---
name: pentest-engagement
description: Penetration testing engagement planning — scoping, ROE drafting, phased timeline, MITRE ATT&CK mapping, kickoff/closeout documentation. Triggers on engagement plan, ROE, rules of engagement, scoping, pentest plan, phased plan, MITRE mapping, attack matrix, kickoff, closeout.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents engagement-planner
---

# pentest-engagement

Produces **planning + scoping + ROE** documentation for an authorized penetration testing engagement.

## Triggers

- "prepare a pentest plan"
- "draft an ROE"
- "scoping document"
- "engagement timeline"
- "MITRE ATT&CK matrix"
- "kickoff meeting agenda"
- "closeout report template"

## Deliverables

1. **Scope Document** (in-scope, out-of-scope, restrictions)
2. **Rules of Engagement (ROE)** (prohibited techniques, working hours, escalation path)
3. **Phased Timeline** (kickoff -> recon -> exploit -> post-ex -> reporting -> closeout)
4. **MITRE ATT&CK Mapping** (Tactic + Technique list for each phase)
5. **Communication Plan** (client contact, escalation contact, incident response)
6. **Acceptance Criteria** (tests covered, reporting, deliverable list)

## Scope Document Template

```markdown
# Engagement Scope — <Client>

## In-Scope
- IP Ranges: 10.0.0.0/16, 192.168.50.0/24
- Domains: *.example.com, app.example.com
- Cloud Accounts: AWS 123456789012 (production us-east-1)
- Test Type: External / Internal / Web App / Cloud / Red Team

## Out-of-Scope
- Direct queries against the production DB
- Email/phishing of client employees
- DoS / stress testing
- Third-party SaaS (Stripe, SendGrid, etc.)

## Restrictions
- Working hours: weekdays 09:00-17:00 (TR)
- Aggressive scanning: only within a client-approved window
- Data exfiltration: none; evidence files only (max 1 MB)

## Authorization
- Letter of authorization: <link>
- Client signature: <name, date>
- Pentest firm signature: <name, date>
```
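The scope document only protects the team if every active step is checked against it before it runs. The following scope gate is an added example for this page, not part of the skill or of any of the pentest-* skills it refers to: it encodes the in-scope ranges and domains from the template above, plus a constructed out-of-scope host and segment standing in for the production DB exclusion, and refuses any target that is excluded, outside the ranges, or outside the agreed working hours. Exclusions win over inclusions, and a wildcard such as `*.example.com` covers subdomains but not the apex, which is a common source of accidental out-of-scope hits.

```python
"""Scope gate: decide whether a target is inside the signed-off scope before
touching it.

Added example for this page; not part of the original skill. The SCOPE dict
mirrors the template above; the excluded host and range are constructed
placeholders, and the working-hours check assumes the datetime passed in is
already in the client's local time (TR in the template).
"""
import ipaddress
from datetime import datetime

SCOPE = {
    "cidrs": ["10.0.0.0/16", "192.168.50.0/24"],      # from the template
    "domains": ["*.example.com", "app.example.com"],  # from the template
    "excluded_cidrs": ["10.0.99.0/24"],               # constructed: e.g. prod DB segment
    "excluded_hosts": ["db.example.com"],             # constructed: prod DB host
    "hours": (9, 17),                                 # weekdays 09:00-17:00
}


def _ip_in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def target_in_scope(target, scope=SCOPE):
    """Return (allowed, reason). Exclusions take precedence over inclusions."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        if _ip_in_any(ip, scope["excluded_cidrs"]):
            return False, f"{ip} is in an out-of-scope range"
        if _ip_in_any(ip, scope["cidrs"]):
            return True, f"{ip} is in an in-scope range"
        return False, f"{ip} is not in any in-scope range"

    host = target.lower().rstrip(".")
    if host in {h.lower() for h in scope["excluded_hosts"]}:
        return False, f"{host} is explicitly out of scope"
    for pattern in scope["domains"]:
        p = pattern.lower()
        if p.startswith("*."):
            # "*.example.com" -> anything ending in ".example.com"; the leading
            # dot means the apex "example.com" itself does not match
            if host.endswith(p[1:]):
                return True, f"{host} matches {pattern}"
        elif host == p:
            return True, f"{host} matches {pattern}"
    return False, f"{host} is not in scope"


def within_window(when, scope=SCOPE):
    """True if `when` (client local time) is a weekday inside the agreed hours;
    the window is [start, end), so 17:00 itself is already outside."""
    start, end = scope["hours"]
    return when.weekday() < 5 and start <= when.hour < end


def gate(target, when, scope=SCOPE):
    """Single check to call before any active step: scope and time must both pass."""
    ok, reason = target_in_scope(target, scope)
    if not ok:
        return False, reason
    if not within_window(when, scope):
        return False, f"{when:%a %H:%M} is outside the agreed window"
    return True, reason


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 30)  # constructed: a Monday, 10:30 client time
    for t in ["10.0.5.7", "10.0.99.4", "api.example.com", "db.example.com", "example.com"]:
        print(t, gate(t, now))
```

Wire `gate()` in front of the scanner or exploit wrapper rather than relying on the operator to remember the document; the reason string goes into the engagement log so a refused target is auditable later.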

## Phased Plan Template (5 Phases)

| Phase | Duration | Activity | MITRE Tactic |
|-------|----------|----------|--------------|
| 1. Recon | 1-2 days | OSINT, subdomain enum, port scan | TA0043 Reconnaissance |
| 2. Initial Access | 2-3 days | Web app exploit, phishing sim (only if in scope), AD attack | TA0001 Initial Access |
| 3. Post-Exploit | 3-4 days | Privesc, lateral movement, persistence, exfil sim | TA0004 / TA0008 / TA0003 / TA0010 |
| 4. Detection Review | 1-2 days | SIEM/EDR coverage gaps for the techniques exercised in phases 1-3 | n/a (defensive review; reuses the phase 1-3 technique IDs, no tactic of its own) |
| 5. Report | 2-3 days | Finding write-up, CVSS, remediation, debrief | — |

## MITRE ATT&CK Mapping

Assign at least one ATT&CK Technique ID to every finding (T1059, T1078, etc.), and make sure the technique actually appears under the tactic you list; some techniques such as T1078 span several tactics. Mapping:

```yaml
finding: SQL Injection in /api/users
mitre:
  tactic: TA0001 (Initial Access)
  techniques:
    - T1190 (Exploit Public-Facing Application)
detection:
  - Sigma rule: web/sql_injection.yml
remediation:
  priority: P0
  effort: 8h
```
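Mappings like the one above tend to drift (a technique listed under a tactic it does not belong to, a finding with no technique, a free-text priority), and the closeout detection hand-off wants the same data as an ATT&CK Navigator layer. The following validator and layer builder is an added example for this page, not part of the skill: findings are plain dicts mirroring the YAML so it runs without PyYAML, the technique/tactic tables are a hand-picked subset of ATT&CK Enterprise rather than the full matrix, and the Navigator layer carries only the fields needed to load it (layer format 4.5 is assumed). The two extra findings are constructed to show what a bad mapping looks like.

```python
"""Validate a mitre-mapping.yml-style finding list and emit an ATT&CK
Navigator layer from it.

Added example for this page; not part of the original skill. The tactic and
technique tables are a small subset of ATT&CK Enterprise: an unknown technique
ID passes the format check but is not cross-checked against its tactic.
"""
import json
import re
from collections import defaultdict

TACTIC_ID_RE = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1021 or sub-technique T1021.002
VALID_PRIORITIES = {"P0", "P1", "P2", "P3"}

# Tactic ID -> Navigator short name (subset of ATT&CK Enterprise)
TACTICS = {
    "TA0043": "reconnaissance", "TA0001": "initial-access", "TA0002": "execution",
    "TA0003": "persistence", "TA0004": "privilege-escalation",
    "TA0005": "defense-evasion", "TA0006": "credential-access",
    "TA0008": "lateral-movement", "TA0010": "exfiltration",
}

# Technique ID -> tactics it appears under (subset; T1078 Valid Accounts spans four)
TECHNIQUE_TACTICS = {
    "T1595": {"TA0043"}, "T1190": {"TA0001"}, "T1566": {"TA0001"},
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"}, "T1059": {"TA0002"},
    "T1068": {"TA0004"}, "T1110": {"TA0006"}, "T1021": {"TA0008"}, "T1041": {"TA0010"},
}


def _id_only(value):
    """'T1190 (Exploit Public-Facing Application)' -> 'T1190'."""
    parts = str(value).split()
    return parts[0] if parts else ""


def validate_finding(finding):
    """Return a list of problems with one finding; an empty list means it is clean."""
    problems = []
    mitre = finding.get("mitre", {})
    tactic = _id_only(mitre.get("tactic", ""))
    techniques = [_id_only(t) for t in mitre.get("techniques", [])]
    if not TACTIC_ID_RE.match(tactic):
        problems.append(f"bad tactic id {tactic!r}")
    if not techniques:
        problems.append("no technique ids (at least one required)")
    for tid in techniques:
        if not TECHNIQUE_ID_RE.match(tid):
            problems.append(f"bad technique id {tid!r}")
            continue
        known = TECHNIQUE_TACTICS.get(tid.split(".")[0])  # sub-techniques inherit the parent's tactics
        if known is not None and tactic not in known:
            problems.append(f"{tid} does not appear under tactic {tactic}")
    prio = finding.get("remediation", {}).get("priority")
    if prio not in VALID_PRIORITIES:
        problems.append(f"priority must be one of {sorted(VALID_PRIORITIES)}, got {prio!r}")
    return problems


def validate_all(findings):
    """Map finding title -> list of problems."""
    return {f["finding"]: validate_finding(f) for f in findings}


def navigator_layer(findings, name="engagement"):
    """Aggregate findings into a Navigator layer dict; score = findings per technique."""
    counts = defaultdict(int)
    for f in findings:
        tactic = TACTICS.get(_id_only(f["mitre"]["tactic"]), "")
        for t in f["mitre"]["techniques"]:
            counts[(_id_only(t), tactic)] += 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},  # assumed; add "attack"/"navigator" versions for your install
        "techniques": [
            {"techniqueID": tid, "tactic": tac, "score": n}
            for (tid, tac), n in sorted(counts.items())
        ],
    }


SAMPLE_FINDINGS = [
    {   # the example from this page
        "finding": "SQL Injection in /api/users",
        "mitre": {"tactic": "TA0001 (Initial Access)",
                  "techniques": ["T1190 (Exploit Public-Facing Application)"]},
        "detection": ["Sigma rule: web/sql_injection.yml"],
        "remediation": {"priority": "P0", "effort": "8h"},
    },
    {   # constructed: Valid Accounts is not a Lateral Movement technique
        "finding": "Reused local admin password across workstations",
        "mitre": {"tactic": "TA0008 (Lateral Movement)",
                  "techniques": ["T1078 (Valid Accounts)", "T1021.002 (SMB/Windows Admin Shares)"]},
        "remediation": {"priority": "P1", "effort": "16h"},
    },
    {   # constructed: no technique listed, free-text priority
        "finding": "Verbose stack traces on /debug",
        "mitre": {"tactic": "TA0043 (Reconnaissance)", "techniques": []},
        "remediation": {"priority": "low", "effort": "2h"},
    },
]

if __name__ == "__main__":
    for title, problems in validate_all(SAMPLE_FINDINGS).items():
        print(f"{title}: {'OK' if not problems else '; '.join(problems)}")
    print(json.dumps(navigator_layer(SAMPLE_FINDINGS), indent=2))
```

Run the validator over `mitre-mapping.yml` before the closeout meeting; the layer JSON can be loaded into Navigator to show the client which techniques were exercised and, overlaid with their detection coverage, where the phase 4 gaps are.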

## Kickoff Meeting Agenda (1 hour)

1. Scope review + signoff (10 min)
2. ROE walkthrough + restrictions (15 min)
3. Communication channel + escalation (10 min)
4. Asset inventory hand-off (15 min)
5. Q&A + day-one planning (10 min)

## Closeout Meeting Agenda (1.5 hours)

1. Executive summary (10 min)
2. Top 3 critical finding walkthrough (30 min)
3. Remediation roadmap (20 min)
4. Detection rule hand-off (15 min)
5. Lessons learned (15 min)

## Output Location

Create at the start of the engagement:
```
engagements/<musteri>-<yyyymmdd>/
  scope.md
  roe.md
  timeline.md
  mitre-mapping.yml
  contacts.md
```

## Out-of-Scope (This Skill Does Not Do)

- Composing live commands (handled by pentest-recon, pentest-web, etc.)
- Producing exploit guides (handled by pentest-exploit-chain)
- Writing the report (handled by pentest-report)

This skill produces **only planning + scoping documents**.
