Pentest Preparation Checklist
Learn what you need to prepare to set up a pentest with Cobalt.
The information you need to prepare before launching a pentest depends on your asset type:
- Web application
- Mobile application
- API
- External network
- Internal network
- Cloud configuration
- AI/LLM application
- Combined assets
Web Application
Information needed to set up your pentest:
- Depending on the type of your web application:
- Traditional application: The number of dynamic pages. A dynamic page is a web page with dynamic content that a user can interact with.
- Count the number of dynamic pages based on unique page templates.
- Read-only static pages are not counted because there is no interaction.
- A product catalog is not counted because the page workflow is not unique.
- Single-page application: The number of routes in the application. In single-page applications using frameworks such as Angular, React, Ember, Backbone, or Meteor, logical separation of content is handled by routes. Routes provide unique URLs to specific content within the application. As an example, read the React Router documentation to learn more about routing.
- Traditional application: The number of dynamic pages. A dynamic page is a web page with dynamic content that a user can interact with.
- Basic information about the user roles, such as:
- The number of different role types you want to test
- Permission structure for user roles
- Application URLs or domain names
- Test credentials for each pentester
- Technology stack
- What’s in and out of scope for the pentest (for example, APIs)
- Product walk-through or documentation, if available
- If the scope is not publicly available, allowlist Cobalt IPs
- Special requirements for the pentest, if any
- Optional:
- User role matrix
- List of priorities (for example, focus on new features or specific workflows)
- Attack vectors you’re most concerned about
Learn how to scope a pentest for a web app in the Cobalt UI.
Mobile Application
Information needed to set up your pentest:
- Operating systems (OSes) the application runs on:
- Native applications are built to run on a specific mobile operating system, such as iOS or Android.
- Non-native applications are built to run on multiple operating systems.
- Application framework
- Access to your application:
- Downloadable links, if the application is publicly available
- IPA or APK files, if the application is not publicly available
- If the application is not in production yet, TestFlight or Crashlytics access
- Test credentials for each pentester
- Technology stack
- What’s in and out of scope for the pentest (for example, APIs)
- Product walk-through or documentation, if available
- Special requirements for the pentest, if any
Learn how to scope a pentest for a mobile app in the Cobalt UI.
API
Information needed to set up your pentest:
- Depending on the type of your API:
- RESTful API: The number of endpoints in the API. Ignore specific parameters and HTTP methods for each endpoint.
- GraphQL API: The number of queries and mutations in your API. For pentest purposes, that’s functionally equivalent to the number of RESTful API endpoints.
- Sample requests and responses
- Basic information about the user roles, such as:
- The number of different role types you want to test
- Permission structure for user roles
- Technology stack
- Documentation, if available: Swagger, Postman, SoapUI projects or OpenAPI files
- Special requirements for the pentest, if any
Learn how to scope a pentest for an API in the Cobalt UI.
External Network
Information needed to set up your pentest:
- The number of active hosts in the network:
- An explicit number of live hosts; or
- A CIDR block along with a saturation percentage
- IPs or IP ranges
- Domain names
- High-level overview of the network (preferably, with a network diagram)
- Special requirements for the pentest, if any
Learn how to scope a pentest for an external network in the Cobalt UI.
Internal Network
Information needed to set up your pentest:
- The number of active hosts in the network
- IPs or IP ranges
- Remote connectivity method
- Proper positioning on the network to assess the environment (network visibility)
- For PCI pentests, the need for segmentation testing
- Special requirements for the pentest, if any
- Other considerations that may affect the scope: for example, multiple jump boxes on the network
Learn how to scope a pentest for an internal network in the Cobalt UI.
Because Cobalt pentesters execute pentests for internal networks remotely, they need:
- Access to the internal corporate network through a stable VPN connection
- A lightweight Linux server inside the network that serves as a jump box from which pentesters can scan and test the internal network during the assessment
Depending on your network setup, do the following:
- For networks running on Amazon Web Services (AWS) machines:
- Create a Kali Virtual Machine (VM) inside AWS.
- Set up key-based SSH access for each pentester.
- For networks that don’t use a cloud network setup:
- Download a Kali VMWare/VirtualBox image.
- Set up key-based SSH access for each pentester.
Note
Recommended system resources for the virtual image (VMWare, VirtualBox, or AWS) should be at least:
- 2 allocated virtual CPUs
- 8 GB RAM
- 50 GB of disk space
Pentesters also need Root access to the Kali VM, which is mandatory.
Cloud Configuration
Cobalt pentesters can test services on the following platforms:
- Google Cloud Platform (GCP)
- Amazon Web Services (AWS)
- Microsoft Azure Cloud (Azure)
Each platform includes different categories of services, such as EC2, databases, and machine learning engines.
Information needed to set up your pentest:
- Your cloud platform: GCP, AWS, or Azure
- Depending on your cloud platform, the number of User Accounts, Projects, or Resource Groups:
- GCP: The cloud configuration size is based on Projects. In Identity and Access Management (IAM), access is managed through IAM policies. An IAM policy can be attached to a Google Cloud Project. Each policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role.
- AWS: The number of AWS accounts within the AWS Organization. The IAM user that pentesters will use to enumerate and assess AWS configurations is set based upon these accounts.
- Azure: Subscriptions may contain various Resource Groups—containers that hold related resources for an Azure solution. The CIS Benchmark for Azure is assessed at the Subscription level.
- The number of unique services in the configuration. Unique services are the different functionalities that you’ve configured in your cloud deployment.
- Examples of services: EC2, S3, Comprehend, Kubernetes, Azure Bot Service, Cloud Storage, Azure Container Service.
- Cobalt sizes Unique Instance of Services Used for Cloud Configuration Reviews as we’re enumerating configurations, not hosts. Example: 100 EC2 instances using the same base image are considered redundant from the configuration perspective and counted as 1 unique service.
- High-level overview of the cloud setup: Providers and Services (preferably, with diagrams)
- IAM read-only access for pentesters (for example, SecurityAudit and ViewOnlyAccess for AWS)
- Special requirements for the pentest, if any
Learn how to scope a pentest for a cloud configuration in the Cobalt UI.
AI/LLM application
Information needed to set up your pentest:
- The number of LLM features you want to test
- LLM model details: Specify the type of LLM (e.g., GPT-3, BERT, LaMDA). If it’s a custom model, provide as much information as possible about its architecture and training data
- LLM intended use cases: Outline the capabilities of the LLM (e.g., generate text, translate languages, answer questions, write code)
- Access to your application:
- via an API, a web interface, or a locally hosted model
- provide relevant endpoints or access credentials for each pentester
- Technology stack
- What’s in and out of scope for the pentest (for example, APIs)
- Product walk-through or documentation, if available
- Special requirements for the pentest, if any
- Other considerations that may affect the scope: the complexity of the AI/LLM system (number of models, architecture), the deployment environment (cloud, on-premise), or the data pipeline (origin, processing, storage)
Learn how to scope an AI/LLM pentest.
Combined Assets
For an asset that combines multiple asset types, follow the guidelines for each type:
- Web + API
- Web + API + External Network
- Web + External Network
- Web + Mobile