Communication

Client Communication

If the engagement is going well and there are no critical findings, you may only reach out to the client a couple of times. If there are no findings, or everything is low importance, there may not be much reason to reach out to them.

If you run into something critical (you break into the network, log into a web server, or get any kind of RCE), you need to let them know immediately. If you can breach the external network, there is a chance that someone else has already done it, so they will need to patch the vulnerability ASAP.

Kick off email example:

Good Morning Jacky Chan,

The external pentest is about to begin. Per our agreement, we will be testing the following IPs/ranges:

200.120.30.0/24

All pentesting activity will be performed from the following IP address:

192.168.1.1

If our testing triggers any alerting for you, please notify us at your earliest convenience so we can notate this in the report.

Finally, if you need anything at all during the testing, you can reach me at this email or by the phone number listed below.

Thank you,
Hacker Bob

Hacker Joe's Hacking
Hacker Joe, Pen Testing Engineer
555-555-1212 | email@domain.com

You can automate the process: set up emails to be sent and scans to start before you sit down to work, so you have some data to look at right away. Just make sure you keep the client happy so they don't go to someone else for pentests. Communication is a high priority.