aws.amazon.com/security/penetration-testing/

- Azure: https://docs.microsoft.com/security/pentest

- GCP: https://cloud.google.com/security/overview


#

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • QA engineers
  • Developers writing unit tests

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Generating test cases for edge conditions
  • Writing integration test suites

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Pentest Checklist to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Pentest Checklist compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Pentest Checklist?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Pentest Checklist?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/pentest-checklist/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills