Trusted cyber security policy development partnership - Siege Cyber Brisbane
Blog

How to Prepare for a Penetration Test: A Step-by-Step Checklist

If you have been asked to organise a penetration test, or you have decided it is time to get one done, you might be wondering what you actually need to do before the testers show up. The good news is that knowing how to prepare for penetration testing is straightforward once you understand what is involved.

Poor preparation is one of the most common reasons pentests deliver less value than they should. Testers end up chasing information that should have been ready on day one, scope creep causes delays, and the final report ends up missing context that would have made the findings more actionable.

This checklist covers everything you need to have sorted before your test begins.

 

 

Step 1: Define Your Scope

Before anything else, you need to decide what you actually want tested. Scope is the boundary of the engagement – it tells your testing team which systems, applications, environments, and assets are in play.

A vague scope wastes time and money. A well-defined scope means testers can go deeper on what actually matters.

Ask yourself:

  • Which systems are business-critical?

  • What would cause the most damage if it were compromised?

  • Are there any systems that must be excluded (for example, production systems where downtime is not an option)?

You do not need all the answers before you speak to a testing firm. A good provider will help you work through scoping as part of the engagement setup.

Step 2: Understand the Types of Penetration Testing

Not all penetration tests are the same. Understanding the types of penetration testing helps you communicate what you need and makes sure you are not paying for something that does not match your risk profile.

Here are the main types:

  • Network penetration testing – Tests your external and/or internal network infrastructure for weaknesses an attacker could exploit

  • Web application penetration testing – Focuses on your websites, web apps, and customer-facing portals

  • API penetration testing – Tests the security of your application programming interfaces, which are increasingly targeted by attackers

  • Cloud penetration testing – Assesses your cloud environment (AWS, Azure, GCP) for misconfigurations and vulnerabilities

  • Internal penetration testing – Simulates an insider threat or an attacker who has already gained a foothold inside your network

  • Wireless penetration testing – Evaluates the security of your Wi-Fi infrastructure

Most organisations need more than one type, particularly if they have a web presence, cloud infrastructure, and an internal network. Your testing provider should help you map this out.

Step 3: Get the Right Authorisations in Place

This one is non-negotiable. Penetration testing involves intentionally probing systems for vulnerabilities. Without written authorisation, you are exposing your testing provider – and yourself – to legal risk.

Make sure you have:

  • Written sign-off from senior leadership or the system owner

  • Confirmation from your cloud or hosting provider if third-party infrastructure is in scope (AWS, Azure, and GCP all have their own testing notification requirements)

  • A signed statement of work that clearly outlines the scope, timing, and rules of engagement

If you are testing systems that process or store personal data, consider your obligations under the Privacy Act 1988. You should confirm that testing activities will not inadvertently trigger a notifiable data breach.

Step 4: Gather Your Technical Documentation

The more context your testing team has, the more effective they can be. You do not need to hand over everything, but having the following ready will speed things up:

  • Network diagrams or architecture overviews

  • A list of IP addresses and hostnames in scope

  • Details of any recent changes to the environment

  • Existing security policies or controls documentation

  • Previous pentest reports, if applicable

 

Cyber incident response planning meeting at Siege Cyber Brisbane office

 

Step 5: Brief Your Internal Team

Your IT team, helpdesk, and security staff need to know a pentest is happening. If they notice unusual activity on the network and are unaware of the test, they may escalate it as a real incident – which creates unnecessary disruption and can compromise the test itself.

A brief heads-up with limited detail (so you do not influence behaviour) is usually enough. Nominate an internal point of contact so the testing team has someone to reach if they hit an unexpected issue during the engagement.

Not sure whether a penetration test is the right starting point for your organisation? Sometimes a security gap analysis makes more sense first – particularly if you are not certain where your biggest risks lie. Siege Cyber offers standalone gap analyses alongside a full range of penetration testing services. View our penetration testing services or explore our pricing.

Step 6: Plan What You Will Do With the Findings

A penetration test report is only useful if you are ready to act on it. Before the test begins, think about:

  • Who will review the report?

  • Who has authority to approve remediation work?

  • What is your process for prioritising fixes?

  • Do the findings need to be presented to a board or executive team?

Working this out in advance means you move faster after the report lands rather than spending weeks figuring out who is responsible for what.

What to Expect During the Test

A professional penetration test is a controlled, methodical process. Your testing team works within the agreed scope and rules of engagement, communicates with you throughout, and flags critical findings as they arise – not weeks later when the final report arrives.

After the Test: Turning Findings Into Action

The report is the beginning, not the end. A good pentest report categorises findings by risk level (critical, high, medium, low), explains what was found and why it matters, and gives you clear, prioritised recommendations.

Your next step is remediation. Depending on the findings, this might involve patching systems, reconfiguring network access controls, updating policies, or running developer security training. Many organisations schedule a retest once remediation is complete to confirm the vulnerabilities have been properly addressed.