---
name: network-pentester
description: |
  Guides authorized network and infrastructure penetration testing—scoping and rules of engagement, external and internal network assessments, host and service enumeration, vulnerability validation on network services, Active Directory attack paths within scope, lateral movement documentation, segmentation testing, wireless assessment methodology (high level), evidence and remediation reporting, and retest. Emphasizes written authorization and safe boundaries. Use for network pentest, internal pentest, external pentest, AD assessment, lateral movement testing, port scan methodology when authorized—not OWASP web/API testing (web-pentester), cross-domain pentest orchestration when network is one workstream (penetration-tester), LLM/agent adversarial testing (ai-redteam), enterprise adversary simulation or purple-team campaigns (red-team-specialist), SOC triage (soc-analyst), incident command (incident-responder), or cloud guardrail implementation (cloud-security-engineer).
---
# Network Pentester
## When to Use
- Plan or execute authorized external or internal network and infrastructure assessments
- Draft or validate rules of engagement, asset lists, test windows, and emergency stop procedures
- Perform host and service enumeration, banner/version correlation, and manual validation of scanner output
- Test network services (SSH, RDP, SMB, LDAP, databases, management planes) within agreed impact
- Document Active Directory attack paths, credential exposure, and in-scope lateral movement
- Validate segmentation, firewall rules, and east-west controls between zones
- Apply high-level wireless assessment methodology when explicitly scoped
- Produce remediation-focused reports and retest critical/high network findings
## When NOT to Use
- OWASP web app, API, or session/auth testing → web-pentester
- Cross-engagement pentest program when network is not the primary specialty → penetration-tester
- Jailbreak LLMs, prompt injection, or agent tool abuse → ai-redteam
- Lead red team campaigns, purple team, or detection validation programs → red-team-specialist
- Triage SIEM/EDR alerts or SOC playbooks → soc-analyst
- Lead live incident command or war-room comms → incident-responder
- Implement IAM, WAF, SIEM, or cloud org guardrails → information-security-engineer, cloud-security-engineer
- Provision VPCs, clusters, or IaC without offensive testing → infrastructure-engineer
## Related skills
| Need | Skill |
|---|---|
| Web/API OWASP and proxy-based app testing | web-pentester |
| Broader pentest types (web + network + cloud workload in one ROE) | penetration-tester |
| Red team campaigns, purple team, ATT&CK emulation | red-team-specialist |
| Security program, pentest governance, GRC | cybersecurity |
| Remediate findings (IdP, EDR, network ACLs, hardening) | information-security-engineer |
| Cloud control implementation and misconfig fixes | cloud-security-engineer |
| Platform networking and IaC design | infrastructure-engineer |
| LLM/agent adversarial testing | ai-redteam |
| Customer-facing pentest reports | tech-writer-researcher |
## Core Workflows
### 1. Scope and authorization
Do not test without written authorization.
- Confirm signed SOW/ROE: IP ranges, hostnames, AD domains, methods, windows, contacts
- Define out-of-scope (third parties, production PII, DoS unless approved, out-of-window systems)
- Agree severity rubric, evidence handling, and credential/data minimization
- Establish emergency stop and escalation path
- Prefer isolated lab VLANs, jump hosts, or designated test forests when possible
See references/network_pentester_scope.md and references/scoping_and_rules_of_engagement.md.
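A scope gate that applies the ROE checks above before any enumeration touches a target, as an added example (not tooling from this skill or its references). The `RulesOfEngagement` fields, the sample ranges, the hostname and the test window are all constructed; exclusions deliberately win over in-scope ranges, and a set emergency-stop flag blocks everything.

```python
"""ROE scope gate: added example, not tooling from the skill or its references.
Every target is checked against the signed ROE before any enumeration starts:
listed ranges/hostnames, explicit exclusions, the agreed window, and the stop flag.
All ranges, names and times below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_cidrs: list        # ranges the SOW/ROE names
    excluded_cidrs: list        # carve-outs: third parties, production PII hosts
    in_scope_hosts: set         # named hosts (e.g. domain controllers) listed in the ROE
    window_start: datetime      # agreed test window, timezone-aware
    window_end: datetime
    emergency_stop: bool = False  # set when the client invokes the stop procedure


def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_target(roe, target, now):
    """Return (allowed, reason). Exclusions win over in-scope ranges."""
    if roe.emergency_stop:
        return False, "emergency stop invoked"
    if not roe.window_start <= now <= roe.window_end:
        return False, "outside agreed test window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat as a hostname
        if target.lower() in {h.lower() for h in roe.in_scope_hosts}:
            return True, "hostname listed in ROE"
        return False, "hostname not listed in ROE"
    if _in_any(addr, roe.excluded_cidrs):
        return False, "explicitly excluded range"
    if _in_any(addr, roe.in_scope_cidrs):
        return True, "inside in-scope range"
    return False, "not in any in-scope range"


# Constructed sample ROE: one /16 in scope with a payroll segment carved out.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_cidrs=["10.20.0.0/16"],
    excluded_cidrs=["10.20.99.0/24"],
    in_scope_hosts={"dc01.corp.example"},
    window_start=datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 2, 4, 0, tzinfo=timezone.utc),
)
```

Run `check_target` over the asset inventory and keep the rejection reasons: they become part of the engagement record showing what was deliberately not tested.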
### 2. Enumeration and service testing
asset inventory → live host discovery → port/service ID → version & config review → validate findings
Document source, timestamp, tool, and raw output references. Validate automated scanner results manually before reporting.
See references/enumeration_and_service_testing.md.
### 3. AD, lateral movement, and segmentation (in scope only)
- Map identity attack paths only per ROE (domain admin is not a default goal unless scoped)
- Document lateral movement with minimal PoC; redact secrets in evidence
- Test segmentation between zones; record allowed vs denied paths with packet/trace proof when useful
- Wireless: methodology and safe testing only when scoped—see segmentation/wireless reference
See references/active_directory_and_lateral_movement.md and references/segmentation_wireless_and_external.md.
### 4. Reporting, remediation, and retest
Per finding: title, severity, impact, reproduction, evidence, remediation, retest criteria. Deliver executive summary + technical appendix; schedule retest for critical/high.
See references/reporting_retest_safe_practices.md.
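An evidence record that ties together the provenance fields from step 2 (source, timestamp, tool, raw output reference), the secret redaction required in step 3, and the evidence field of the per-finding format in step 4, as an added example rather than tooling from this skill or its references. The redaction patterns, field names and sample output are constructed; the untouched raw output is assumed to live in a separate evidence store and is referenced only by its SHA-256.

```python
"""Evidence record builder: added example, not tooling from the skill or its references.
Raw tool output stays in the evidence store and is referenced by SHA-256; the
excerpt that reaches the report has credential-looking values redacted.
Redaction patterns and the sample output below are constructed."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed patterns: key=value secrets and long hex digests (e.g. dumped hashes).
REDACTIONS = [
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api_key)\s*[:=]\s*\S+"),
     r"\1=<REDACTED>"),
    (re.compile(r"\b[0-9a-fA-F]{32,}\b"), "<REDACTED-HASH>"),
]


def redact(text):
    """Replace secret-looking values so the report never carries live credentials."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def evidence_record(finding_id, tool, source, raw_output, captured_at=None):
    """Provenance fields (tool, source, timestamp), a digest of the untouched raw
    output for the evidence store, and the redacted excerpt for the appendix."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "finding": finding_id,
        "tool": tool,
        "source": source,                 # tester host / jump host the tool ran from
        "timestamp": captured_at.isoformat(),
        "raw_sha256": hashlib.sha256(raw_output.encode()).hexdigest(),
        "excerpt": redact(raw_output),
        "manually_validated": False,      # set True only after analyst confirmation
    }


# Constructed sample: a config file read from an in-scope share during validation.
SAMPLE_RAW = (
    "[10.20.5.7] \\\\FILES01\\public\\backup.ini\n"
    "db_host=10.20.5.20\n"
    "password=Winter2024!\n"
    "api_key: 0123456789abcdef0123456789abcdef\n"
)
```

The `manually_validated` flag stays false until the analyst has reproduced the scanner result by hand, which is the gate step 2 puts before anything is reported.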
## When to load references
| Topic | Reference |
|---|---|
| Role boundaries | references/network_pentester_scope.md |
| Authorization and ROE | references/scoping_and_rules_of_engagement.md |
| Host/service enumeration | references/enumeration_and_service_testing.md |
| AD and lateral movement | references/active_directory_and_lateral_movement.md |
| Segmentation, wireless, external | references/segmentation_wireless_and_external.md |
| Reports, retest, safe practices | references/reporting_retest_safe_practices.md |