Checklists
These are the boring lists that catch the stupid mistakes — the ones I would make on engagement #12 because I made them on engagement #11.
Pre-engagement
- Signed contract / engagement letter on file
- Scope document confirmed in writing (URLs, IPs, time windows)
- Out-of-scope assets explicitly enumerated
- Allowed techniques confirmed (automated scanners? brute force? DoS?)
- Emergency contact + escalation path documented
- Test accounts received and verified (one per role)
- VPN credentials / network access tested before the engagement starts
- Burp + tooling licenses up to date
- Local environment encrypted (FileVault / LUKS verified active)
- Project folder created with date-stamped name
Daily during engagement
- Backup of Burp project file to encrypted storage
- Notes pushed to local repo (encrypted)
- Findings log updated
- No client data on shared cloud drives, Slack, or email
- All scan output redacted before any screen-share
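Added example, not part of the original checklist: a small POSIX shell helper that automates the environment items from the pre-engagement and daily lists (disk encryption verified, date-stamped project folder, Burp project backed up to encrypted storage with a checksum). It assumes macOS reports FileVault via `fdesetup status`, that Linux shows LUKS mappings as TYPE `crypt` in `lsblk -rno TYPE`, and that the backup directory you pass is on an encrypted volume.

```shell
#!/bin/sh
# Engagement hygiene helpers (added example; assumptions noted in comments).

# Parse `fdesetup status` output: succeeds only if FileVault is reported on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Parse `lsblk -rno TYPE` output: succeeds if at least one dm-crypt device exists.
luks_present() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Live check for the current OS. Fails (exit 1) when the disk is not encrypted,
# so a preflight run stops before any client data lands on the machine.
disk_encrypted() {
    case "$(uname -s)" in
        Darwin) filevault_on "$(fdesetup status 2>/dev/null)" ;;
        Linux)  luks_present "$(lsblk -rno TYPE 2>/dev/null)" ;;
        *)      return 1 ;;
    esac
}

# Date-stamped project folder name, e.g. 2024-03-01_acme-webapp.
# $1 client slug, $2 optional date (YYYY-MM-DD), defaults to today.
project_dir_name() {
    printf '%s_%s\n' "${2:-$(date +%Y-%m-%d)}" "$1"
}

# Daily item: copy the Burp project file to the (encrypted) backup directory
# with a date stamp and append its SHA-256 so the archive can be verified later.
# $1 path to the .burp file, $2 backup directory. Prints the backup path.
backup_burp_project() {
    src="$1"; dest_dir="$2"
    [ -f "$src" ] || { echo "no project file at $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(date +%Y-%m-%d)_$(basename "$src")"
    cp "$src" "$dest"
    # sha256sum on Linux, shasum on macOS
    ( cd "$dest_dir" && f=$(basename "$dest") &&
      { sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"; } >> SHA256SUMS )
    printf '%s\n' "$dest"
}

# Usage: ./hygiene.sh preflight <client-slug>
if [ "${1:-}" = "preflight" ]; then
    disk_encrypted || { echo "disk encryption not active, stop here" >&2; exit 1; }
    mkdir -p "$(project_dir_name "${2:-client}")" && echo "project folder ready"
fi
```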
Pre-report
- Every finding has been independently re-tested from a clean session
- Severity / CVSS vector justified
- Impact statement is concrete, not aspirational
- Remediation guidance is implementable, not “use a WAF”
- Screenshots redacted: no client-identifiable information beyond what the finding needs
- Report PDF generated, password-protected
- Password sent via separate channel (not email)
Post-engagement
- Report acknowledged by client
- Retest scheduled (or declined in writing)
- All client data wiped from working environment per data-retention policy
- Burp project file archived to encrypted cold storage
- Lessons learned added to personal notes
- Invoice sent
The hardest one to remember is the data wipe. Set a calendar reminder for it on the day the report ships.