Skip to main content
Open source Β· MIT Β· 100% in-browser

PentestingChecklist

The penetration tester's companion. A comprehensive, hands-on collection of security assessment checklists you actually work through, across 23 platforms and every layer of a real engagement.

Start an assessment β†’How to use itStar

1,792 checks Β· 413 technologies Β· 121 categories Β· 23 platforms Β· runs entirely in your browser, no login, no backend, no telemetry

A checklist you operate

Not docs to read. Expand a category, drill into a technology, and tick checks as you go. Progress and per-check notes are tracked at every level.

Find any check instantly

Press ⌘K from any page to search every platform, category, technology, check, tool, and reference. Select a result and it expands and highlights the exact check.

Private & offline

No accounts, no database, no telemetry. Your progress and findings live in your browser. Export to Markdown, CSV, Excel, or JSON, and re-import to resume.

Built to scale as data

Every check is a typed object. Add a check, a technology, or a whole platform by editing one data file, and the type system and CI validate it. The UI never changes.

Every platform, one framework

Across 23 platforms, from web, API, and mobile to Active Directory, cloud, Kubernetes, LLM, and forensics. Each is its own checklist organised by category, technology, and check. Pick where you're testing and work top to bottom.

Web ApplicationAssess modern web apps end to end299 checksAPIREST & GraphQL, OWASP API Top 1075 checksMobileiOS & Android, OWASP MASVS53 checksThick ClientDesktop & native applications68 checksSecure Code ReviewSource-level vulnerability discovery89 checksCloudAWS, Azure, GCP misconfiguration68 checksDevSecOpsSecurity across the SDLC60 checksNetworkInfrastructure & service testing72 checksWi-FiWireless network assessment67 checksFirewallPerimeter & ruleset testing56 checksActive DirectoryDomain enumeration to DA126 checksInfrastructureHosts, services & hardening51 checksMCP SecurityModel Context Protocol servers/tools68 checksLLM SecurityOWASP LLM Top 1065 checksThreat ModelingSTRIDE, attack trees, trust boundaries58 checksConfiguration ReviewHardening & baseline review67 checksContainers & KubernetesImages, runtime & cluster security64 checksCI/CDPipeline & supply-chain attacks58 checksIoTDevice, firmware & radio68 checksBlockchainSmart contracts & Web355 checksPhishing AssessmentSocial-engineering campaigns66 checksOSINTOpen-source intelligence gathering60 checksForensicsEvidence acquisition & analysis79 checks