Readiness Packet · Pentest Readiness Packet
Pen Test & Red Team Readiness Packet
Define targets, authorization, rules of engagement, access, testing windows, evidence handling, and deliverables before active testing begins.
Turn vague “we need a pentest” demand into a scoped, authorized, procurement-ready testing engagement.
Testing only proceeds against targets your organization owns, controls, or is explicitly authorized to assess. Active exploitation, adversarial testing, cloud testing, and red team activity require documented Rules of Engagement before testing begins.
Who this is for
- Security, AppSec, and product security teams that need a scoped, authorized test
- Cloud and platform teams testing infrastructure and IAM boundaries
- AI/ML teams hardening copilots, RAG, and agents against adversarial abuse
- GRC, founders, and CTOs who need a procurement-ready engagement
What the packet includes
- Scope Brief
- Rules of Engagement
- Authorization Statement
- Target Inventory
- Access Plan
- Evidence Handling Plan
- Emergency Contacts
- Testing Window
- Draft SOW Inputs
- Retest / Deliverables Plan
- Cloud Provider Policy Notes
Testing types supported
What we collect
Before testing starts, we define what is in scope, who authorized it, what techniques are allowed, what is prohibited, how evidence is handled, how issues are escalated, and what deliverables the buyer needs.
What we never collect in public forms
- Secrets, access keys, or production credentials
- Regulated or customer data
- Anything that implies authorization without explicit confirmation
Credential exchange happens only after NDA/SOW/ROE through an approved secure channel.
AWS / cloud testing boundary
Cloud testing scope distinguishes customer-owned targets from provider infrastructure, active testing from configuration review, and standard testing from special-approval activities. See the Cloud Testing Boundary Addendum.
AI / LLM / agentic red team boundary
Agent testing bounds tools, actions, approvals, and rollback before exercising abuse paths. See the Agentic Workflow ROE Addendum.
Build your packet
Prepare the pentest before the testers show up.
Fill in what you know. The readiness status, required contracts, and packet preview update live. Copy the packet or take it into scoping — nothing here authorizes testing.
Do not submit secrets, access keys, production credentials, or regulated data here. Credential exchange happens only after NDA/SOW/ROE through an approved secure channel. This intake captures what is in scope, who authorized it, and how access will be provisioned.
Desired testing type
Testing style
Testing only proceeds against targets your organization owns, controls, or is explicitly authorized to assess.
Pen Test & Red Team Readiness Packet — preview
Cobalt-style onboarding for scoped security testing, adversarial review, cloud assessment, and AI/agentic red teaming.
Engagement Snapshot
- Company: To be specified during scoping
- Requested testing: Web / API pentest
- Testing style: To be specified during scoping
- Engagement driver: To be specified during scoping
- Desired window / deadline: To be specified during scoping
- Production in scope: No
- Readiness status: Needs authorization
Authorization Summary
- Company legal name: To be specified during scoping
- Requestor: To be specified during scoping
- Authorized representative: To be specified during scoping
- Technical owner: To be specified during scoping
- Security owner: To be specified during scoping
- Owns / controls / authorized to test confirmed: No
- Third-party targets included: No
Target Inventory
- No named targets yet — required before testing.
In Scope
- To be specified during scoping
Out of Scope
- Any system, account, or data source not named in the Target Inventory
- Destructive testing
- Persistence
- Data exfiltration
- Denial of service
Testing Style
- To be specified during scoping
Allowed Techniques
- Confirmed in writing during scoping
Prohibited Techniques
- Destructive testing
- Persistence
- Data exfiltration
- Denial of service
- Phishing
- Social engineering
- Malware
- Credential stuffing
- Password spraying
- Production data modification
- Third-party impact
- Testing outside named targets
- Prohibited by default unless explicitly authorized in the Rules of Engagement.
Testing Window
- Start: To be specified during scoping
- End: To be specified during scoping
- Hours: To be specified during scoping
- Blackout dates: None identified
Access Plan
- Authenticated testing required: No
- Roles to test: To be specified during scoping
- Test accounts available: No
- SSO / MFA: Not required
- VPN / IP allowlist: Not required
- Access provisioning: To be specified during scoping
- Credential delivery: Secure channel after NDA/SOW/ROE — never via public forms
Data Handling Plan
- Data sensitivity: To be specified during scoping
- Production data in scope: No
- Personal / regulated / payment / health data: None indicated
- Secrets must be masked: Yes
- Data exfiltration allowed: No
- Sample data only: No
- DPA required: No
Evidence Capture Rules
- Evidence location: Access-controlled encrypted store available only to named delivery contacts
- Screenshots allowed: Yes
- Logs may be collected: Yes
- Redaction required: Yes
- Retention: 30 days or until final delivery
- Deletion after engagement: Yes
Communication Plan
- Primary channel: To be specified during scoping
- Daily update required: No
- Finding notification threshold: high_and_critical
- Business hours: To be specified during scoping
- Report recipients: To be specified during scoping
Emergency / Stop Conditions
- Emergency contact: To be specified during scoping
- Stop-testing contact: To be specified during scoping
- Escalation contact: To be specified during scoping
- Incident escalation process: Immediate notification to the stop-testing contact; testing pauses on request.
- Testing stops immediately on request from the stop-testing contact.
Deliverables
- Executive summary
- Technical report
- Evidence pack
Retest Plan
- Retest requested: No
- Severity model: CVSS + business risk
- Retest confirms remediation of findings within an agreed window after fixes land.
Draft SOW Inputs
- Targets: 0 named
- Window: To be specified during scoping
- Engagement type: Web / API pentest
- Budget category: AppSec / product security / pentest budget
- Deliverables: 3 selected
Required Contracts
- Mutual NDA — Confidentiality before any scope or access is shared.
- Assessment Terms Addendum — Defines authorized testing boundaries, safe harbor, and reliance limits.
- Evidence Handling Policy — How testing evidence is captured, stored, redacted, and retained.
- Statement of Work — Targets, testing window, deliverables, and retesting.
- No-Cost Scoping Retainer — Scope and plan the engagement before any paid work or active testing.
Open Questions
- Authorization not confirmed (owner / controls / authorized representative)
- Target inventory (at least one named, authorized target)
- Emergency / stop-testing contact (name + phone)
- Evidence-handling plan (storage location, retention, redaction)
This packet is generated from your inputs to prepare a scoped, authorized, procurement-ready engagement. It is not an authorization to test and is not legal advice; testing proceeds only under signed agreements against targets you own, control, or are explicitly authorized to assess.